{
	"id": "5f7c959e-aa67-40e5-a6b5-aa32ce3e50b7",
	"created_at": "2026-04-06T01:30:42.02694Z",
	"updated_at": "2026-04-10T03:21:02.818913Z",
	"deleted_at": null,
	"sha1_hash": "52a1d4fcb045d1b3eb509f431939603783e05deb",
	"title": "Chanitor Downloader Actively Installing Vawtrak | Zscaler",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 735109,
	"plain_text": "Chanitor Downloader Actively Installing Vawtrak | Zscaler\r\nBy ThreatLabz\r\nPublished: 2015-01-09 · Archived: 2026-04-06 00:34:47 UTC\r\nWe at ThreatLabZ are keeping an eye on a fairly active downloader called Chanitor. This malware is being\r\ndelivered via phishing emails purporting to be \"important\" documents, for example, voicemails, invoices, and\r\nfaxes; all are actually screensaver executables with the extension ‘.scr’. Another unique feature of this downloader\r\nTrojan family is the usage of tor2web.org and tor2web.ru over SSL for its Command \u0026 Control (C2)\r\ncommunication.\r\n \r\nUpon execution, Chanitor copies itself to ‘%APPDATA%\\Roaming\\Windows\\winlogin.exe’ by running the\r\nfollowing command:\r\ncmd /D /R type \"C:\\\r\n\\winlogin.exe\" \u003e ___ \u0026\u0026 move /Y ___ \"C:\\Users\\\\AppData\\Roaming\\Windows\\winlogin.exe\"\r\nIt then waits for a few seconds before deleting the original file, and executes the copy via the following command:\r\n \r\ncmd /D /R ping -n 10 localhost \u0026\u0026 del \"C:\\\r\n\" \u0026\u0026 start /B \"\" \"C:\\Users\\\\AppData\\Roaming\\Windows\\winlogin.exe\" \u0026\u0026 exit\r\n \r\nOnce the command executes, it creates a registry entry for persistence:\r\nChanitor encrypts some key components like C2 server locations that is decrypted only when used on run time.\r\nFor example, \"tor2web.org\" is decrypted using a xor loop:\r\nhttps://www.zscaler.com/blogs/research/chanitor-downloader-actively-installing-vawtrak\r\nPage 1 of 5\n\nThe next step is enumeration of functions for making outbound SSL connections and making connections to the\r\ncommand and control server. These connections are shown in the screenshot below.\r\n \r\nThe first connection (#1 above) is to retrieve the public IP of the infected host. The success or failure of this\r\nrequest isn’t checked though, so the next request happens regardless. 
This request (#2) is a beacon to the\r\ncommand and control server on TOR via tor2web.org. Chanitor uses SSL for all communication and beacons via\r\nPOST requests to /gate.php. If the request is successful, the C2 server will provide further instructions, which\r\nduring our analysis was to download an additional binary payload. The download is shown in session #3 above. Once\r\nthe download finishes, there is a subsequent beacon which presumably means success (#4). Strangely enough,\r\nthere is a failed request to tor2web.ru (#5). This domain does not exist, so the purpose of this request is unknown.\r\nThe screenshot below shows detail of the initial beacon (#2) and the server response to download a stage 2 binary:\r\nEach beacon takes the following form:\r\n{\r\n}}}\r\nIf the request to api.ipify.org is unsuccessful, the IP address will be the machine's RFC1918 address instead of a\r\npublic IP. The C2 server replies with an instruction to download a file (highlighted in red above) and the download\r\nis initiated immediately. The beacon information, with the exception of the IP address, is also stored in the\r\nregistry:\r\nAfter downloading and reporting success, the original binary will then sleep for approximately 5 minutes (there's\r\nsome variation for slightly longer and slightly shorter) before beaconing again:\r\nDownloaded Binary\r\nThe downloaded binary is a dropper Trojan and is saved as C:\\Users\\\\AppData\\Local\\Temp\\__.exe. Chanitor will\r\nrun the downloaded payload via the following command:\r\ncmd /D /R start /B \"\" \"C:\\Users\\\r\n\\AppData\\Local\\Temp\\___16AE.exe\" \u0026\u0026 exit\r\nUpon execution, the binary checks for the presence of a debugger. If no debugger is found, the binary then\r\nunpacks an embedded DLL and writes it to disk. 
This DLL is a new variant of the Vawtrak Trojan.\r\n \r\nThe DLL is registered with regsvr32.exe via the following command to ensure persistence:\r\nThe Vawtrak dropper Trojan then deletes itself from the target system. The Vawtrak dropper binary and the DLL\r\nare compressed using the aPLib v1.01 library as seen below:\r\nVawtrak, also known as NeverQuest and Snifula, is a powerful information stealing backdoor Trojan that has been\r\ngaining momentum over the past few months. It primarily targets users' bank accounts via online banking websites.\r\nIndicators of Compromise\r\nC2 Domains\r\nhttps://svcz25e3m4mwlauz.tor2web[.]org/gate.php\r\nhttps://ho7rcj6wucosa5bu.tor2web[.]org/gate.php\r\nhttps://o3qz25zwu4or5mak.tor2web[.]org/gate.php\r\nhttps://lctoszyqpr356kw4.tor2web[.]org/gate.php\r\nFile Locations\r\nC:\\Users\\\r\n\\AppData\\Roaming\\Windows\\winlogin.exe\r\nC:\\ProgramData\\TigaPjopw\\VofcOhhel.zvv -- these names appear random\r\nC:\\Users\\\r\n\\AppData\\Local\\Temp\\~004BFD62.tmp -- this name appears random\r\nC:\\Users\\\r\n\\AppData\\Local\\Temp\\___16AE.exe -- this name appears random\r\nConclusions\r\nThe samples collected date back to the beginning of October 2014 and have changed in measurable ways over the\r\npast few months. The first samples would not run on Windows 7 unless in compatibility mode, required\r\nadministrative privileges, and did not have icons that matched the purported filetype or theme, but the recent\r\nsamples have evolved to run without errors and appear to be more refined. We attempted to contact tor2web at\r\nabuse@tor2web.org\r\nand at\r\ninfo@tor2web.org\r\nand received bouncebacks followed a few days later by a delivery failure notification. 
Since the C2 servers are\r\nhosted on TOR, tracking the individuals behind this campaign may prove difficult, but blocking access to tor2web\r\nwould be effective for the time being.\r\nSource: https://www.zscaler.com/blogs/research/chanitor-downloader-actively-installing-vawtrak",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.zscaler.com/blogs/research/chanitor-downloader-actively-installing-vawtrak"
	],
	"report_names": [
		"chanitor-downloader-actively-installing-vawtrak"
	],
	"threat_actors": [],
	"ts_created_at": 1775439042,
	"ts_updated_at": 1775791262,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/52a1d4fcb045d1b3eb509f431939603783e05deb.pdf",
		"text": "https://archive.orkl.eu/52a1d4fcb045d1b3eb509f431939603783e05deb.txt",
		"img": "https://archive.orkl.eu/52a1d4fcb045d1b3eb509f431939603783e05deb.jpg"
	}
}