Vawtrak DGA Round 2

Author
Threat Research Team

Vawtrak, a.k.a. Neverquest, has been a prominent banking trojan, and numerous researchers have published findings about it. In August 2016 we blogged about the addition of a DGA to Vawtrak (see reference 2). The actors behind Vawtrak reacted to this attention by adjusting their tactics, enough to warrant a change in their DGA implementation. On November 9, 2016 the Threat Research Team at Fidelis Cybersecurity noticed a Vawtrak sample that appeared to use an updated implementation of the DGA routine.

The sample we analyzed was delivered by Hancitor embedded in a Word document, using the recently documented technique of loading the payload directly in memory rather than dropping it to disk (see references 3 to 5).

DGA

While the differences between the two DGA algorithms are small, they are enough to break the decoder from our previous analysis: domains predicted by the old routine no longer match what the new sample generates.

What stayed the same:

  • Domain length calculation
  • Use of LCG
  • Data locations in inject header

What changed:

  • In the second PRNG call before entering the loop, the routine now uses the low bit of the output as a parity flag that decides whether the domain starts with a vowel or a consonant. Alternating vowels and consonants is a common trick DGA authors use to make generated domains look pronounceable and less like random strings. The current implementation weights the parity: every time the loop emits a vowel, it calls the PRNG again and sets the flag so that the next 1 or 2 characters are consonants.
  • Another slight update is that on every iteration of the inner loop the routine increments the seed before calling the PRNG. In the sample analyzed here it adds a static value of 2.

A side by side comparison makes these differences clear:


Figure 1 Vawtrak DGA new (left) and old (right) comparison

The following Python snippet reproduces the updated algorithm:

def PRNG(seed):
    # Linear congruential generator with the glibc rand() constants, truncated to 32 bits
    seed = (seed * 0x41c64e6d) + 0x3039
    return seed & 0xFFFFFFFF

def vawtrak_dga_new(seed, tld, num_domains):
    # Generate domains
    seed_mask = 0x7fffffff
    cons = "cdfghlmnrstw"
    vowels = "aeiou"
    for i in range(num_domains):
        seed = PRNG(seed)
        rem = (seed & seed_mask) % 5       # domain length is 7 to 11 characters
        seed = PRNG(seed)
        parity = (seed & seed_mask) & 1    # 0: start with a vowel, 1: start with one consonant
        rem += 7
        dom = ""
        for j in range(rem):
            seed = (seed + 2) & 0xFFFFFFFF     # new: seed incremented by a static 2 on every iteration
            seed = PRNG(seed)
            tmp = seed & seed_mask
            if parity > 0:
                parity -= 1
                dom += cons[tmp % 12]
            else:
                dom += vowels[tmp % 5]
                seed = PRNG(seed)
                parity = ((seed & seed_mask) & 1) + 1    # the next 1 or 2 characters are consonants
        print(dom + tld)
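As an added example that is not part of the original post, the snippet below turns the character rules of the updated routine into a structural filter that can be run over DNS query logs. The generator is the same algorithm as above, rewritten to return a list so its output can be checked against the filter; the seed value, the TLD and the log lines are constructed for illustration and are not taken from the sample. The filter accepts only labels the new routine could emit: 7 to 11 characters drawn from its twelve consonants and five vowels, at most one leading consonant, no two adjacent vowels, and never more than two consonants in a row.

```python
import re

# Added example, not code from the original post. The seed, TLD and log lines
# below are constructed for illustration.

CONS = "cdfghlmnrstw"
VOWELS = "aeiou"
MASK = 0x7FFFFFFF

# Shape of a label the updated routine can emit: at most one leading consonant,
# then vowels each followed by one or two consonants (the run after the final
# vowel may be cut short by the length limit). Length is checked separately.
_SHAPE = re.compile(r"[cdfghlmnrstw]?(?:[aeiou][cdfghlmnrstw]{1,2})*[aeiou]?")


def prng(seed):
    # Same LCG as the article's PRNG(), truncated to 32 bits.
    return ((seed * 0x41C64E6D) + 0x3039) & 0xFFFFFFFF


def vawtrak_domains(seed, tld, num_domains):
    """Run the updated routine and return the domains instead of printing them."""
    domains = []
    for _ in range(num_domains):
        seed = prng(seed)
        length = (seed & MASK) % 5 + 7            # 7..11 characters
        seed = prng(seed)
        parity = (seed & MASK) & 1                # 1: one consonant first, 0: vowel first
        label = ""
        for _ in range(length):
            seed = prng((seed + 2) & 0xFFFFFFFF)  # static +2 before each PRNG call
            tmp = seed & MASK
            if parity > 0:
                parity -= 1
                label += CONS[tmp % 12]
            else:
                label += VOWELS[tmp % 5]
                seed = prng(seed)
                parity = ((seed & MASK) & 1) + 1  # 1 or 2 consonants follow every vowel
        domains.append(label + tld)
    return domains


def structural_match(label):
    """True if `label` has the length and letter pattern of the updated DGA."""
    return 7 <= len(label) <= 11 and _SHAPE.fullmatch(label) is not None


def triage(log_text):
    """Return query names from whitespace-separated log lines whose second-level
    label fits the DGA shape. Assumes the query name is the last field."""
    flagged = []
    for line in log_text.splitlines():
        fields = line.split()
        if not fields:
            continue
        qname = fields[-1].rstrip(".").lower()
        labels = qname.split(".")
        if len(labels) >= 2 and structural_match(labels[-2]):
            flagged.append(qname)
    return flagged


# Constructed DNS log excerpt: one DGA-shaped label, one real word that happens
# to fit the shape, and two names that do not.
SAMPLE_LOG = """\
2016-11-09T13:01:07Z 10.1.2.30 query A www.microsoft.com
2016-11-09T13:01:09Z 10.1.2.30 query A update.googleapis.com
2016-11-09T13:01:12Z 10.1.2.30 query A tacendomas.com
2016-11-09T13:01:15Z 10.1.2.30 query A mail.example.org
"""

if __name__ == "__main__":
    for dom in vawtrak_domains(0x1234ABCD, ".com", 5):   # arbitrary seed
        print(dom, structural_match(dom[:-len(".com")]))
    print(triage(SAMPLE_LOG))
```

Because the routine was built to produce pronounceable output, an ordinary word spelled from the same letters (microsoft is one) also passes the filter, so treat a match as a triage signal to be confirmed against seeded output or passive DNS, not as a verdict.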

Conclusion

Vawtrak has been a very successful banking trojan delivered via both mass spam campaigns as well as through exploit kits. The developers appear willing to invest time and resources into protecting their bots and C2 infrastructure — and security teams, researchers and the banking industry should take note.

Decoders created as part of this analysis have been added to Fidelis Barncat.

References:

1) https://info.phishlabs.com/blog/vawtrak-/-neverquest2-adopts-new-methods-to-increase-persistence

2) https://fidelissecurity.com/threatgeek/archive/vawtrak-trojan-bank-it-evolving/

3) https://researchcenter.paloaltonetworks.com/2016/08/unit42-vb-dropper-and-shellcode-for-hancitor-reveal-new-techniques-behind-uptick/

4) https://isc.sans.edu/diary/Hancitor%2BMaldoc%2BBypasses%2BApplication%2BWhitelisting/21683

5) https://www.proofpoint.com/us/threat-insight/post/hancitor-ruckguv-reappear

IOC data:

MacroDoc:

MD5: 88d60c264a9c3426c081a2cb56e3a879

SHA256: 2e97ef42f24d6d8d53012c42029554061a7ab2537919e234f678c57fd4eccfd6

Hancitor:

MD5: d663b29237f954ff694b69ee31797095

SHA256: 8c3f4d16d09eeeab6feeab50ae82f928f2ff0b34f0a126c359f37d269f3f4214

Vawtrak:

MD5: 19f8bc63e882fbe7affccd814602638b

SHA256: edc45d14797e496726c2e27f127ac3e6b49efc5e6fc38e7459b651bcf173ecaf

Pony:

MD5: 7378b75f2fe85f3eaad925d743d86543

SHA256: 7d4234e487eb5513e3dfcdfb00c90afa375af6a350e6f3232adcc40731b09365

Pony URLs:

hxxp://tofrentaleft.ru/zapoy/gate.php

hxxp://lighfaransit.ru/zapoy/gate.php

hxxp://rendingrolhem.com/zapoy/gate.php

Hancitor URLs:

hxxp://rendingrolhem.com/ls5/gate.php

hxxp://tofrentaleft.ru/ls5/gate.php

hxxp://lighfaransit.ru/ls5/gate.php

Hancitor downloads:

hxxp://www.lupaprod.com/wp-content/themes/invictus_3.3.3/pm.dll

hxxp://internetbudi.com.br/wp-content/plugins/googleanalytics/pm.dll

hxxp://triozift.nl/wp-admin/pm.dll

hxxp://timesessions.com.kosmos.ch-meta.net/wp-includes/pm.dll

hxxp://www.mindadv.com/wp-content/plugins/ninja-forms/pm.dll

hxxp://gailrobinsonconsulting.net/wp-content/themes/avamys/pm.dll

hxxp://www.lupaprod.com/wp-content/themes/invictus_3.3.3/inst.exe

hxxp://internetbudi.com.br/wp-content/plugins/googleanalytics/inst.exe

hxxp://triozift.nl/wp-admin/inst.exe

hxxp://timesessions.com.kosmos.ch-meta.net/wp-includes/inst.exe

hxxp://www.mindadv.com/wp-content/plugins/ninja-forms/inst.exe

hxxp://gailrobinsonconsulting.net/wp-content/themes/avamys/inst.exe

-Fidelis Cybersecurity Threat Team Researcher Jason Reaves
