Banking Trojans have fallen out of the threat spotlight lately, thanks to all of the shine going to ransomware, but they are still out there doing their business. And in some cases, like the venerable Vawtrak malware, the authors are making important and interesting tweaks to their creations to stay ahead of the defenders.
Vawtrak is one of the better-known banking Trojans in circulation, and it has been making the rounds since at least 2014. Like most of its kin, Vawtrak typically is delivered through spam campaigns, and sometimes through exploit kits. The malware has evolved over time, adding new features and improving various aspects of its operation. Researchers at Fidelis Cybersecurity have analyzed a new version of Vawtrak and found that it now includes both a new domain-generation algorithm and certificate pinning for more secure communications between the infected machines and the command-and-control servers.
Many strains of malware use SSL-encrypted channels to communicate with their C2 servers, but the concept of certificate pinning is still relatively new. Certificate pinning allows the malware operators to specify which certificate is acceptable for the C2 servers issuing commands to infected clients, which helps prevent researchers from intercepting communications with a forged certificate. The Vawtrak creators have implemented this mechanism to protect their infrastructure from infiltration by researchers.
“This new Vawtrak DLL contains code for performing an HTTPS connection as well, but it also performs some checks on the certificate it receives from the C2 server. It adds up all the characters in the Common Name and then divides the byte by 0x1a and adds 0x61, which should match the first character (Figure 5). It also uses a public key from the aforementioned initial inject header to verify the signature hash that was passed in the SubjectKeyIdentifier field of the certificate,” Jason Reeves of Fidelis Threat Research wrote in an analysis of the malware.
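The Common Name check Reeves describes is simple enough to re-implement on the defender's side, for example to flag TLS certificates in proxy metadata whose CN satisfies the same constraint. The Python below is an added example, not code from Fidelis or from the malware, and it rests on two assumptions the article does not spell out: the sum is kept in an 8-bit accumulator ("the byte"), and "divides the byte by 0x1a" means the remainder after division by 26 is what gets 0x61 added to it. The public-key verification of the SubjectKeyIdentifier field is not covered here, since the page gives no detail on the key or hash format. The sample CNs are constructed; `cdi.kac.net` was built so that its checksum lands on its own first letter.

```python
# Added example (not Fidelis' or Vawtrak's code): re-implements the Common Name
# checksum that the article describes, so a defender can flag certificates whose
# CN satisfies the Vawtrak constraint. Assumptions (not stated on the page):
#   - the byte sum is kept in an 8-bit accumulator ("the byte"), i.e. & 0xFF;
#   - "divides by 0x1a" means the remainder after division by 26 is used.
from typing import Iterable, List


def expected_first_char(common_name: str) -> str:
    """Return the character the Vawtrak check expects at position 0 of the CN.

    Sum the CN bytes in an 8-bit accumulator (assumed), reduce modulo 0x1a (26),
    add 0x61 ('a'): the result is always a lowercase letter a..z.
    """
    total = sum(common_name.encode("latin-1", errors="replace")) & 0xFF
    return chr((total % 0x1A) + 0x61)


def passes_vawtrak_cn_check(common_name: str) -> bool:
    """True if the certificate CN would be accepted by the described check."""
    if not common_name:
        return False  # nothing to compare against; treat as not matching
    return common_name[0] == expected_first_char(common_name)


def flag_suspicious_cns(common_names: Iterable[str]) -> List[str]:
    """Return the CNs that satisfy the constraint (candidates for closer review)."""
    return [cn for cn in common_names if passes_vawtrak_cn_check(cn)]


# Constructed sample CNs, as they might be pulled from TLS metadata in proxy logs.
SAMPLE_CNS = [
    "secure-login.example.org",  # ordinary-looking name, fails the checksum
    "cdi.kac.net",               # constructed so that the checksum yields 'c'
    "",                          # edge case: empty CN
]

if __name__ == "__main__":
    for cn in SAMPLE_CNS:
        verdict = "MATCH" if passes_vawtrak_cn_check(cn) else "no match"
        print(f"{cn!r:30} expected first char {expected_first_char(cn)!r} -> {verdict}")
```

Because the expected letter depends on the whole name, a benign certificate will satisfy the check only about one time in 26, so a match is a useful trigger for further inspection of the connection rather than a verdict on its own.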
The other main addition to the latest version of Vawtrak is the DGA, a function that automatically generates new domains for the malware to use for communications. DGAs have been in use for a long time and they’re a somewhat effective tool for keeping researchers off-balance when trying to track C2 infrastructure. But researchers usually are able to work out how the algorithm operates and then determine which domains the malware will generate. Vawtrak uses a pseudorandom number generator known as a linear congruential generator (LCG) as part of its domain generation routine.
“The routine takes a seed and passes it through the LCG once, dividing the result by 5 and using the remainder + 7 as the length of the domain to be generated — which means our domain lengths fall within the range of [7,12] in length (not counting the TLD). Once the length is determined, the result of the previous PRNG is passed into another. The result is converted to a character using the formula ((result % 26) + 97),” Reeves said.
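The structure Reeves lays out (one LCG pass to pick a length of 7 to 12, then one pass per character mapped through `(result % 26) + 97`) is what lets researchers pre-compute the domains and feed them into DNS blocklists or log matching. The Python below is an added example that follows that structure; it is not Fidelis' or Vawtrak's code. The LCG multiplier, increment and modulus are the classic glibc `rand()` values used as placeholders, not the malware's own constants; the article does not say how the seed is derived, so seeds are passed in explicitly; and the TLD is a placeholder. The DNS log lines used for matching are constructed.

```python
# Added example (not Fidelis' or Vawtrak's code): a re-implementation of the
# domain-generation structure the article describes, written from the defender's
# side to pre-compute candidate domains for blocklists and DNS-log matching.
# Assumptions (not stated on the page):
#   - the LCG constants below are the classic glibc rand() values, NOT Vawtrak's;
#   - seed derivation (e.g. from the date) is not described, so seeds are explicit;
#   - the TLD is a placeholder.
from typing import Iterable, List, Set, Tuple

LCG_A = 1103515245          # assumed multiplier (placeholder)
LCG_C = 12345               # assumed increment (placeholder)
LCG_M = 2 ** 31             # assumed modulus (placeholder)
PLACEHOLDER_TLD = "example" # the real TLD is not given on the page


def lcg_step(state: int) -> int:
    """One step of a linear congruential generator: (a*x + c) mod m."""
    return (LCG_A * state + LCG_C) % LCG_M


def generate_domain(seed: int, tld: str = PLACEHOLDER_TLD) -> str:
    """Generate one domain from a seed, following the described routine.

    1. Pass the seed through the LCG once; length = (result % 5) + 7, so the
       label is 7..12 characters long (the TLD is not counted).
    2. Feed the result back into the PRNG once per character; each character
       is chr((result % 26) + 97), i.e. a lowercase letter.
    """
    state = lcg_step(seed)
    length = (state % 5) + 7
    chars = []
    for _ in range(length):
        state = lcg_step(state)
        chars.append(chr((state % 26) + 97))
    label = "".join(chars)
    return f"{label}.{tld}" if tld else label


def generate_blocklist(seeds: Iterable[int]) -> Set[str]:
    """Pre-compute the domains for a range of seeds (e.g. upcoming dates)."""
    return {generate_domain(s) for s in seeds}


def match_dns_log(lines: Iterable[str], blocklist: Set[str]) -> List[Tuple[str, str]]:
    """Return (client, domain) pairs for queries that hit a generated domain.

    Expects constructed log lines of the form 'client=<ip> query=<name>'.
    """
    hits = []
    for line in lines:
        fields = dict(f.split("=", 1) for f in line.split() if "=" in f)
        name = fields.get("query", "").rstrip(".").lower()
        if name in blocklist:
            hits.append((fields.get("client", "?"), name))
    return hits


if __name__ == "__main__":
    blocklist = generate_blocklist(range(1, 6))
    # Constructed DNS log lines: one benign query and one that hits a generated domain.
    sample_log = [
        "client=10.0.0.6 query=www.example.org.",
        f"client=10.0.0.5 query={generate_domain(1)}.",
    ]
    for seed in range(1, 6):
        print(seed, generate_domain(seed))
    print("hits:", match_dns_log(sample_log, blocklist))
```

Swapping in the real constants recovered from a sample and the actual seed derivation is all that separates this skeleton from a working pre-computation tool; the length rule and the character mapping are exactly as quoted above.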