HackRead

Hackers Hiding Vawtrak Banking Malware Command Servers in Tor

June 11th, 2015 Waqas Malware, News 0 comments

Some versions of the Vawtrak banking malware, also known as Neverquest, have been found to hide their command and control servers on the Tor anonymity network. This helps explain why the cybercriminal operation has become so difficult to detect and disrupt.

Many versions of the Vawtrak banking malware rely on hard-coded IP addresses for their command and control operations. That approach, however, makes the command infrastructure (the addresses used to deliver commands to compromised and infected machines) relatively easy to identify through threat analysis techniques.

Another technique used to improve the resiliency of Vawtrak is a domain generation algorithm (DGA), which produces a set of domain names from which the malware can receive commands.

Only a small fraction of these domains is actually registered by the cyber criminals, because Vawtrak tries each name in turn until it gets the expected response.

Fortinet’s Raul Alvarez explains how this part of the malware works. According to Alvarez, Vawtrak’s code contains multiple DWORD values, each corresponding to a different domain name.

In his blog post, Alvarez stated:

“Each DWORD value is a seed used to generate the domain name. These seeds are stored as fixed values within the malware code, thereby producing the same pseudo-randomized domain names. To generate the corresponding domain name, Vawtrak uses the seed to generate the pseudo-randomized characters of the domain name.”

However, researchers can easily recover the generated strings by reverse-engineering the algorithm, so this is not a foolproof technique.
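To show why fixed seeds make a DGA enumerable, here is an added illustration (not Vawtrak’s real algorithm and not Fortinet’s code): a seed-driven domain generator of the kind the article describes, re-implemented the way an analyst would after reversing a sample, so that every candidate domain can be pre-computed and matched against DNS logs. The LCG constants, alphabet, TLD list and seed values are all constructed for the example.

```python
# Added illustration (not Vawtrak's actual algorithm): a seed-based DGA
# re-implemented by a defender so its candidate domains can be pre-computed.
import string

ALPHABET = string.ascii_lowercase          # hypothetical character set
TLDS = ("com", "net", "org", "onion")      # hypothetical TLD list


def lcg_step(state: int) -> int:
    """One step of a 32-bit linear congruential generator (illustrative PRNG)."""
    return (1103515245 * state + 12345) & 0xFFFFFFFF


def generate_domain(seed: int) -> str:
    """Derive one domain name from a fixed DWORD seed.
    The same seed always yields the same name, which is exactly why
    hard-coded seeds let defenders pre-compute the whole list."""
    state = lcg_step(seed & 0xFFFFFFFF)
    length = 8 + (state >> 16) % 9          # 8..16 characters
    chars = []
    for _ in range(length):
        state = lcg_step(state)
        chars.append(ALPHABET[(state >> 16) % len(ALPHABET)])
    state = lcg_step(state)
    tld = TLDS[(state >> 16) % len(TLDS)]
    return "".join(chars) + "." + tld


def enumerate_candidates(seeds) -> set:
    """Expand every hard-coded seed into its domain: the defender's blocklist."""
    return {generate_domain(s) for s in seeds}


def flag_dga_lookups(dns_queries, seeds) -> list:
    """Return the queried names that match a pre-computed DGA candidate."""
    candidates = enumerate_candidates(seeds)
    return [q for q in dns_queries if q.lower().rstrip(".") in candidates]


# Constructed sample seeds, standing in for DWORDs recovered from a sample.
SEEDS = (0x1A2B3C4D, 0x0BADF00D, 0x7E57ABCD)

if __name__ == "__main__":
    for domain in sorted(enumerate_candidates(SEEDS)):
        print(domain)
```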

Newer versions of the threat rely on Tor2Web, a proxy service that lets a client reach a Tor hidden service directly, without installing any additional tools.

The strings produced by the DGA are Tor (.onion) addresses, and the author has implemented a function that routes connections to them through the Tor2Web proxy service.

It is possible to trace the user who connects to the proxy service, but the connections made from there onwards are not traceable. Tor’s traffic is encrypted and routed through several machines, none of which keeps records of the traffic, including its origin and destination. This lets users reach a server with complete anonymity.
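Because Tor2Web works by prefixing the hidden-service identifier to a public gateway domain, a defender can spot the proxied hop in ordinary web-proxy logs. The following added detection example (not from the article or Fortinet’s post) extracts the hostname from constructed Squid-style access log lines and flags any request whose host is an onion identifier in front of a gateway suffix; the gateway list is an assumption to be replaced with your own intelligence, and the pattern accepts both the 16-character addresses current in 2015 and the later 56-character form.

```python
# Added detection example: flag requests that reach a Tor hidden service
# through a Tor2Web gateway. Gateway suffixes below are illustrative only.
import re
from typing import Optional

TOR2WEB_SUFFIXES = ("tor2web.org", "onion.to", "onion.cab")  # assumption

# 16 base32 chars for the onion addresses of the article's era, 56 for later ones.
ONION_LABEL = re.compile(r"^(?:[a-z2-7]{16}|[a-z2-7]{56})$")


def tor2web_target(hostname: str) -> Optional[str]:
    """If hostname is <onion-id>.<gateway>, return the underlying .onion
    address; otherwise None (plain gateway pages such as www.<gateway> pass)."""
    host = hostname.lower().rstrip(".")
    for suffix in TOR2WEB_SUFFIXES:
        if host.endswith("." + suffix):
            label = host[: -(len(suffix) + 1)]
            if ONION_LABEL.match(label):
                return label + ".onion"
    return None


# Constructed sample log, Squid-style: "timestamp src METHOD url status"
SAMPLE_LOG = """\
1434000001 10.0.0.5 GET http://www.example.com/index.html 200
1434000002 10.0.0.7 POST http://abcdefghij234567.tor2web.org/gate.php 200
1434000003 10.0.0.7 GET http://mail.example.org/inbox 200
1434000004 10.0.0.9 GET http://abcdefghij234567.onion.to/cfg 404
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")


def find_tor2web_hits(log_text: str) -> list:
    """Return (src_ip, onion_address) for every Tor2Web-proxied request."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # skip malformed lines
        src, url = m.group(2), m.group(4)
        hostname = re.sub(r"^[a-z]+://", "", url).split("/")[0].split(":")[0]
        onion = tor2web_target(hostname)
        if onion:
            hits.append((src, onion))
    return hits


if __name__ == "__main__":
    for src, onion in find_tor2web_hits(SAMPLE_LOG):
        print(f"{src} reached hidden service {onion} via a Tor2Web gateway")
```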

Vawtrak includes multiple protection mechanisms, such as disabling antivirus software, which is how it manages to evade detection and analysis. Once a machine is compromised, the malware can steal personal data and record user activity, including screenshots, keystrokes and video.

The operator of Vawtrak can remotely access the system over a VNC channel. The operator can also modify web sessions by injecting fake content to collect online banking passwords, as well as any other codes required to access those accounts.

Source: Fortinet, http://blog.fortinet.com/post/vawtrak-uses-tor2web
