Developers behind the banking Trojan Vawtrak have begun obscuring some of their servers with Tor2Web, a move that’s added another degree of difficulty when it comes to uncovering their activity.
To this point the malware’s techniques – its evolution beyond banking websites, ability to break encryption, and steal login credentials – have been well documented, but now researchers with the security firm Fortinet claim the Trojan is hiding its servers in Tor2Web to help it better evade detection.
Tor2Web assists in running Tor’s services without directly connecting to the network, meaning that while users are still traceable, servers and machines using the Tor services it accesses are not.
The malware, which also goes by the name Neverquest, has a handful of DWORD values which correspond to domain names. The malware uses the values to generate randomized domain names, which ultimately wind up linking back to tor2web.org strings. The technique bucks the malware’s usual trend of using fixed command and control servers in its variants.
“If you know where to look, though, tracking and hunting these servers is hard, but possible,” Raul Alvarez, a researcher with the firm, wrote of the malware on Friday.
Banking Malware Vawtrak Spotted Using Tor2Web via @ThreatpostTweet
Having conducted an in-depth investigation of the malware for Virus Bulletin earlier this year Alvarez is no stranger to Vawtrak. In that write-up he likened its binaries, each which unfolds one after another, to a Russian nesting doll.
Layers of the malware subsequently thwart antimalware apps, restrict permissions, and ensure it sticks around after the victim restarts their machine.
Last year saw Vawtrak first become a multifaceted banking Trojan. It added advanced web-inject capabilities and became skilled at gathering information like social security numbers and PINs before eventually maturing and moving beyond banks to social media and retailers.