Vawtrak, a.k.a. Neverquest, has been a prominent banking trojan, and numerous researchers have published findings about it. In August 2016, we blogged about the addition of a DGA to Vawtrak. The actors behind Vawtrak reacted to this attention by adjusting their tactics, enough to warrant a change in their DGA implementation. On November 9, 2016, the Threat Research Team at Fidelis Cybersecurity noticed a Vawtrak sample that appeared to be using an updated implementation of the DGA routine.
The sample we analyzed was delivered by Hancitor embedded in a Word document, using the recently documented technique of loading the payload in memory.
While the differences between the two DGA algorithms are not large, they are just enough to break the decoder from our previous analysis.
What stayed the same:
What changed:
A side by side comparison makes these differences clear:
Figure 1 Vawtrak DGA new (left) and old (right) comparison
To demonstrate this updated algorithm, here is a Python snippet that reproduces it:

def PRNG(seed):
    # 32-bit linear congruential generator (the 1103515245 / 12345 constants
    # familiar from ANSI C rand()), truncated to 32 bits on every step
    seed = (seed * 0x41c64e6d) + 0x3039
    return (seed & 0xFFFFFFFF)

def vawtrak_dga_new(seed, tld, num_domains):
    # Generate domains
    seed_mask = 0x7fffffff
    cons = "cdfghlmnrstw"
    vowels = "aeiou"
    for i in range(num_domains):
        seed = PRNG(seed)
        rem = (seed & seed_mask) % 5
        seed = PRNG(seed)
        parity = (seed & seed_mask) & 1
        rem += 7                          # label length is 7 to 11 characters
        dom = ""
        for j in range(rem):
            seed = (seed + 2) & 0xFFFFFFFF
            seed = PRNG(seed)
            tmp = seed & seed_mask
            if parity > 0:
                # consonant; parity counts the consonants still to emit
                parity -= 1
                dom += cons[tmp % 12]
            else:
                # vowel, then pick whether 1 or 2 consonants follow it
                dom += vowels[tmp % 5]
                seed = PRNG(seed)
                parity = ((seed & seed_mask) & 1) + 1
        print(dom + tld)
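As an added example (our illustration here, not code from the Fidelis post or the Vawtrak decoder), the same algorithm is rewritten to return the domains as a list for blocklisting, paired with a seed-free shape check derived from the consonant/vowel alternation rule, and both are run over a few constructed DNS log lines. The seed value 1, the .com TLD and the log lines are placeholders: the post does not say how the bot derives its seed or which TLDs it uses.

```python
import re
from typing import List, Tuple

# Added example, not code from the Fidelis post. prng() and vawtrak_dga_new()
# follow the post's snippet step for step; the seed, TLD and DNS log lines
# below are constructed placeholders, because the post does not say how the
# bot derives its seed or which TLDs it uses.

MASK32 = 0xFFFFFFFF
SEED_MASK = 0x7FFFFFFF
CONSONANTS = "cdfghlmnrstw"
VOWELS = "aeiou"


def prng(seed: int) -> int:
    """One step of the DGA's 32-bit LCG (multiplier 0x41c64e6d, increment 0x3039)."""
    return (seed * 0x41C64E6D + 0x3039) & MASK32


def vawtrak_dga_new(seed: int, tld: str, num_domains: int) -> List[str]:
    """Same sequence as the post's snippet, returned as a list instead of printed."""
    domains = []
    for _ in range(num_domains):
        seed = prng(seed)
        length = (seed & SEED_MASK) % 5 + 7        # label is 7..11 characters
        seed = prng(seed)
        consonants_left = (seed & SEED_MASK) & 1   # start with 0 or 1 consonant
        label = ""
        for _ in range(length):
            seed = prng((seed + 2) & MASK32)
            value = seed & SEED_MASK
            if consonants_left > 0:
                consonants_left -= 1
                label += CONSONANTS[value % 12]
            else:
                label += VOWELS[value % 5]
                seed = prng(seed)
                consonants_left = ((seed & SEED_MASK) & 1) + 1   # 1 or 2 consonants next
        domains.append(label + tld)
    return domains


# Every label the generator can emit is a prefix of C?(V CC?)*: at most one
# leading consonant, vowels never adjacent, consonant runs of length 1 or 2.
LABEL_SHAPE = re.compile(r"[cdfghlmnrstw]?(?:[aeiou][cdfghlmnrstw]{1,2})*[aeiou]?")


def looks_like_vawtrak_label(label: str) -> bool:
    """Seed-free triage check on one DNS label (a heuristic, not a verdict)."""
    return 7 <= len(label) <= 11 and LABEL_SHAPE.fullmatch(label) is not None


def find_dga_queries(log_lines: List[str], seed: int, tld: str,
                     num_domains: int) -> List[Tuple[str, str]]:
    """Flag queried names that are in the generated set ("exact") or that
    merely have the DGA label shape ("shape").
    Assumed log line format: "<timestamp> <client> <qname>"."""
    known = set(vawtrak_dga_new(seed, tld, num_domains))
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue                      # skip malformed lines
        qname = parts[2].lower().rstrip(".")
        if qname in known:
            hits.append((qname, "exact"))
        elif looks_like_vawtrak_label(qname.split(".")[0]):
            hits.append((qname, "shape"))
    return hits


# Constructed sample log: three ordinary names plus one name taken from the
# generator (seed 1 is a placeholder, not a recovered Vawtrak seed).
GENERATED = vawtrak_dga_new(1, ".com", 5)
SAMPLE_DNS_LOG = [
    "2016-11-09T10:00:01Z 10.0.0.5 www.example.com",
    "2016-11-09T10:00:02Z 10.0.0.5 " + GENERATED[2],
    "2016-11-09T10:00:03Z 10.0.0.7 mail.example.org",
    "2016-11-09T10:00:04Z 10.0.0.7 cataract.example.net",
]

if __name__ == "__main__":
    for domain in GENERATED:
        print(domain)
    for qname, how in find_dga_queries(SAMPLE_DNS_LOG, 1, ".com", 5):
        print(how, qname)
```

The exact match is the useful one, but it needs the seed; the shape check only narrows the search and will also match ordinary words built from the same letters (the constructed cataract.example.net line is flagged as "shape" for exactly that reason), so treat it as a triage filter to combine with query volume or NXDOMAIN counts rather than as a detection on its own.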
Vawtrak has been a very successful banking trojan delivered via both mass spam campaigns as well as through exploit kits. The developers appear willing to invest time and resources into protecting their bots and C2 infrastructure — and security teams, researchers and the banking industry should take note.
Decoders created as part of this analysis have been added to Fidelis Barncat.
References:
1) https://info.phishlabs.com/blog/vawtrak-/-neverquest2-adopts-new-methods-to-increase-persistence
2) https://fidelissecurity.com/threatgeek/archive/vawtrak-trojan-bank-it-evolving/
4) https://isc.sans.edu/diary/Hancitor%2BMaldoc%2BBypasses%2BApplication%2BWhitelisting/21683
5) https://www.proofpoint.com/us/threat-insight/post/hancitor-ruckguv-reappear
IOC data (hashes are MD5 and SHA256; URLs are defanged with hxxp):
MacroDoc:
88d60c264a9c3426c081a2cb56e3a879
2e97ef42f24d6d8d53012c42029554061a7ab2537919e234f678c57fd4eccfd6
Hancitor:
d663b29237f954ff694b69ee31797095
8c3f4d16d09eeeab6feeab50ae82f928f2ff0b34f0a126c359f37d269f3f4214
Vawtrak:
19f8bc63e882fbe7affccd814602638b
edc45d14797e496726c2e27f127ac3e6b49efc5e6fc38e7459b651bcf173ecaf
Pony:
7378b75f2fe85f3eaad925d743d86543
7d4234e487eb5513e3dfcdfb00c90afa375af6a350e6f3232adcc40731b09365
Pony C2:
hxxp://tofrentaleft.ru/zapoy/gate.php
hxxp://lighfaransit.ru/zapoy/gate.php
hxxp://rendingrolhem.com/zapoy/gate.php
Hancitor C2:
hxxp://rendingrolhem.com/ls5/gate.php
hxxp://tofrentaleft.ru/ls5/gate.php
hxxp://lighfaransit.ru/ls5/gate.php
Hancitor downloads:
hxxp://www.lupaprod.com/wp-content/themes/invictus_3.3.3/pm.dll
hxxp://internetbudi.com.br/wp-content/plugins/googleanalytics/pm.dll
hxxp://triozift.nl/wp-admin/pm.dll
hxxp://timesessions.com.kosmos.ch-meta.net/wp-includes/pm.dll
hxxp://www.mindadv.com/wp-content/plugins/ninja-forms/pm.dll
hxxp://gailrobinsonconsulting.net/wp-content/themes/avamys/pm.dll
hxxp://www.lupaprod.com/wp-content/themes/invictus_3.3.3/inst.exe
hxxp://internetbudi.com.br/wp-content/plugins/googleanalytics/inst.exe
hxxp://triozift.nl/wp-admin/inst.exe
hxxp://timesessions.com.kosmos.ch-meta.net/wp-includes/inst.exe
hxxp://www.mindadv.com/wp-content/plugins/ninja-forms/inst.exe
hxxp://gailrobinsonconsulting.net/wp-content/themes/avamys/inst.exe
-Fidelis Cybersecurity Threat Team Researcher Jason Reaves