Vawtrak banking Trojan improved once again, now with SSL Pinning

Security experts from Fidelis firm spotted a new version of the Vawtrak banking Trojan that includes significant improvements such as the SSL pinning.

Malware researchers from security firm Fidelis have spotted a new strain of the infamous Vawtrak banking Trojan that leverages on a DGA mechanism to generates .ru domains with a pseudorandom number generator (PRNG) discovered in the loader.

Vawtrak, aka Neverquest, has been around for several years, it was used by criminal organizations to target online banking customers worldwide.

The new variant of the Vawtrak banking trojan includes new significant improvements such as the use of the HTTPS protocol to protect communication with the control infrastructure. The threat leverages on certificate pinning which isn’t so common for malware.

The SSL pinning provides an addition level of protection against man-in-the-middle attacks, in the specific case, the certificate pinning is implemented to avoid detection of security solutions that use their own certificates to inspect the traffic.

The new variant of the Vawtrak banking Trojan conducts some checks based on the Common Name, in this way the threat is able to establish connections only to legitimate C2 servers.

“This new Vawtrak DLL contains code for performing an HTTPS connection as well, but it also performs some checks on the certificate it receives from the C2 server. It adds up all the characters in the Common Name and then divides the byte by 0x1a and adds 0x61, which should match the first character (Figure 5). It also uses a public key from the aforementioned initial inject header to verify the signature hash that was passed in the SubjectKeyIdentifier field of the certificate.” states the blog post published by the Fidelis firm.

The threat was delivered via both mass-spam campaigns, threat actors behind it also spread the malware through exploit kits.

“Vawtrak has been a very successful banking trojan, delivered via both mass-spam campaigns as well as through exploit kits. Keeping this in consideration, it’s not surprising that new features and techniques are being introduced.” continues the blog post. “The use of DGAs and TLS is widespread across various crime families, but SSL pinning is still rare,” 

Vawtrak is an efficient banking trojan thanks to the continuous improvements, the SSL pinning recently introduced represents a novelty in the banking malware landscape.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Vawtrak banking Trojan, malware)

[adrotate banner=”5″]

[adrotate banner=”13″]