Gazavat / Expiro DMSniff connection and DGA analysis

Gazavat, also known at least partially as Expiro, is a multi-functional backdoor with code overlaps to DMSniff, including webinjection, form grabbing, and plugin loading. The analysis highlights a hard-to-detect DGA for C2 and a browser-extension delivery chain with credential harvesting and proxy/DDoS capabilities. Hashtags: #Gazavat #Expiro #DMSniff #DGA

Keypoints

  • Gazavat/Expiro is a multifunctional backdoor with features such as loading other executables, plugins (hash-cracking and DMSniff), and webinjection/webfakes.
  • The malware shows a close connection to DMSniff, notably via the bot id passed in the User-Agent header of requests.
  • A Domain Generation Algorithm (DGA) generates C2 domains, including obfuscated string logic and hardcoded pieces, to contact command servers.

MITRE Techniques

  • [T1568.002] Domain Generation Algorithms – The algorithm creates 9 char values that mix vowels and consonants, along with a hardcoded piece that is a single char value stored as a C-style string.
  • [T1071.001] Web Protocols – DMSniff uses the User-Agent header to pass the bot id in HTTP traffic. ‘User-Agent: Mozilla/4.0 (compatible; MSIE 11.0; DSNF_2768=NT6.1.76016.1.7601-C386B17D.ENU.26F427F6-736680-955904-14CC1624=)’.
  • [T1056.003] Input Capture – Web Form Grabbing – The article lists ‘Form grabbing’ as a capability of Gazavat.
  • [T1090] Proxy – The capability list includes ‘Convert infection into proxy’, indicating that a proxy is used to route C2 communications.
  • [T1562.001] Impair Defenses – Disable Security Tools – The analysis notes AV-related components (e.g., WinDefend, Windows Defender) being targeted or affected.
  • [T1499] Denial of Service – The malware includes a DDoS capability, listed simply as ‘DDOS’.

Indicators of Compromise

  • [Hash] DMSniff sample – 7d69e2c4e75c76c201d40dbc04b9f13b2f47bf9667ce3b937dd4b1d31b11a8af
  • [Hash] Gazavat sample – a3f886db3d2691794e9ec27dca65dcc5d96e6095ec1de5275967a6e6d156d1f7
  • [Hash] Gazavat sample – 08c656125a3c1abdb74ede3712aecca1a5e4a48984cae78aa60cb833f7231295
  • [Domain] C2 domains – vietwarok.in, fari-khan.in, and 2 more domains
  • [Domain] Browser-extension traffic domains – systemtime.ru, systemsync.ru, and 8 more domains
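As an added detection example (not code from the article or from Walmart Global Tech), the script below scans constructed proxy-log lines for the two network indicators the page gives: the DMSniff bot id carried in the User-Agent header and the listed C2 domains. The log format and the generalization of `DSNF_2768=` to `DSNF_<digits>=` are assumptions; only the single User-Agent string on this page is known.

```python
import re
from typing import Dict, List, Optional

# C2 domains named in the IoC section above.
KNOWN_C2_DOMAINS = {"vietwarok.in", "fari-khan.in"}

# Bot-id marker from the article's User-Agent sample: "DSNF_<digits>=<payload>".
# Assumption: the digits vary per sample; only DSNF_2768 appears on the page.
DSNF_UA_RE = re.compile(r"DSNF_(\d+)=([^)\s]*)")

# Constructed log format (assumption): <timestamp> <src_ip> <dest_host> "<user_agent>"
LOG_LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) "([^"]*)"$')

# Constructed sample lines, not real telemetry. Line 1 reuses the page's UA string.
SAMPLE_LOGS = [
    '2024-01-01T10:00:01Z 10.0.0.5 vietwarok.in "Mozilla/4.0 (compatible; MSIE 11.0; '
    'DSNF_2768=NT6.1.76016.1.7601-C386B17D.ENU.26F427F6-736680-955904-14CC1624=)"',
    '2024-01-01T10:00:02Z 10.0.0.7 example.org "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '2024-01-01T10:00:03Z 10.0.0.9 cdn.example.net "Mozilla/4.0 (compatible; MSIE 11.0; '
    'DSNF_4421=NT6.3.9600-DEADBEEF.ENU.01234567-1-2-3=)"',
    '2024-01-01T10:00:04Z 10.0.0.5 fari-khan.in "curl/8.0"',
]


def inspect_line(line: str) -> Optional[Dict[str, str]]:
    """Return an alert for a line that matches a Gazavat/DMSniff indicator, else None."""
    m = LOG_LINE_RE.match(line)
    if not m:
        return None  # unparseable line; a real pipeline would count these separately
    ts, src, host, ua = m.groups()
    reasons: List[str] = []
    bot_id = ""
    ua_match = DSNF_UA_RE.search(ua)
    if ua_match:
        reasons.append("dsnf_user_agent")
        bot_id = ua_match.group(0)  # the full "DSNF_...=" token, useful for pivoting
    if host.lower() in KNOWN_C2_DOMAINS:
        reasons.append("known_c2_domain")
    if not reasons:
        return None
    return {"ts": ts, "src": src, "host": host, "bot_id": bot_id, "reasons": ",".join(reasons)}


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Run inspect_line over every line and keep only the alerts."""
    return [a for a in (inspect_line(line) for line in lines) if a]


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOGS):
        print(alert)
```

Either indicator alone is enough to raise an alert; a hit on both, as in the first sample line, is the strongest signal and the extracted bot id can be used to group traffic from the same infection.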

Read more: https://medium.com/walmartglobaltech/gazavat-expiro-dmsniff-connection-and-dga-analysis-8b965cc0221d