A new variant of the Vawtrak banking Trojan uses HTTPS to secure its command and control communications, and it includes support for SSL certificate pinning to evade detection in enterprise environments.
As researchers continue to discover more about the deployment of new features in Vawtrak, the Trojan's developers continue to add new security features to the sophisticated malware platform. Vawtrak's incorporation of SSL certificate pinning, reported by Fidelis Cybersecurity, follows a recent PhishLabs report that Vawtrak developers had added a domain generation algorithm (DGA) to the Trojan, which is marketed as crimeware as a service and sold privately to malicious actors.
"Vawtrak has been a very successful banking Trojan delivered via both mass spam campaigns, as well as through exploit kits," wrote Jason Reaves, security researcher at Fidelis Cybersecurity, based in Bethesda, Md., in a blog post. "Considering this, it's not surprising that actors are adding new features. While the use of DGAs and TLS [Transport Layer Security] is widespread across various crime families, SSL pinning is still rare."
The Fidelis report also analyzed the new domain generation algorithm first reported earlier this month by PhishLabs, the Charleston, S.C., cybersecurity firm. Fidelis' analysis revealed Vawtrak now uses a two-tier command and control discovery infrastructure, making it more difficult to track and block the malware from exfiltrating stolen banking credentials or updating malware code.
Hardik Modi, director of threat research at Fidelis, noted that the DGA observed in Vawtrak was "a two-stage command-and-control determination -- the DGA creates the full list of domains and the first active domain returns another, static list."
"DGAs are common across the crime landscape," Modi said. Though there was no indication of why Vawtrak developers decided to add a domain generation algorithm now, Modi suggested "it could be related to previous campaigns getting disrupted because their infrastructure was confiscated or sinkholed."
As for the use of SSL pinning in malware, Modi said it "is still fairly sparse in our observation. We have noted certificate checking in more targeted espionage tools, but don't have examples from the broader crime space."
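The two-tier discovery described above, in which the Trojan walks its generated list until the first domain that resolves, is also what makes a DGA visible to a defender: a single host produces a burst of NXDOMAIN answers for random-looking names, followed by one successful lookup for a name of the same shape. The following Python is added here as an illustration and is not code from the article, from Fidelis or from PhishLabs. It runs that heuristic over a few constructed resolver log lines; the log format (client, query name, response code) and the length, entropy and vowel-ratio thresholds are assumptions that would need tuning on real traffic.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver log lines (not from the article): "client qname rcode".
SAMPLE_LOG = """\
10.0.0.5 www.example.com NOERROR
10.0.0.5 mail.example.com NOERROR
10.0.0.7 q1kz9vxt3mlp.net NXDOMAIN
10.0.0.7 zx7hq2w4mkcy.net NXDOMAIN
10.0.0.7 p9tr3lxv8qwn.net NXDOMAIN
10.0.0.7 b4kw1mz7ytrq.net NXDOMAIN
10.0.0.7 f2nx8clmq5vt.net NXDOMAIN
10.0.0.7 hk3wq7zy1pmt.net NOERROR
10.0.0.9 cdn.example.org NOERROR
10.0.0.9 updates.example.org NXDOMAIN
"""


def shannon_entropy(s):
    """Bits of entropy per character in s (0.0 for a single repeated character)."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def second_level_label(qname):
    """Return the label just below the TLD, e.g. 'example' for www.example.com."""
    parts = qname.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def looks_generated(qname, min_len=10, min_entropy=3.0, max_vowel_ratio=0.3):
    """Crude DGA heuristic: long, high-entropy, vowel-poor second-level label.

    Thresholds are assumptions for this example; real deployments tune them
    against an allowlist and a baseline of the organisation's own traffic.
    """
    label = second_level_label(qname)
    if len(label) < min_len:
        return False
    vowels = sum(ch in "aeiou" for ch in label)
    return (shannon_entropy(label) >= min_entropy
            and vowels / len(label) < max_vowel_ratio)


def parse_line(line):
    client, qname, rcode = line.split()
    return client, qname, rcode


def find_dga_suspects(log_text, min_nx=3):
    """Map client -> generated-looking names that returned NXDOMAIN,
    keeping only clients with at least min_nx such failures (the walk
    through a generated list that a DGA produces)."""
    nx_by_client = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, qname, rcode = parse_line(line)
        if rcode == "NXDOMAIN" and looks_generated(qname):
            nx_by_client[client].append(qname)
    return {c: names for c, names in nx_by_client.items() if len(names) >= min_nx}


def first_active_generated(log_text, client):
    """First generated-looking name that actually resolved for this client:
    the candidate for the first-tier server that hands out the static list."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        c, qname, rcode = parse_line(line)
        if c == client and rcode == "NOERROR" and looks_generated(qname):
            return qname
    return None


if __name__ == "__main__":
    suspects = find_dga_suspects(SAMPLE_LOG)
    for client, names in suspects.items():
        print(f"{client}: {len(names)} NXDOMAIN hits on generated-looking names")
        print(f"  first active generated domain: {first_active_generated(SAMPLE_LOG, client)}")
```

On the constructed log only 10.0.0.7 is flagged, with five failed lookups and hk3wq7zy1pmt.net as the first generated-looking name that resolved; the single NXDOMAIN from 10.0.0.9 for a human-readable name is ignored. The point of the second function is that the NXDOMAIN burst alone identifies the infected host, while the successful lookup that follows it is what a responder would pull from the resolver logs to find the first-tier server and the static list it returns.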
Who is behind Vawtrak?
While new features and capabilities have been added to Vawtrak, it's still unclear exactly who is behind the notorious banking Trojan. "Vawtrak has a large number of modules and targets a broad array of banking and enterprise resources," Modi said. "The frequency at which updates are produced suggests dedicated development resources to us."
King Salemno, the PhishLabs malware researcher who first reported Vawtrak was using a DGA, told SearchSecurity by email, "We believe Vawtrak is maintained by Russian threat actors with experience in both cybercrime and banking." Salemno added that the Vawtrak malware "has a long history, with roots going back to the mid-2000s. The ongoing prevalence, technical skill and life span of the Trojan suggest a small but knowledgeable development team, likely ranging from three to seven people."
"All popular banking Trojans, including Vawtrak, have crews or individuals behind them constantly investing in their 'products,'" Salemno said. "If they are not updated or maintained in the current environment, they become irrelevant. The Vawtrak group has shown a very strong commitment to maintaining its strong position against other contenders."
Defending against Vawtrak
Researchers agreed Vawtrak is being distributed by a number of different vectors. "Vawtrak has recently been seen deployed as a second-stage payload via the Pony Loader -- also known as Fareit," Salemno said. "The initial infection vector -- the payload dropping Pony -- to this chain of attack has been observed from targeted attacks using weaponized Microsoft Word documents that install Bartalex."
"Our most recent observations with the techniques in the blog post were distributed using spam," Modi said. "But Vawtrak is certainly being distributed using exploit kits, too. They might be gauging for success before transitioning the new tooling to [exploit kits]."
"The current campaign where we've seen the latest updates is via spam messages with résumé, bank statement and invoice themes."
Modi added that enterprises should be aware that, with the introduction of SSL certificate checking to Vawtrak, the attackers could bypass SSL decryption technologies. "The ability to inspect SSL certificates is invaluable in these scenarios."
Salemno suggested enterprises could "protect themselves through defensive training methods that will make the users more security-conscious in an effort to weed out suspicious activity." He also suggested a good threat feed could help contain or block threats like Vawtrak.
"Banking Trojans rely on capturing credentials when victims access online banking," Modi said. "Apart from offering classic online hygiene advice, I'd say that it's tremendously beneficial to separate banking access from at-risk systems, perhaps through the use of dedicated computers or virtual machines, or at a minimum, browsers, for web surfing and online banking access."