Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Vawtrak Banking Trojan Uses SSL Pinning, DGA

A new version of the Vawtrak banking Trojan includes some significant improvements, such as a domain generation algorithm (DGA) and additional protection for command and control communications.

A new version of the Vawtrak banking Trojan includes some significant improvements, such as a domain generation algorithm (DGA) and additional protection for command and control communications.

According to researchers at security firm Fidelis, the new version of Vawtrak includes a DGA that generates .ru domains with a length ranging between 7 and 12 characters (excluding the domain suffix). The domain names are generated using a pseudorandom number generator (PRNG) found in the Trojan’s loader.

Another noteworthy feature is the use of HTTPS to protect C&C communications. While this is not uncommon, Vawtrak also leverages certificate pinning, or SSL pinning, which is fairly unusual.

Normally, when an SSL connection is made, the client checks if the server’s certificate matches the requested hostname and that it has a verifiable chain of trust. SSL pinning provides extra protection against man-in-the-middle (MitM) attacks by ensuring that only a certificate specified by the user is accepted.

In the case of Vawtrak, the use of SSL pinning helps the malware evade detection by enterprise security solutions that use their own certificates to intercept communications.

In order to ensure that no other certificates are accepted, the Trojan conducts some checks based on the Common Name, which identifies the domain names associated with the certificate. It also uses a public key found in a header from the initial inject performed by the malware loader.

“Vawtrak has been a very successful banking trojan, delivered via both mass-spam campaigns as well as through exploit kits. Keeping this in consideration, it’s not surprising that new features and techniques are being introduced. The use of DGAs and TLS is widespread across various crime families, but SSL pinning is still rare,” Fidelis said in a blog post.

Vawtrak, also known as Neverquest and Snifula, has been used to target online banking customers from across the world. The threat has been around for several years and it has been continually improved by its developers.

Advertisement. Scroll to continue reading.

Related: Vawtrak Banking Trojan Uses Windows PowerShell, Macros in Infection Routines

Related: Canadian Users Targeted With Vawtrak Banking Trojan

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Cyberwarfare

An engineer recruited by intelligence services reportedly used a water pump to deliver Stuxnet, which reportedly cost $1-2 billion to develop.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Malware & Threats

Apple’s cat-and-mouse struggles with zero-day exploits on its flagship iOS platform is showing no signs of slowing down.

Cybercrime

No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.