At the end of July, the PhishLabs Research, Analysis, and Intelligence Division (R.A.I.D.) found two major changes in the codebase of Vawtrak (a.k.a. Neverquest2) that significantly increase the banking Trojan’s persistence and the risk it poses to victims. We have discovered that the newest iteration of Vawtrak now uses a domain generation algorithm (DGA) to locate its command and control (C2) server. Because the C2 domains are computed by an algorithm rather than hardcoded, automated mitigation based on static domain lists is no longer adequate. Additionally, this new DGA implementation ships in a codebase that appears smaller and more efficient, possibly because of compiler optimization. That optimization prevents malware researchers from reusing their established Vawtrak analysis techniques during reversing to assist with mitigation of the threat.
To help identify the changes in the new Vawtrak codebase, the following samples were analyzed:
With Vawtrak's DGA, a list of domains is calculated using an embedded formula. The infected computer walks that domain list looking for a server that is still operational and responsive. This makes finding the malicious servers that collect the exfiltrated data much more difficult. Basic analysis tools such as IDS, next-generation firewalls, and sandboxes can only blacklist the domains that happen to be active at the time the sample is executed during analysis. Without reverse engineering the malware and cracking the algorithm, future domains cannot be blocked until they are observed communicating with an infected host, and without knowing a domain it is impossible to either take the server down or prevent communication with it. The longer criminals keep a server collecting credentials, the more money they make. By hiding their server domains behind an algorithm, the campaign becomes more resilient and a much more significant threat.
Figure No. 1 – Communication path before and after Vawtrak's DGA implementation
During the examination of the code reverse engineered from the new Vawtrak payloads, we have identified the process associated with the new algorithm. The following image (Image No. 1) shows the first function call made before the process of domain generation:
Image No. 1 – Initial Function Call Before Domain Generation Begins
Subsequently, the following function (Image No. 2) is called to actually begin the domain generation process. Inside a loop, a third function, ‘GenerateDomainPrefix’, is called to generate the domain itself without its TLD (top-level domain). That call returns to this function, where a string suffix (the TLD) is appended to the end. In this case, the suffix is always “.ru”:
Image No. 2 – Function that Begins the Domain Generation Process
The next image contains the actual domain generation algorithm (DGA). The variable ‘v4’ is assigned a random number between 0 and 4. The number ‘7’ is then added to this variable and the result is stored in another variable, ‘v6’. In essence, this function generates domain names between 7 and 11 bytes long. It is called repeatedly from the loop shown in Image No. 2, and the process continues until 150 domains have been generated. This count was predetermined by the threat actor, as the value was placed into the EDX register before processing began.
Image No. 3 – Vawtrak's Domain Generation Algorithm (DGA)
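To make the two points above concrete (the loop-plus-suffix structure of Images 2 and 3, and why cracking the algorithm lets defenders block domains before they are seen), the following is an added illustrative example written for this article, not code recovered from Vawtrak or from PhishLabs. It reproduces only the shape the post describes: a prefix of 7 + rand(0..4) characters, a fixed ".ru" suffix, and 150 domains per run. The seed handling, the SHA-256 based byte stream standing in for the malware's PRNG, and the lowercase alphabet are assumptions, so the domains it emits are not real Vawtrak C2 domains. The second half shows the defender's use: precompute the list once and match DNS query logs against it, with a looser shape filter for triage.

```python
"""Illustrative DGA shape plus a blocklist check (example code, not Vawtrak's)."""
import hashlib
import re

TLD = ".ru"                  # the post: the suffix is always ".ru"
DOMAIN_COUNT = 150           # the post: 150 domains per run (value loaded into EDX)
BASE_LEN, RAND_RANGE = 7, 5  # the post: v4 in 0..4, v6 = v4 + 7 -> 7..11 bytes
ALPHABET = "abcdefghijklmnopqrstuvwxyz"  # assumption: real alphabet not on the page


def _byte_stream(seed: bytes):
    """Deterministic byte stream by SHA-256 chaining (assumption: stands in for the real PRNG)."""
    state = seed
    while True:
        state = hashlib.sha256(state).digest()
        yield from state  # yields ints 0..255


def generate_domain_prefix(rng) -> str:
    """Mirror of the 'GenerateDomainPrefix' role: a 7..11 character label, no TLD."""
    length = BASE_LEN + next(rng) % RAND_RANGE
    return "".join(ALPHABET[next(rng) % len(ALPHABET)] for _ in range(length))


def generate_domains(seed: str, count: int = DOMAIN_COUNT) -> list:
    """The outer loop from Image No. 2: prefix + TLD, repeated 'count' times."""
    rng = _byte_stream(seed.encode())
    return [generate_domain_prefix(rng) + TLD for _ in range(count)]


# Loose shape filter for triage: any 7..11 letter label directly under .ru.
DGA_SHAPE = re.compile(r"^[a-z]{7,11}\.ru$")


def classify_queries(log_lines, blocklist):
    """Split DNS log lines ('<ts> <client> <qname>') into exact blocklist hits
    and shape-only suspects worth a second look."""
    hits, suspects = [], []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        qname = parts[2].lower().rstrip(".")  # normalise case and trailing dot
        if qname in blocklist:
            hits.append(qname)
        elif DGA_SHAPE.match(qname):
            suspects.append(qname)
    return hits, suspects


# Constructed seed and DNS log; one line deliberately queries a precomputed domain.
SEED = "2014-08-example"
PRECOMPUTED = set(generate_domains(SEED))
SAMPLE_LOG = [
    "2014-08-01T10:00:01 10.0.0.5 www.example.com",
    f"2014-08-01T10:00:02 10.0.0.5 {sorted(PRECOMPUTED)[0]}",
    "2014-08-01T10:00:03 10.0.0.7 qwertyuiop.ru",
    "2014-08-01T10:00:04 10.0.0.9 mail.example.org.",
]

if __name__ == "__main__":
    hits, suspects = classify_queries(SAMPLE_LOG, PRECOMPUTED)
    print("blocklist hits:", hits)
    print("shape-only suspects:", suspects)
```

The exact-match path is what the article argues for: once the seed and generator are known, the whole set of future domains can be pushed to a resolver or proxy blocklist ahead of time instead of waiting for each one to appear in traffic. The shape filter is deliberately weak (any short .ru label matches) and is only a prioritisation aid for analysts, not a blocking rule.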
After the algorithm successfully generates the domains, you will have a list similar to the following:
The new Vawtrak samples show signs of compiler optimization, likely done to hinder analysis and reversing, or simply to shrink the payload. The optimization changes the size and layout of the binary and makes pattern correlation with previously analyzed samples more difficult.
Figure No. 2 – Vawtrak Compiler Optimization
Shifts in Vawtrak’s tactics likely reflect a desire by the threat actors to remain relevant in the competitive cybercrime-as-a-service market by using DGA and code optimization to significantly lengthen the campaign’s persistence.