The Fidelis Threat Research team is comprised of expert security researchers whose sole focus is generating accurate and actionable intelligence to better secure customers. Together, they represent over...
November 12, 2016
Vawtrak DGA Round 2
Vawtrak, a.k.a. Neverquest, has been a prominent trojan in the banking world and numerous researchers have reported their findings about this malware. In August 2016, we blogged about the addition of a DGA to the banking trojan known as Vawtrak. The actors behind Vawtrak reacted to this attention by adjusting their tactics – enough to warrant a change in their DGA implementation. On November 9, 2016 the Threat Research Team at Fidelis Cybersecurity noticed a Vawtrak sample that appeared to be using an updated implementation of the DGA routine.
While the differences between the DGA algorithms aren’t significant, the changes are just enough to throw off our previous analysis.
What stayed the same:
Domain length calculation
Use of LCG
Data locations in inject header
What changed:
In the second PRNG call before entering the loop, the routine now uses a parity flag to determine whether it will start with a vowel or a consonant. This is a common trick employed by DGA writers to attempt to make their domains look less like a DGA. The current implementation of this routine uses a weight on the parity. Whenever it hits the block to add a vowel, it makes the next character add 1 or 2 consonants.
Another slight update is that for every iteration of the inner loop, it increments the seed. In the case of the sample analyzed here, it does so by a static value of 2.
A side by side comparison makes these differences clear:
Figure 1: Vawtrak DGA new (left) and old (right) comparison
To demonstrate this updated algorithm, we supply the following Python snippet:

def PRNG(seed):
    # 32-bit LCG used by the sample
    seed = (seed * 0x41c64e6d) + 0x3039
    return (seed & 0xFFFFFFFF)

def vawtrak_dga_new(seed, tld, num_domains):
    # Generate domains
    seed_mask = 0x7fffffff
    cons = "cdfghlmnrstw"
    vowels = "aeiou"
    for i in range(num_domains):
        seed = PRNG(seed)
        rem = (seed & seed_mask) % 5        # domain length is rem + 7, i.e. 7..11
        seed = PRNG(seed)
        parity = (seed & seed_mask) & 1     # 1: start with a consonant, 0: start with a vowel
        rem += 7
        dom = ""
        for j in range(rem):
            seed = (seed + 2) & 0xFFFFFFFF  # seed is incremented by a static 2 every iteration
            seed = PRNG(seed)
            tmp = seed & seed_mask
            if parity > 0:
                parity -= 1
                dom += cons[tmp % 12]
            else:
                dom += vowels[tmp % 5]
                seed = PRNG(seed)
                parity = ((seed & seed_mask) & 1) + 1   # weighted parity: next 1 or 2 consonants
        print(dom + tld)
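As an added example (not Fidelis code), the same routine returning a list, with the per-character seed increment exposed as a `step` parameter (an assumption; the analysed sample uses 2), plus a structural pre-filter derived from the parity trick that screens DNS query logs for labels shaped like this DGA's output; the log lines are constructed.

```python
CONS, VOW, MASK31 = "cdfghlmnrstw", "aeiou", 0x7FFFFFFF   # from the sample
def prng(seed):
    return (seed * 0x41C64E6D + 0x3039) & 0xFFFFFFFF       # same LCG as above
def vawtrak_dga_new(seed, tld, num_domains, step=2):
    # step: per-character seed increment, 2 in this sample (hypothetical parameter)
    out = []
    for _ in range(num_domains):
        seed = prng(seed)
        length = (seed & MASK31) % 5 + 7                   # 7..11 characters
        seed = prng(seed)
        parity = (seed & MASK31) & 1                       # 0: start on a vowel
        label = ""
        for _ in range(length):
            seed = prng((seed + step) & 0xFFFFFFFF)
            tmp = seed & MASK31
            if parity:
                parity -= 1
                label += CONS[tmp % 12]
            else:
                label += VOW[tmp % 5]
                seed = prng(seed)
                parity = ((seed & MASK31) & 1) + 1         # then 1 or 2 consonants
        out.append(label + tld)
    return out

def looks_like_vawtrak_label(label):
    """Structure every label from the routine above must have: 17-letter
    alphabet, 7..11 chars, no two vowels in a row, consonant runs of at most
    two, at most one leading consonant. A pre-filter, not proof of infection."""
    if not 7 <= len(label) <= 11:
        return False
    run = 0
    for i, ch in enumerate(label):
        if ch in CONS:
            run += 1
        elif ch in VOW and (i == 0 or label[i - 1] in CONS):
            run = 0
        else:                                   # foreign letter or double vowel
            return False
        if run > 2 or (run == 2 and i == 1):    # run too long / two leading
            return False
    return True
SAMPLE_LOG = ["2016-11-12T10:00:01 10.0.0.5 query www.google.com",  # constructed
              "2016-11-12T10:00:02 10.0.0.5 query cadoguha.com",
              "2016-11-12T10:00:03 10.0.0.7 query facebook.com"]
def scan_dns_log(lines):
    """(line number, qname) for 'ts client query qname' lines that fit."""
    return [(n, p[3]) for n, p in enumerate((l.split() for l in lines), 1)
            if len(p) >= 4 and p[2] == "query"
            and looks_like_vawtrak_label(p[3].split(".")[0])]
```

Labels that pass the filter are candidates to compare against the domains regenerated from a recovered seed, not detections on their own.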
Conclusion
Vawtrak has been a very successful banking trojan delivered via both mass spam campaigns as well as through exploit kits. The developers appear willing to invest time and resources into protecting their bots and C2 infrastructure — and security teams, researchers and the banking industry should take note.
Decoders created as part of this analysis have been added to Fidelis Barncat.