Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

Vawtrak Banking Trojan Uses SSL Pinning, DGA

A new version of the Vawtrak banking Trojan includes some significant improvements, such as a domain generation algorithm (DGA) and additional protection for command and control communications.

A new version of the Vawtrak banking Trojan includes some significant improvements, such as a domain generation algorithm (DGA) and additional protection for command and control communications.

According to researchers at security firm Fidelis, the new version of Vawtrak includes a DGA that generates .ru domains with a length ranging between 7 and 12 characters (excluding the domain suffix). The domain names are generated using a pseudorandom number generator (PRNG) found in the Trojan’s loader.

Another noteworthy feature is the use of HTTPS to protect C&C communications. While this is not uncommon, Vawtrak also leverages certificate pinning, or SSL pinning, which is fairly unusual.

Normally, when an SSL connection is made, the client checks if the server’s certificate matches the requested hostname and that it has a verifiable chain of trust. SSL pinning provides extra protection against man-in-the-middle (MitM) attacks by ensuring that only a certificate specified by the user is accepted.

In the case of Vawtrak, the use of SSL pinning helps the malware evade detection by enterprise security solutions that use their own certificates to intercept communications.

In order to ensure that no other certificates are accepted, the Trojan conducts some checks based on the Common Name, which identifies the domain names associated with the certificate. It also uses a public key found in a header from the initial inject performed by the malware loader.

“Vawtrak has been a very successful banking trojan, delivered via both mass-spam campaigns as well as through exploit kits. Keeping this in consideration, it’s not surprising that new features and techniques are being introduced. The use of DGAs and TLS is widespread across various crime families, but SSL pinning is still rare,” Fidelis said in a blog post.

Vawtrak, also known as Neverquest and Snifula, has been used to target online banking customers from across the world. The threat has been around for several years and it has been continually improved by its developers.

Related: Vawtrak Banking Trojan Uses Windows PowerShell, Macros in Infection Routines

Related: Canadian Users Targeted With Vawtrak Banking Trojan

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.


More than 3,800 servers around the world have been compromised in recent ESXiArgs ransomware attacks, which also include an improved process.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.