Attackers behind the Vawtrak banking Trojan have been keeping busy, updating the malware over the last few weeks with a new domain generation algorithm (DGA) and SSL certificate pinning.
Research published by security firm Fidelis on Tuesday explains the updates and breaks down how Vawtrak’s DGA generates domains, connects to them, and validates their certificates. Researchers looked at two samples they observed on July 28 and Aug. 1.
The latest version of Vawtrak uses a two-stage command and control lookup. The DGA-generated domain serves a list of domains that the bot cycles through looking for a live command and control server, and the first domain that responds returns a further static list.
“To further complicate this new C2 handoff, the developers have added another section, which when decoded, will have a list of C2 domains that the bot will also use for C2 communications,” says the report, written by Fidelis’ Jason Reeves.
Researchers with PhishLabs also discovered at the end of July that the malware was using a DGA to identify its command and control server. Fidelis' report goes a step further and describes how the researchers reverse engineered the algorithm.
It's unclear what took Vawtrak's creators so long to implement a DGA, a common technique across the cybercrime landscape and especially among botnets, but experts with the firm suggest it's because their previous infrastructure may have been disrupted.
“We don’t have insight into specifically why they adopted a DGA right now, but it could be related to previous campaigns getting disrupted because their infrastructure was confiscated or sinkholed,” Hardik Modi, Director of Threat Research at Fidelis Cybersecurity, told Threatpost on Monday. “It’d be a logical response to such an action by law enforcement or other security researchers.”
In addition to a DGA, the Trojan has also adopted SSL certificate checking, or pinning, which lets the malware detect and refuse SSL man-in-the-middle interception of its traffic, according to the firm. Pinning adds an extra step to certificate validation: instead of trusting any certificate that chains to a root the system trusts, the client compares the server's certificate or key against a value embedded in the client itself, so a certificate issued by an interception proxy's CA is rejected even though it would otherwise validate.
Researchers claim the latest Vawtrak DLL has the code to set up an HTTPS connection, likely to protect its command and control communications. On top of that, the Trojan can also verify the certificate it receives from the command and control server. From the Fidelis report:
It adds up all the characters in the Common Name and then divides the byte by 0x1a and adds 0x61, which should match the first character (Figure 5). It also uses a public key from the aforementioned initial inject header to verify the signature hash that was passed in the SubjectKeyIdentifier field of the certificate.
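The following is an added example, not code from the Fidelis report or from the Vawtrak sample, showing what a client-side check of this shape looks like and why an interception proxy fails it. It reproduces the Common Name checksum as the report's sentence describes it, with one interpretation of mine: "divides the byte by 0x1a" is read as taking the remainder of the single-byte sum, since 0..0x19 plus 0x61 always lands on a lowercase letter. The report's second check, a signature over the SubjectKeyIdentifier verified with a public key from the inject header, is replaced here by a plain SHA-256 pin on the server's SubjectPublicKeyInfo bytes, which is the textbook pinning technique rather than Vawtrak's own. All sample values (the stem `example.com`, the SPKI byte strings, the pin) are constructed.

```python
import hashlib
import itertools
import string
from typing import Optional


def cn_checksum_ok(common_name: str) -> bool:
    """Self-check on the certificate Common Name as the Fidelis report describes it.

    The report: the bot "adds up all the characters in the Common Name and then
    divides the byte by 0x1a and adds 0x61, which should match the first
    character". Interpretation (mine, not spelled out in the report): the sum is
    truncated to one byte and "divides" means the remainder, because 0..0x19
    plus 0x61 always yields a lowercase ASCII letter.
    """
    if not common_name:
        return False
    total = sum(common_name.encode("ascii", errors="ignore")) & 0xFF
    expected = (total % 0x1A) + 0x61
    return ord(common_name[0]) == expected


def make_valid_cn(stem: str) -> Optional[str]:
    """Search for a two-letter prefix that makes `prefix + stem` pass cn_checksum_ok.

    This is the operator side of the scheme: the check is not a secret, only a
    cheap way to reject certificates that were never minted for this botnet.
    Returns None if no two-letter prefix works for the given stem.
    """
    for first, second in itertools.product(string.ascii_lowercase, repeat=2):
        candidate = first + second + stem
        if cn_checksum_ok(candidate):
            return candidate
    return None


def spki_pin_ok(spki_der: bytes, pinned_sha256_hex: str) -> bool:
    """Classic key pinning: hash the server's SubjectPublicKeyInfo and compare
    it with a value baked into the client (assumed technique; the report instead
    describes a signature over the SubjectKeyIdentifier verified with a key
    carried in the inject header)."""
    return hashlib.sha256(spki_der).hexdigest() == pinned_sha256_hex


def accept_c2_certificate(common_name: str, spki_der: bytes, pinned_sha256_hex: str) -> bool:
    """Both checks must pass. A TLS interception proxy that re-signs the
    connection with its own CA presents a different public key, so it fails
    the pin even if it copies the Common Name from the real certificate."""
    return cn_checksum_ok(common_name) and spki_pin_ok(spki_der, pinned_sha256_hex)


# Constructed sample values; not taken from any real Vawtrak certificate.
SAMPLE_SPKI = b"\x30\x59\x30\x13\x06\x07constructed-spki-bytes"
SAMPLE_PIN = hashlib.sha256(SAMPLE_SPKI).hexdigest()
PROXY_SPKI = b"\x30\x59\x30\x13\x06\x07interception-proxy-key"

if __name__ == "__main__":
    cn = make_valid_cn("example.com")
    print("generated CN:", cn, "checksum ok:", cn_checksum_ok(cn))
    print("real C2 key:", accept_c2_certificate(cn, SAMPLE_SPKI, SAMPLE_PIN))
    print("proxy key:  ", accept_c2_certificate(cn, PROXY_SPKI, SAMPLE_PIN))
```

Note that the checksum alone is weak: any name whose first letter satisfies the formula passes, and `make_valid_cn` finds one by brute force in at most 676 tries. The pin is what actually defeats an interception proxy, which is why the report pairs the two.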
While the use of a DGA is fairly standard in Trojans like this, the technique employed by Vawtrak to check certificates is still in its infancy, according to Modi.
“Its use is still fairly sparse in our observation,” Modi said, adding that his team has seen it used more in targeted espionage tools than in the broader crime space.
The fact that criminals have tweaked Vawtrak, sometimes referred to as Neverquest, to cover their tracks isn’t too surprising. Attackers behind the Trojan have gone to great lengths to obscure their servers over the last few years. Last June researchers noticed the Trojan was hiding some of its servers behind Tor2Web to better evade detection.
Modi said the Trojan has mostly been distributed through malicious spam emails, but claims it’s also been distributed via exploit kits.
“They might be gauging for success before transitioning the new tooling to exploit kits,” Modi said.