Free Trial
Schedule Demo
The Fidelis Threat Research team is comprised of expert security researchers whose sole focus is generating accurate and actionable intelligence to better secure customers. Together, they represent over... Read More
Comments
On May 12, 2016, Fidelis Cybersecurity witnessed an update to Vawtrak malware, a banking trojan, spread via an email campaign using subpoena- and lawsuit-related themes. The configurations observed in this campaign point to an attempt to harvest user credentials when visiting accounts on major financial websites in the U.S. and U.K., such as ADP, Capital One, Citibank, Lloyds Bank, etc. The downloaded Vawtrak malware displays characteristics unlike previously seen variants, including new obfuscation and potential antivirus injection. The full list of targets and details around the technical evolution are discussed in detail below. Further, we’re publishing an IDA decoder script to aid fellow researchers.
Vawtrak (aka Neverquest) is a modularized banking trojan active since at least 2013. Banking trojans are malware designed to steal your credentials through various methods (harvesting, keylogging, Man-In-The-Browser, etc.). Historically, Vawtrak has been broken down into “projects” by researchers; the current campaign is referred to as Vawtrak project id: 82.
Vawtrak has been observed being pushed both by Angler Exploit Kit and spam campaigns utilizing many delivery mechanisms. In this campaign, the malware utilizes a macro document that drops and executes an embedded executable file, the downloader H1N1, which then downloads a pony dll and Vawtrak. It has a larger target list when compared to other banking trojans (See “Project 82 Targets” below), includes a tested and expansive webinject system, and comes with at least five modules that are commonly downloaded in both 32- and 64-bit variety: injecter_(32|64).dll, dg_(32|64).dll, keylog_(32|64).dll, pony_(32|64).dll and bc_(32|64).dll.
Once Vawtrak makes it to disk, it commonly uses the same loader program to inject the AP32 compressed DLL, depending on whether the system is 32- or 64-bit architecture.
1. The strings are encoded using a linear congruential generator (LCG) fed by a psuedorandom number generator (PRNG) (#4 and #5). The strings in this loader were encoded the same way as the dll strings.
Decoded strings
cookingwithme[.]date
GET /?id=%0.8X00%0.4X
Host: %s
https:// %s/?id=%0[.]8X01%0[.]4X
ns#Sophos#AgentSv#McTray#avp#fshoster32#egui#dwengine#vsserv#avgidsagent#Avira.ServiceHost#AvastSvc
2. The traffic pattern generated with these strings is not a normal Vawtrak traffic pattern. Typically, traffic would be generated by the injected dll and not the loader. If the domain resolves, then the loader generates the traffic pattern with swprintf after gathering some information about the system(VolumeID and adapter settings). In the case of this recent and updated version, the parameters passed to swprintf were in the wrong order and caused the loader to crash. This could be some sort of mechanism for trying to track new infections or, possibly, could be used to limit the loader to running only until that domain is activated.
Parameters in wrong order
Parameters fixed
Generated traffic
A Vawtrak sample later delivered by H1N1 on May 16, 2016 did not appear to contain this logic, which suggests that it’s being actively tested during development. However, the May 16 version used the domain found in the loader piece of the May 12 sample as a C2 domain.
3. Both samples contained the string of antivirus names. The loader enumerates the list of running processes, stripping off the ‘.exe’ of each one and then seeing if the name appears in that long string.
If the string is found, then it sets a flag and immediately begins searching for explorer.exe in an attempt to inject. To test, we spun up a fake Sophos program that appeared to have been injected as suspected. Once the DLL is injected, the malware patches certain functions in memory (CreateProcessInternalW and RegGetValueW) for every process it injects, with the patched in routine looking for Chrome-related objects. We didn’t see any signs of the malware attempting to do anything specific to the injected AV processes, but the functionality could be added in the future to disable or attempt to circumvent them in some way.
Vawtrak is one of the more advanced banking trojans used by cybercriminals today. The observed changes to the malware demonstrate continued development to circumvent detection and thwart AV protection mechanisms. Since Vawtrak began to gain strength late 2015, its target list has grown steadily. As Vawtrak development continues, we expect the target list to expand and additional techniques to be leveraged to infect systems.
View the IOCs on GitHub https://github.com/fideliscyber
MD5: 5238cd34caae600b3f592e2595aa6949
IOC
foundingcast[.]com/rss/feed/stream
dringeraout[.] com/rss/feed/stream
broilerona[.]com/rss/feed/stream
bookeranto[.]com/rss/feed/stream
vineriadana[.]com/rss/feed/stream
greyscrolling[.]com/rss/feed/stream
solidarepapero[.]com/rss/feed/stream
svenorta[.]com/rss/feed/stream
Webinjects:
Silvmafo[.]net
MD5: 6fad86a0fcc912f32474f6c7a86fe37a
IOC:
goodtrade[.]bid/rss/feed/stream
todaywith[.]date/rss/feed/stream
quicklinks[.]download/rss/feed/stream
beproudof[.]faith/rss/feed/stream
takeaphoto[.]loan/rss/feed/stream
oldblackman[.]party/rss/feed/stream
fastblackspeed[.]racing/rss/feed/stream
cangetyour[.]review/rss/feed/stream
epicsimple[.]science/rss/feed/stream
fastandeasy[.]trade/rss/feed/stream
seeyounow[.]webcam/rss/feed/stream
championinred[.]win/rss/feed/stream
chalengeforyou[.]win/rss/feed/stream
cookingwithme[.]date/rss/feed/stream
Adp.com
Americanexpress.com
Barclayswealth.com
Blilk.com
Blockchain.info/wallet/
Bankofamerica.com
Tdbank.com
Capitalonebank.com
Chase.com
Cibc.com
Citibank.com
Citi.com
Db-direct.db.com
Discoverbank.com
Etrade.com
Fidelity.com
Hmrc.gov.uk
Key.com
Lanb.com
Lloydsbank.co.uk
Bankofscotland.co.uk
Myapps.paychex.com
Netteller.com
Onlinebanking.pnc.com
Schwab.com
t-mobile.com
securentrycorp..*.com
usaa.com
vanguard.com
wellsfargo.com
westlaw.com
def PRNG(seed):
seed = (seed * 0x41c64e6d) + 0x3039
return (seed & 0xFFFFFFFF)
#Unpacked loader – Md5: 3678dc31a2be281fa7ed178d535364fb
for addr in XrefsTo(0x401a1b, flags=0):
#Unpacked dll – Md5: 54db3f86aabaf3e87016bcff923dba41
#for addr in XrefsTo(0x10007df8, flags=0):
addr = addr.frm
#print(hex(addr))
addr = idc.PrevHead(addr)
while GetMnem(addr) != “push”:
addr = idc.PrevHead(addr)
print(hex(addr))
#Get first param pushed which is address of domain
data_addr = GetOperandValue(addr,0)
init_seed = Dword(data_addr)
data_addr += 4
xork = Dword(data_addr)
data_addr += 4
length = (init_seed ^ xork) >> 16
out = “”
for i in range(length):
init_seed = PRNG(init_seed)
out += chr((Byte(data_addr) – (init_seed & 0xFF)) & 0xFF)
data_addr += 1
if out[-2:] == ‘x00x00’:
print(out.decode(‘utf16’))
else:
print(out)
addr = 0x1000f8a0
for i in range(10):
data_addr = Dword(addr)
addr += 4
init_seed = Dword(data_addr)
data_addr += 4
xork = Dword(data_addr)
data_addr += 4
length = (init_seed ^ xork) >> 16
out = “”
for i in range(length):
init_seed = PRNG(init_seed)
out += chr((Byte(data_addr) – (init_seed & 0xFF)) & 0xFF)
data_addr += 1
print(out)
-Jason Reaves, Threat Researcher