Security experts from Fidelis have spotted a new version of the Vawtrak banking Trojan that includes significant improvements such as SSL pinning.
Malware researchers from security firm Fidelis have spotted a new strain of the infamous Vawtrak banking Trojan that uses a domain generation algorithm (DGA) to generate .ru domains with a pseudorandom number generator (PRNG) found in the loader.
Vawtrak, aka Neverquest, has been around for several years and has been used by criminal organizations to target online banking customers worldwide.
The new variant of the Vawtrak banking Trojan introduces significant improvements, such as the use of HTTPS to protect communication with its control infrastructure. The threat also relies on certificate pinning, which is uncommon in malware.
SSL pinning provides an additional layer of protection against man-in-the-middle attacks; in this case, the certificate pinning is implemented to evade security solutions that use their own certificates to inspect encrypted traffic.
The new variant of the Vawtrak banking Trojan performs checks on the certificate's Common Name, so that the threat establishes connections only to its legitimate C2 servers.
“This new Vawtrak DLL contains code for performing an HTTPS connection as well, but it also performs some checks on the certificate it receives from the C2 server. It adds up all the characters in the Common Name and then divides the byte by 0x1a and adds 0x61, which should match the first character (Figure 5). It also uses a public key from the aforementioned initial inject header to verify the signature hash that was passed in the SubjectKeyIdentifier field of the certificate.” states the blog post published by the Fidelis firm.
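The Common Name check quoted above can be turned into a defensive heuristic: a sensor that logs TLS certificate subjects can flag any CN that satisfies the malware's own self-check. The following is an added example, not code from Fidelis or from the Vawtrak sample. Because the write-up gives only a one-sentence description, two details are assumptions: the character sum is kept in a byte (hence "divides the byte") and is therefore truncated to eight bits, and "divides by 0x1a" is read as the remainder of that division, since only a remainder plus 0x61 lands on a lowercase letter a-z. The log records are constructed for the example.

```python
# Added example (not Fidelis or Vawtrak code): re-implements the certificate
# Common Name (CN) self-check described in the Fidelis write-up as a detection
# heuristic over TLS certificate subjects collected by a sensor.
#
# Assumptions (the write-up gives only a one-sentence description):
#   * the sum of the CN characters is kept in a byte ("divides the byte"),
#     so it is truncated with & 0xFF;
#   * "divides by 0x1a" means the remainder (sum % 0x1a), because only the
#     remainder, plus 0x61, maps onto a lowercase letter 'a'..'z'.


def vawtrak_cn_matches(common_name: str) -> bool:
    """Return True if the CN satisfies the described self-check."""
    data = common_name.encode("ascii", errors="ignore")
    if not data:
        return False
    total = sum(data) & 0xFF            # byte accumulator (assumption)
    expected = (total % 0x1A) + 0x61    # remainder mapped onto 'a'..'z'
    return data[0] == expected


def flag_suspicious_subjects(records):
    """Return the (client_ip, server_ip, cn) records whose CN passes the check.

    `records` is any iterable of (client_ip, server_ip, common_name) tuples,
    for instance extracted from a TLS metadata log.
    """
    return [r for r in records if vawtrak_cn_matches(r[2])]


# Constructed sample data, not real observations. "at.ru" is built so that
# its characters sum to 490; 490 & 0xFF == 234; 234 % 26 == 0; 0 + 0x61 == 'a',
# which equals its first character, so it is flagged.
SAMPLE_RECORDS = [
    ("10.0.0.5", "203.0.113.10", "example.ru"),
    ("10.0.0.5", "203.0.113.11", "at.ru"),
    ("10.0.0.7", "203.0.113.12", "mail.example.com"),
    ("10.0.0.9", "203.0.113.13", ""),
]

if __name__ == "__main__":
    for client, server, cn in flag_suspicious_subjects(SAMPLE_RECORDS):
        print(f"{client} -> {server}: CN {cn!r} satisfies the Vawtrak CN check")
```

The check is weak on its own: a random lowercase CN passes it about one time in 26, so a hit is a corroborating signal to combine with other observations from the report (a .ru domain that looks DGA-generated, a self-signed certificate, a client that refuses the inspection proxy's certificate), not a verdict by itself.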
The threat was delivered via mass-spam campaigns; the threat actors behind it also spread the malware through exploit kits.
“Vawtrak has been a very successful banking trojan, delivered via both mass-spam campaigns as well as through exploit kits. Keeping this in consideration, it’s not surprising that new features and techniques are being introduced.” continues the blog post. “The use of DGAs and TLS is widespread across various crime families, but SSL pinning is still rare.”
Vawtrak remains an effective banking Trojan thanks to its continuous improvements; the recently introduced SSL pinning is a novelty in the banking malware landscape.
Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and of the Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer.
Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years' experience in the field and a Certified Ethical Hacker (EC-Council, London). The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US.
Pierluigi is a member of "The Hacker News" team and writes for major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines.
He is the author of the books "The Deep Dark Web" and "Digital Virtual Currency and Bitcoin".