Senior AVG developer Jakub Kroustek found that this constantly evolving piece of financial malware, which uses fairly typical API hooking and injection techniques to steal login credentials, financial data and private keys and ultimately to execute transactions from compromised accounts, is anything but typical on closer examination.
In a white paper that goes into some depth on the technologies Vawtrak implements, Kroustek shows that this variant has been using steganography to hide update files in tiny 4Kb encrypted favicon graphics, which are in turn distributed over the Tor network via a proxy. This use of steganography, in which data is hidden in the least significant bits (LSBs) of an image file where the change is imperceptible, has allowed Vawtrak to embed command and control server URLs.
The use of a Tor2Web proxy enables the updater machines to be accessed without a Tor browser, and because the update list is only sent when the target computer is being used for browsing, the favicon activity is seen as normal. Of course, the communication with the remote server is also done across SSL to add another layer of encryption into the mix.
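The hiding mechanism described above, and the simplest check a defender can run against it, as an added illustration that is not from AVG's white paper or from the malware itself: a constructed 16x16 greyscale icon gets a made-up configuration string written into the least significant bit of each pixel, and an entropy measure over that LSB plane tells the plain icon and the doctored one apart. The image format, length framing, and the `example.invalid` hostname are all assumptions for the example; Vawtrak's real favicon encoding and encryption are not reproduced.

```python
"""LSB steganography in a favicon-sized image, plus an LSB-plane entropy check.

Everything here is constructed for illustration: a synthetic 16x16 greyscale
cover image and a made-up configuration string. The real favicon format,
encryption and encoding used by the malware are not reproduced.
"""
import math
from collections import Counter

WIDTH, HEIGHT = 16, 16                 # favicon-sized canvas, one greyscale byte per pixel
CAPACITY_BYTES = WIDTH * HEIGHT // 8   # 32 bytes: one payload bit per pixel


def make_cover_image():
    """Synthetic flat-shaded icon: a smooth gradient whose LSB plane is all zero,
    like the simple, low-noise artwork most site icons are made of."""
    return [(x * 8 + y * 4) & 0xFF for y in range(HEIGHT) for x in range(WIDTH)]


def embed(pixels, payload):
    """Hide `payload` (bytes) in the least-significant bit of each pixel.
    A 16-bit big-endian length prefix (assumed framing) marks where to stop."""
    if len(payload) + 2 > CAPACITY_BYTES:
        raise ValueError("payload too large for this image")
    framed = len(payload).to_bytes(2, "big") + payload
    bits = [(byte >> (7 - i)) & 1 for byte in framed for i in range(8)]
    out = list(pixels)
    for idx, bit in enumerate(bits):
        out[idx] = (out[idx] & 0xFE) | bit   # clear the LSB, then write the payload bit
    return out


def extract(pixels):
    """Read the LSB plane back and reassemble the framed payload."""
    bits = [p & 1 for p in pixels]

    def read_bytes(start_bit, count):
        chunk = bits[start_bit:start_bit + count * 8]
        return bytes(int("".join(map(str, chunk[i:i + 8])), 2)
                     for i in range(0, len(chunk), 8))

    length = int.from_bytes(read_bytes(0, 2), "big")
    return read_bytes(16, length)


def lsb_entropy(pixels):
    """Shannon entropy (bits per pixel, 0.0 to 1.0) of the LSB plane.
    A flat-coloured icon has an almost constant LSB plane; text or encrypted
    data written into it pushes the entropy towards 1.0."""
    counts = Counter(p & 1 for p in pixels)
    total = len(pixels)
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def looks_stego(pixels, threshold=0.5):
    """Flag an icon whose LSB plane carries far more information than plain artwork."""
    return lsb_entropy(pixels) > threshold


# Constructed sample: the kind of short C&C locator a config blob might carry.
SAMPLE_CONFIG = b"c2=example.invalid"   # placeholder hostname, not a real indicator

if __name__ == "__main__":
    cover = make_cover_image()
    stego = embed(cover, SAMPLE_CONFIG)
    print("recovered:", extract(stego))
    print("cover LSB entropy: %.3f  stego LSB entropy: %.3f"
          % (lsb_entropy(cover), lsb_entropy(stego)))
    print("cover flagged:", looks_stego(cover), " stego flagged:", looks_stego(stego))
```

The entropy check is only a first filter: it works well on the flat, few-colour artwork typical of site icons, but photographic or dithered images have a noisy LSB plane of their own and will trip it, and an attacker who embeds only in a fraction of the pixels, or whose payload is already encrypted, leaves a weaker signal than this toy payload. In practice the stronger indicator is the one the article points at: the favicon changing its content while the rest of the site does not, which a proxy that hashes fetched icons per host can spot.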
Kroustek reckons that this particular Vawtrak variant is remarkable as it displays numerous functions that can be executed on the target machine, including both online and local password theft, code injection into user-displayed web pages, key logging, screenshot and video capture, as well as enabling remote access via VNC and SOCKS.
"In recent years, the Tor hidden services are being increasingly misused by malware authors. They use this darknet for transmission of their data and hiding the botnet communication with command-and-control (C&C) servers. Furthermore, such hidden C&C servers are harder to take down than the regular ones," Kroustek told SCMagazineUK.com, continuing, "the main disadvantage of a direct communication with the Tor network is a need to distribute a Tor-client component along the malware."
A method to overcome this limitation was first spotted being used by the CryptoLocker ransomware, which also used the Tor2Web proxy to provide direct access to hidden .onion pages without the need for any additional installed components. Vawtrak uses this proxy to access its configuration data. "As we observed in our analysis," Kroustek goes on, "Vawtrak has evolved and it tries to stay undetected while downloading its configuration data. It uses steganography for storing these configurations deep inside of a server's web page icon (favicon). Such information is almost impossible to notice by a naked eye or network traffic analyser."
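The network side of the same technique, as an added example that is not part of the article or of either vendor's tooling: because a Tor2Web gateway exposes a hidden service as an ordinary hostname, a web proxy log still records the fetch, and the onion address survives as the leftmost label. The detector below parses constructed proxy log lines, recognises hosts of the form `<16 base32 chars>[.onion].<gateway>`, and singles out favicon fetches, the quiet fetch the article says blends in with normal browsing. The log format and the two gateway suffixes are assumptions for this example; a deployment would maintain its own gateway list.

```python
"""Spot fetches that reach hidden services through a Tor2Web-style gateway.

The log lines, the log format ("<timestamp> <client> <method> <url> <status>")
and the gateway suffix list are constructed for this example.
"""
import re
from urllib.parse import urlparse

# Assumed gateway suffixes for illustration only; maintain your own list in practice.
GATEWAY_SUFFIXES = ("onion.to", "tor2web.org")

# Gateways rewrite <onion>.onion as <onion>.<gateway> or <onion>.onion.<gateway>.
# Sixteen base32 characters is the hidden-service address length of the period.
_GATEWAY_RE = re.compile(
    r"^(?P<onion>[a-z2-7]{16})(?:\.onion)?\.(?P<gateway>"
    + "|".join(re.escape(s) for s in GATEWAY_SUFFIXES)
    + r")$"
)

# Constructed sample log: one benign favicon fetch, two gateway favicon fetches,
# one ordinary page, one gateway page fetch.
SAMPLE_LOG = """\
2015-03-23T10:01:02Z 10.0.0.5 GET https://www.example-bank.invalid/favicon.ico 200
2015-03-23T10:01:05Z 10.0.0.5 GET https://abcdefghijklmnop.onion.to/favicon.ico 200
2015-03-23T10:01:07Z 10.0.0.9 GET https://news.example.invalid/index.html 200
2015-03-23T10:02:11Z 10.0.0.5 GET https://qrstuvwxyz234567.tor2web.org/favicon.ico 200
2015-03-23T10:02:30Z 10.0.0.9 GET https://abcdefghijklmnop.onion.to/page.html 200
"""


def parse_line(line):
    """Split one log line into its fields; returns None for malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, client, method, url, status = parts
    return {"ts": ts, "client": client, "method": method, "url": url, "status": status}


def classify_host(host):
    """Return (onion_label, gateway) if the host is a gateway-proxied hidden service."""
    m = _GATEWAY_RE.match(host.lower())
    return (m.group("onion"), m.group("gateway")) if m else None


def detect(log_text):
    """One alert per request to a gateway host, marking favicon fetches separately."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        parsed = urlparse(rec["url"])
        hit = classify_host(parsed.hostname or "")
        if not hit:
            continue
        onion, gateway = hit
        alerts.append({
            "ts": rec["ts"], "client": rec["client"], "onion": onion,
            "gateway": gateway, "path": parsed.path,
            "favicon": parsed.path.lower().endswith("/favicon.ico"),
        })
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        tag = "FAVICON " if a["favicon"] else "        "
        print(f"{tag}{a['ts']} {a['client']} -> {a['onion']}.onion via {a['gateway']} {a['path']}")
```

Because the article notes the traffic runs over SSL, a proxy that does not terminate TLS sees only the CONNECT hostname and not the path; the gateway-host match still fires on that hostname, and the favicon distinction then has to come from TLS-terminating inspection or from endpoint telemetry.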
Meanwhile, James Maude, who is a security engineer at Avecto, warned SC readers that although the use of steganography is nothing new, "Vawtrak combines it with other features to create a formidable threat that is capable of remaining undetected for long periods. This layered approach makes it very difficult for traditional defences to detect malicious content entering the organisation." The fact that Vawtrak already contained functions to disable AV and other defences on the endpoint in earlier variants confirms that it is evolving. "By hiding content in images," Maude concludes, "Vawtrak seeks to bypass the network defences as well."
Jerome Segura, senior security researcher at Malwarebytes, agrees that as Vawtrak gets more sophisticated and spreads to new countries it's a sign that it's one of the top threats to be on the lookout for at the moment. "The use of encryption to transmit data coupled with steganography, a means to conceal data, is going to make it more difficult for enterprises to detect malicious activity inside their network," Segura says, adding, "security at the endpoints and user awareness remain crucial to stop this piece of malware, with particular extra vigilance needed around phishing emails containing booby-trapped documents or malicious links."
In related news, researchers at Spanish security outfit S21sec have spotted a new banking Trojan targeting Polish users. The 'Slave' Trojan uses JSON formatted webinjects rather than the more typical Zeus-like ones, which is yet more evidence that this infection sector is looking to move forward in terms of threat evolution.