The operators of Vawtrak, a banking Trojan that has been around for a few years, have recently improved the malware’s persistence mechanism, PhishLabs researchers warn.
Also known as Neverquest2, the Trojan has received various updates over the years and has also been observed expanding its list of targets. Now, PhishLabs researchers have discovered that the threat has started using a domain generation algorithm (DGA) to locate its command and control (C&C) server, unlike previous variants, which used hardcoded domains that made mitigation easier.
In addition to DGA, the new Vawtrak variant also has a smaller codebase, most probably because of compiler optimization. PhishLabs notes that this optimization makes it difficult for researchers to use previous Vawtrak analysis techniques to inspect the threat and to ensure efficient mitigation.
Courtesy of the DGA, Vawtrak now calculates a list of C&C domains from an embedded formula and then walks that list until it reaches a server that is operational and responsive. From a researcher’s perspective, this makes it harder to find the malicious servers that collect exfiltrated data: with basic tools, only the domains that happen to be active at the time the sample is executed during analysis can be blacklisted.
In practice, researchers need to crack the DGA to block the domains it will generate in the future and so ensure that the Trojan cannot reach its C&C server, as happened with the Mad Max botnet's DGA last month. Cybercriminals have recently started using new DGAs in live attacks, some of which create domain names from random characters and digits.
“The longer criminals have a server collecting credentials, the more money they can make. By hiding their server domains behind an algorithm, the campaign becomes more resilient and a much more significant threat,” PhishLabs says.
After taking a close look at the DGA, security researchers found that the TLD (top-level domain) appended to the generated name is always “.ru”. The algorithm calls the domain generation function in a loop until 150 domains have been generated, a count predetermined by the threat actor. The generated names are between 7 and 11 bytes long, the researchers also note.
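The parameters above (a fixed “.ru” TLD, labels of 7 to 11 bytes, a list of 150 candidates tried in sequence) are enough to write a simple resolver-log heuristic: a host walking a generated list produces a burst of NXDOMAIN answers for names of exactly that shape. The following detector is an added example, not code from PhishLabs or from the article; the character class, the time window, the threshold and the sample log lines are all constructed assumptions, and the seeded random-string generator used to build test input is a stand-in for producing names of the right shape, not the malware’s formula.

```python
import re
import random
from collections import defaultdict, deque

# Shape of the C&C names the article attributes to the new Vawtrak variant:
# a single label 7 to 11 bytes long under the fixed ".ru" TLD. The [a-z0-9]
# character class is an assumption; the article does not say which
# characters the algorithm emits.
DGA_SHAPE = re.compile(r"^[a-z0-9]{7,11}\.ru$")

# A host walking a generated list of 150 names mostly hits names nobody has
# registered, so the resolver answers NXDOMAIN for almost all of them.
# Window and threshold are tuning assumptions, not values from the article.
WINDOW_SECONDS = 120
THRESHOLD = 20


def parse_line(line):
    """Parse one constructed resolver log line: '<epoch> <client> <qname> <rcode>'."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, client, qname, rcode = parts
    return int(ts), client, qname.lower().rstrip("."), rcode.upper()


def flag_dga_clients(lines, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Return {client: peak_count} for clients whose DGA-shaped NXDOMAIN
    queries exceed `threshold` within any `window`-second span."""
    recent = defaultdict(deque)  # client -> timestamps of qualifying queries
    peaks = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, client, qname, rcode = rec
        if rcode != "NXDOMAIN" or not DGA_SHAPE.match(qname):
            continue
        q = recent[client]
        q.append(ts)
        # Drop timestamps that fell out of the sliding window.
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) > threshold:
            peaks[client] = max(peaks.get(client, 0), len(q))
    return peaks


def constructed_log():
    """Build a constructed sample log: one noisy-but-benign host and one host
    that behaves like a bot walking its generated list. The label generator
    is a seeded random-string stand-in for test data, not the Vawtrak DGA."""
    rng = random.Random(7)
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789"

    def label():
        return "".join(rng.choice(alphabet) for _ in range(rng.randint(7, 11)))

    lines = []
    t = 1600000000
    # Benign host: normal lookups plus a typo and one stray .ru NXDOMAIN.
    for i in range(30):
        lines.append(f"{t + i * 10} 10.0.0.5 www.example.com NOERROR")
    lines.append(f"{t + 50} 10.0.0.5 wwww.exmaple.com NXDOMAIN")
    lines.append(f"{t + 90} 10.0.0.5 {label()}.ru NXDOMAIN")
    # Bot-like host: 40 generated .ru names in under a minute, all unresolved,
    # then the one live name answered NOERROR.
    for i in range(40):
        lines.append(f"{t + i} 10.0.0.7 {label()}.ru NXDOMAIN")
    lines.append(f"{t + 41} 10.0.0.7 {label()}.ru NOERROR")
    return lines


if __name__ == "__main__":
    for client, peak in flag_dga_clients(constructed_log()).items():
        print(f"{client}: {peak} DGA-shaped NXDOMAIN answers within {WINDOW_SECONDS}s")
```

The heuristic deliberately keys on the answer code rather than on the names alone: a single odd-looking .ru lookup from a workstation is noise, whereas dozens of unresolved ones in a short span from the same client is the signature of a bot iterating through a candidate list, and the one NOERROR answer that follows is the domain worth pivoting on.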
In addition, the newly observed Vawtrak samples show that the malware’s authors have applied a compiler optimization, most probably either to hinder analysis or to shrink the payload size. This change makes it difficult to correlate the new variants with the patterns found in previously observed samples.
Earlier this year, researchers observed that Tinba, another piece of malware targeting financial institutions, also started using DGA for persistence. While Vawtrak’s DGA can generate up to 150 domains, other malware was seen generating thousands of domains each day.