The cyclical relationship between threat actors and security professionals begins with the creation of a new attack technique, followed by the discovery of that technique by the security community, and then a refashioning of the manner of attack or creation of another novel approach by threat actors.
Note to readers: PhishLabs will be represented by Paul Black at MalCon 2016 in Puerto Rico from October 18-21. At MalCon 2016, Paul will review the evolution of malware targeted at banks and financial institutions, reviewing notable trending data and methods to combat them. Contact PhishLabs for ongoing concern, questions and a deeper dive into the latest remediation techniques.
The cat and mouse game between malware researchers and threat actors operating banking Trojans began with the creation and propagation of the Zeus banking trojan in 2007. Since Zeus’s release, the number of banking trojans has increased continually, yet the anti-analysis mechanisms used by cybercriminals to obstruct researchers appear to have plateaued.
At the end of July, the PhishLabs Research, Anaysis, and Intelligence Division (R.A.I.D.) found two major changes in the codebase of Vawtrak (a.k.a. Neverquest2) that significantly increased the banking Trojan’s persistence and the risk it poses for victims. We have discovered that the newest iteration of Vawtrak is now using a domain generation algorithm (DGA) to identify its command and control (C2) server. By using an algorithm instead of hardcoded domains, automated attempts at mitigation are rendered inadequate. Additionally, this new DGA implementation is bundled inside of a codebase that appears smaller and more efficient possibly because of compiler optimization. This optimization prevents malware researchers from using their pre-established Vawtrak analysis techniques during the reversing process to assist with the mitigation of the threat.