Some versions of the Vawtrak banking malware, also known as Neverquest, have been found to hide their command and control servers on the Tor anonymity network, which helps explain why the cybercriminal operation has become so difficult to detect and disrupt.
Many versions of the Vawtrak banking malware depend on hard-coded IP addresses for their command and control operations. However, this approach makes the domains used to send commands to compromised machines relatively easy to identify through threat analysis techniques.
Another technique for improving the resiliency of Vawtrak involves a domain generation algorithm (DGA). The DGA creates a set of domain names that the malware uses to receive commands.
Cybercriminals register only a small fraction of these domains, because Vawtrak checks each name in turn until it receives the required response.
Fortinet’s Raul Alvarez explains how this piece of malware works. According to Alvarez, Vawtrak’s code contains multiple DWORD values, each of which corresponds to a different domain name.
In his blog post, Alvarez stated:
“Each DWORD value is a seed used to generate the domain name. These seeds are stored as fixed values within the malware code, thereby producing the same pseudo-randomized domain names. To generate the corresponding domain name, Vawtrak uses the seed to generate the pseudo-randomized characters of the domain name.”
However, researchers can easily recover the generated strings by breaking the algorithm, so this is not an infallible technique.
Newer versions of the threat depend on Tor2Web, a proxy that provides a direct link to a Tor server without additional tools.
The strings created by the DGA are Tor locations, and the author has implemented a function that passes them through the Tor2Web proxy service.
Although it is possible to trace a user who connects to this proxy service, the connections made afterwards are not traceable. This is because Tor’s traffic is encrypted and routed through multiple machines, which keep no record of the traffic, including its origin and destination. As a result, users can access a server with complete anonymity.
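As an added illustration (not code from Alvarez’s post and not Vawtrak’s algorithm), the sketch below shows what fixed seeds and Tor2Web gateways mean for a defender: candidate labels can be regenerated from recovered seeds and matched against DNS logs, and onion-style labels queried under a gateway domain can be flagged. The LCG, the seed values, the log format and the gateway list are all assumptions made for the example.

```python
import re

# Assumption: analyst-maintained list of Tor2Web-style gateway domains.
GATEWAYS = ("tor2web.org", "gateway.example")
# Onion hostnames are base32 labels (16 chars for v2, 56 for v3).
ONION_LABEL = re.compile(r"^(?:[a-z2-7]{16}|[a-z2-7]{56})$")

def candidate_label(seed, length=16):
    """Stand-in 32-bit LCG (NOT Vawtrak's generator): fixed seed -> fixed label."""
    state = seed & 0xFFFFFFFF
    out = []
    for _ in range(length):
        state = (state * 1103515245 + 12345) & 0xFFFFFFFF
        out.append(chr(ord("a") + (state >> 16) % 26))
    return "".join(out)

def classify(qname, candidates):
    """Return the reasons a queried name deserves a closer look."""
    name = qname.lower().rstrip(".")
    label = name.split(".", 1)[0]
    reasons = []
    if label in candidates:
        reasons.append("seed-derived label")
    if ONION_LABEL.match(label) and any(name.endswith("." + g) for g in GATEWAYS):
        reasons.append("onion label via Tor2Web gateway")
    return reasons

def scan(log_lines, seeds):
    """Return (client, qname, reasons) for each suspicious DNS log line."""
    candidates = {candidate_label(s) for s in seeds}
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        _ts, client, qname = parts
        reasons = classify(qname, candidates)
        if reasons:
            hits.append((client, qname, reasons))
    return hits

SEEDS = [0x1A2B3C4D, 0x0BADF00D]  # constructed, standing in for recovered DWORDs
SAMPLE_LOG = [  # constructed DNS log lines: timestamp client qname
    "2015-06-01T10:00:01Z 10.0.0.5 www.example.com",
    f"2015-06-01T10:00:07Z 10.0.0.9 {candidate_label(SEEDS[0])}.com",
    f"2015-06-01T10:00:09Z 10.0.0.9 {candidate_label(SEEDS[1])}.tor2web.org",
    "2015-06-01T10:00:12Z 10.0.0.7 abcdefghij234567.tor2web.org.",
    "broken line",
]
```

Calling `scan(SAMPLE_LOG, SEEDS)` returns three hits: the seed-derived name, the seed-derived name behind a gateway, and an unrelated onion label behind a gateway.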
Vawtrak includes multiple protection mechanisms, such as disabling antivirus software, which is why it manages to evade detection and analysis. Once a machine is compromised, the malware can steal personal data and record user activity such as screenshots, keystrokes and videos.
The operator of Vawtrak can remotely access the system via a VNC channel. The operator can also modify web sessions by injecting fake content to collect online banking passwords, as well as any other codes required for accessing those accounts.