A new version of the Vawtrak banking Trojan includes some significant improvements, such as a domain generation algorithm (DGA) and additional protection for command and control communications.
According to researchers at security firm Fidelis, the new version of Vawtrak includes a DGA that generates .ru domains with a length ranging between 7 and 12 characters (excluding the domain suffix). The domain names are generated using a pseudorandom number generator (PRNG) found in the Trojan’s loader.
Another noteworthy feature is the use of HTTPS to protect C&C communications. While this is not uncommon, Vawtrak also leverages certificate pinning, or SSL pinning, which is fairly unusual.
Normally, when an SSL connection is made, the client checks if the server’s certificate matches the requested hostname and that it has a verifiable chain of trust. SSL pinning provides extra protection against man-in-the-middle (MitM) attacks by ensuring that only a certificate specified by the user is accepted.
In the case of Vawtrak, the use of SSL pinning helps the malware evade detection by enterprise security solutions that use their own certificates to intercept communications.
In order to ensure that no other certificates are accepted, the Trojan conducts some checks based on the Common Name, which identifies the domain names associated with the certificate. It also uses a public key found in a header from the initial inject performed by the malware loader.
“Vawtrak has been a very successful banking trojan, delivered via both mass-spam campaigns as well as through exploit kits. Keeping this in consideration, it’s not surprising that new features and techniques are being introduced. The use of DGAs and TLS is widespread across various crime families, but SSL pinning is still rare,” Fidelis said in a blog post.
Vawtrak, also known as Neverquest and Snifula, has been used to target online banking customers from across the world. The threat has been around for several years and it has been continually improved by its developers.
Related: Vawtrak Banking Trojan Uses Windows PowerShell, Macros in Infection Routines
Related: Canadian Users Targeted With Vawtrak Banking Trojan
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- Intel Boasts Attack Surface Reduction With New 13th Gen Core vPro Platform
- Dole Says Employee Information Compromised in Ransomware Attack
- High-Severity Vulnerabilities Found in WellinTech Industrial Data Historian
- CISA Expands Cybersecurity Committee, Updates Baseline Security Goals
- Exploitation of 55 Zero-Day Vulnerabilities Came to Light in 2022: Mandiant
- Organizations Notified of Remotely Exploitable Vulnerabilities in Aveva HMI, SCADA Products
- Waterfall Security, TXOne Networks Launch New OT Security Appliances
- Hitachi Energy Blames Data Breach on Zero-Day as Ransomware Gang Threatens Firm
Latest News
- Intel Co-founder, Philanthropist Gordon Moore Dies at 94
- Google Leads $16 Million Investment in Dope.security
- US Charges 20-Year-Old Head of Hacker Site BreachForums
- Tesla Hacked Twice at Pwn2Own Exploit Contest
- CISA Ships ‘Untitled Goose Tool’ to Hunt for Microsoft Azure Cloud Infections
- Critical WooCommerce Payments Vulnerability Leads to Site Takeover
- PoC Exploit Published for Just-Patched Veeam Data Backup Solution Flaw
- CISA Gets Proactive With New Pre-Ransomware Alerts
