A new and improved variant of the infamous Vawtrak Banking Trojan has been recently spotted by malware researchers form the Fidelis security firm. The new Vawtrak version has received noteworthy upgrades like the SSL pinning.
The Fidelis malware team discovered that the latest Vawtrak is able to leverage on a DGA mechanism to generate “.ru” domains with a pseudorandom number generator (PRNG) discovered in the loader.
The Vawtrak Banking Trojan, also famous with the name Neverquest, has been used by cybercriminal gangs for several years now. With its help, numerous banking customers from all over the world have been targeted and attacked.
This new Vawtrak strain in noticed to include some very important upgrades including the ability to use the HTTPS protocol to protect communication with the control infrastructure. However, more surprising for the researcher was the fact that the Trojan leverages on certificate pinning which isn’t so common for any malware pieces.
This certificate pinning improvement really contributes in increasing the protection level against Man-in-the-Middle (MitM) attacks. The SSL pinning is executed in order detection of security solutions that use their own certificates to inspect the traffic to be avoided.
The newest version of Vawtrak does some Common Name-based checks, which allows the Trojan to connect only to legitimate C2 servers.
“This new Vawtrak DLL contains code for performing an HTTPS connection as well, but it also performs some checks on the certificate it receives from the C2 server. It adds up all the characters in the Common Name and then divides the byte by 0x1a and adds 0x61, which should match the first character (Figure 5). It also uses a public key from the aforementioned initial inject header to verify the signature hash that was passed in the SubjectKeyIdentifier field of the certificate.” – reads the Fidelis firm` blog post.
The Vawtrak Banking Trojan is being distributed both via exploit kits and huge spam waves.
“Vawtrak has been a very successful banking Trojan, delivered via both mass-spam campaigns as well as through exploit kits. Keeping this in consideration, it’s not surprising that new features and techniques are being introduced.” – continues the blog post – “The use of DGAs and TLS is widespread across various crime families, but SSL pinning is still rare.”
The non-stopping improvements and updates are making the Vawtrak both really effective and dangerous banking Trojan, as the SSL pinning is clearly an innovation to the malware stage, but, as it turns out, an efficient one.