The Vawtrak malware that gained fame in attacks against banks and other financial institutions has now been updated. The attack tool has been used successfully in various attacks since its inception. Its developers have added a new domain generation algorithm (DGA) and SSL pinning capabilities to their creation. Everything points to the conclusion that the criminals behind this sophisticated software are earning a solid income from it.
The Complexity of Vawtrak
Vawtrak is famous for its complexity. In January, security experts analyzed the malware's code in detail. The resulting data showed that the Trojan is built in several layers, organized by level of complexity. Vawtrak's behavior is set to execute complex steps: decrypting blocks of data, calling binaries and using its built-in rich feature set. The malicious operations are carried out in the Trojan's virtual memory space.
Covert tactics are used as well: the malware fools the user by dropping an image file, an action intended to misdirect the victim's attention. While their attention is on the graphics file, the malware removes software protection features and hides itself from antimalware applications. Once Vawtrak has been deployed, it creates registry entries to ensure its activation upon computer restarts.
The Trojan is used against social media networks, retail stores, and online gaming portals. It has been modified to eavesdrop on banking sessions, modify web traffic data, overcome encryption setups and steal sensitive data. Banks and financial institutions are among the biggest targets of the Trojan.
Vawtrak’s New Features
In its most recent update, the Trojan gained a new domain generation algorithm and SSL pinning capabilities. The DGA uses a pseudorandom number generator that is part of its loader. The developers have integrated this feature efficiently: the code is heavily optimized, and the compiler optimizations used guarantee faster performance. The attacks are also more successful because the newest iteration derives its domains from a complex algorithm instead of using hardcoded ones. Security experts note that automated protection systems are not very effective against such measures.
The SSL pinning feature gives Vawtrak the ability to evade scenarios where SSL man-in-the-middle agents are placed in the network. Such measures are typical in corporate environments, where a lot of network equipment is deployed to organize the network layout.
Vawtrak is spread through mass spam campaigns and exploit kits. As these new features spread among malicious users, security experts and large corporations should be concerned by the potential damage Trojans such as this one may cause. The SSL pinning feature is not very typical even for complex malware like Vawtrak, and that makes it even more dangerous.
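Since the domains are generated rather than hardcoded, a defender cannot simply blocklist them; one practical detection approach is to flag algorithm-looking domain names and bursts of NXDOMAIN responses in DNS logs. The script below is an added example written for this article, not code from the page and not a reconstruction of Vawtrak's actual DGA (whose algorithm the page does not describe). The log lines, the log format, the hostnames and the scoring thresholds (label length, Shannon entropy, vowel ratio, NXDOMAIN count) are all constructed assumptions for illustration.

```python
import math
import re
from collections import Counter

# Constructed sample DNS log (timestamp, client host, query type, name, answer).
# These names are made up for the example and are NOT real Vawtrak indicators.
SAMPLE_DNS_LOG = """\
2015-03-10T09:12:01Z host-17 A www.example.com 93.184.216.34
2015-03-10T09:12:02Z host-17 A mail.example.org 198.51.100.7
2015-03-10T09:12:05Z host-17 A xk7qz2pvb9wrt.net NXDOMAIN
2015-03-10T09:12:05Z host-17 A f3h8ndq1lsm4c.com NXDOMAIN
2015-03-10T09:12:06Z host-17 A q9w2ertz7uvbx.org NXDOMAIN
2015-03-10T09:12:09Z host-17 A cdn.example.net 203.0.113.9
"""

# Assumed log layout: five whitespace-separated fields per line.
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<qtype>\S+)\s+(?P<qname>\S+)\s+(?P<answer>\S+)$"
)
VOWELS = set("aeiou")


def registrable_label(domain: str) -> str:
    """Return the label left of the TLD (naive: treats the last label as the suffix)."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random-looking strings score high."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def vowel_ratio(s: str) -> float:
    """Fraction of alphabetic characters that are vowels; natural words sit well above 0.25."""
    letters = [ch for ch in s if ch.isalpha()]
    if not letters:
        return 0.0
    return sum(ch in VOWELS for ch in letters) / len(letters)


def looks_generated(domain: str, min_len: int = 10, min_entropy: float = 3.0,
                    max_vowel_ratio: float = 0.25) -> bool:
    """Heuristic: long, high-entropy, vowel-poor labels are typical of DGA output.
    Thresholds are assumptions for this example, not tuned against real malware."""
    label = registrable_label(domain)
    if len(label) < min_len:
        return False
    return shannon_entropy(label) >= min_entropy and vowel_ratio(label) <= max_vowel_ratio


def analyze_dns_log(text: str, nxdomain_threshold: int = 3) -> dict:
    """Scan log text for DGA-like names and for hosts with many NXDOMAIN answers.
    Infected hosts typically query many generated names that do not resolve
    before they hit the one the operator registered, hence the burst check."""
    suspicious = []
    nx_per_host = Counter()
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than failing the whole scan
        host, qname, answer = m["host"], m["qname"], m["answer"]
        if answer == "NXDOMAIN":
            nx_per_host[host] += 1
        if looks_generated(qname):
            suspicious.append((host, qname))
    bursting = sorted(h for h, n in nx_per_host.items() if n >= nxdomain_threshold)
    return {"suspicious_domains": suspicious, "nxdomain_bursts": bursting}


if __name__ == "__main__":
    result = analyze_dns_log(SAMPLE_DNS_LOG)
    for host, name in result["suspicious_domains"]:
        print(f"DGA-like query from {host}: {name}")
    for host in result["nxdomain_bursts"]:
        print(f"NXDOMAIN burst from {host}")
```

The two signals are deliberately combined: entropy alone misfires on legitimate CDN or tracking hostnames, while an NXDOMAIN burst from a single client is a strong corroborating sign that something on that host is walking through a generated list.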