The PhishLabs Blog

Vawtrak / Neverquest2 adopts new methods to increase persistence

Posted by King Salemno on Aug 5, '16

At the end of July, the PhishLabs Research, Analysis, and Intelligence Division (R.A.I.D.) found two major changes in the codebase of Vawtrak (a.k.a. Neverquest2) that significantly increase the banking Trojan's persistence and the risk it poses to victims. The newest iteration of Vawtrak now uses a domain generation algorithm (DGA) to locate its command and control (C2) server. Because the domains are computed by an algorithm instead of being hardcoded, blocklists built from observed indicators go stale quickly and automated attempts at mitigation are rendered inadequate. In addition, the new DGA implementation ships in a codebase that is smaller and more efficient, most likely the result of compiler optimization. That optimization hinders malware researchers from applying their established Vawtrak analysis techniques during reversing to support mitigation of the threat.

To identify the changes in the new Vawtrak codebase, the following samples were analyzed:

  • MD5: 627914b5c8663ca5c3fef7be88c9f3f2
  • MD5: e75436d09b378f20de647ace1acd1d59
  • MD5: 96b53a34153a435d2eabdc3b528ed07d
  • MD5: 330e1ca4dfbdac16fd31c0667cee0d1a
  • MD5: 6c7d941f5b516ceb3d920b92f8d00c53

With Vawtrak's DGA, a list of domains is calculated from an embedded formula. The infected computer walks down that list looking for a server that is still operational and responsive. This makes finding the malicious servers that collect the exfiltrated data much more difficult. Basic analysis tools such as an IDS, next-generation firewalls, and sandboxes can only blacklist the domains that happened to be active when the sample was executed during analysis. Without reverse engineering the malware and cracking the algorithm, future domains cannot be blocked until they have been observed communicating with an infected host, and a server whose domain is unknown can neither be taken down nor cut off from its victims. The longer criminals keep a server collecting credentials, the more money they make. By hiding their server domains behind an algorithm, the campaign becomes more resilient and a much more significant threat.

Figure No. 1 – Communication path before and after Vawtrak's DGA implementation (figure: Vawtrak's new DGA masks the C2 servers from basic malware analysis methods)

During examination of the code reverse engineered from the new Vawtrak payloads, we identified the process associated with the new algorithm. The following image (Image No. 1) shows the first function call made before domain generation begins:

Image No. 1 – Initial Function Call Before Domain Generation Begins (image: the first function call made in Vawtrak's code prior to generating C2 domains)

Subsequently, the function shown in Image No. 2 is called to begin the domain generation process. Inside a loop, a third function, 'GenerateDomainPrefix', is called to generate the domain itself, without the top-level domain (TLD). When that call returns, this function appends a string suffix, the TLD, to the end. In these samples the suffix is always ".ru":

Image No. 2 – Function that Begins the Domain Generation Process (image: the function in Vawtrak's code that initiates the domain generation loop)

The next image contains the actual domain generation algorithm. The variable 'v4' is assigned a random number between 0 and 4; 7 is then added to it and the result stored in a second variable, 'v6', which is used as the length of the domain prefix. In effect, this function generates domain names between 7 and 11 characters long before the TLD is appended. It is called repeatedly from the loop shown in Image No. 2 until 150 domains have been generated. That count was fixed by the threat actor: the value 150 is loaded into the EDX register before the loop begins.

Image No. 3 – Vawtrak's Domain Generation Algorithm (DGA) (image: the function that generates the 150 domains)

After the algorithm successfully generates the domains, you will have a list similar to the following:

ubmfotihexo.ru
czcdujuj.ru
rwjazota.ru
engnafgn.ru
zihubgx.ru
fonizwhgnqp.ru
jcxglwduji.ru
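To make the generation loop concrete, the following is an added, runnable Python sketch that follows the structure described above: a prefix of length v4 + 7 with v4 in 0..4, 150 iterations, and ".ru" appended after each prefix. It is not Vawtrak's code and not a recovered algorithm. The page does not give the real pseudo-random source, its seed, or how characters are chosen, so the SHA-256-based byte stream, the a-z alphabet, the seed value, every function name except GenerateDomainPrefix, and the DNS log lines are assumptions constructed here for illustration. The second half shows the defender's payoff from reversing the algorithm, which the earlier paragraph on blocking future domains describes: with a reimplementation in hand, the whole list can be precomputed and matched against DNS logs before any of those domains is seen live.

```python
import hashlib
from typing import Iterable, List, Set

# Constants taken from the page's description of the reversed code.
DOMAIN_COUNT = 150          # loaded into EDX before the generation loop
MIN_LEN, MAX_LEN = 7, 11    # v6 = v4 + 7 with v4 in [0, 4]
TLD = ".ru"                 # suffix appended after GenerateDomainPrefix returns
# Assumption: lowercase a-z only, matching the sample domains listed above.
ALPHABET = "abcdefghijklmnopqrstuvwxyz"


class SeededStream:
    """Assumption: a stand-in deterministic byte stream (SHA-256 in counter mode).

    The page does not describe Vawtrak's real source of randomness or its seed;
    the point is only that a fixed seed reproduces the same 150 domains.
    """

    def __init__(self, seed: bytes) -> None:
        self._seed = seed
        self._counter = 0
        self._buf = b""

    def next_byte(self) -> int:
        if not self._buf:
            block = self._seed + self._counter.to_bytes(4, "little")
            self._buf = hashlib.sha256(block).digest()
            self._counter += 1
        value, self._buf = self._buf[0], self._buf[1:]
        return value


def generate_domain_prefix(stream: SeededStream) -> str:
    """Mirror of the GenerateDomainPrefix step: v4 in [0, 4], length v6 = v4 + 7."""
    v4 = stream.next_byte() % (MAX_LEN - MIN_LEN + 1)
    v6 = v4 + MIN_LEN
    # Reducing a byte modulo 26 slightly favours early letters; irrelevant for a DGA.
    return "".join(ALPHABET[stream.next_byte() % len(ALPHABET)] for _ in range(v6))


def generate_domains(seed: bytes, count: int = DOMAIN_COUNT) -> List[str]:
    """The outer loop from Image No. 2: build `count` prefixes and append the TLD."""
    stream = SeededStream(seed)
    return [generate_domain_prefix(stream) + TLD for _ in range(count)]


def match_dns_log(log_lines: Iterable[str], dga_domains: Set[str]) -> List[str]:
    """Defender side: with the algorithm reimplemented, the current list can be
    blocked ahead of time. Flags queries in a DNS log that hit a generated domain.
    Assumed log format: the queried name is the last whitespace-separated field."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if fields and fields[-1].lower().rstrip(".") in dga_domains:
            hits.append(line)
    return hits


if __name__ == "__main__":
    # Constructed seed; a real DGA's seed would be recovered during reversing.
    domains = generate_domains(b"example-seed")
    print(f"{len(domains)} domains generated, e.g. {domains[:3]}")

    # Constructed log lines: one benign query and one to a generated domain.
    sample_log = [
        "2016-07-30T10:00:01 host1 query A www.example.com.",
        f"2016-07-30T10:00:02 host1 query A {domains[0]}.",
    ]
    for hit in match_dns_log(sample_log, set(domains)):
        print("DGA hit:", hit)
```

The seed is the part a defender has to recover from the binary; if a real DGA derives it from the date or another rolling value, the precomputation has to be rerun for each period, which is why a cracked algorithm rather than a static blocklist is what keeps the block current.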

The new Vawtrak samples show signs of compiler optimization, likely intended to hinder analysis and reversing, or simply to shrink the payload. Optimization changes the size and layout of the binary and makes pattern correlation with previously analyzed samples more difficult.

Figure No. 2 – Vawtrak Compiler Optimization (figure: Vawtrak's code is compiled with optimizations that shrink the payload size)

Shifts in Vawtrak's tactics likely reflect the threat actors' desire to remain relevant in the competitive cybercrime-as-a-service market, using DGA and code optimization to significantly lengthen the campaign's persistence.

Topics: Threat Analysis, Threat Intelligence, Vawtrak, Banking Trojan, Neverquest2, Malware Analysis, R.A.I.D.
