In the Shadows: Vawtrak Aims to Get Stealthier by adding New Data Cloaking | Proofpoint US By October 01, 2015 Darien Huss and Matthew Mesa Published: 2015-09-30 · Archived: 2026-04-05 13:08:28 UTC In what is likely to be a short-lived cessation in Dridex campaigns while the criminal proponents behind that malware scramble to find a new delivery channel, it appears as though other malware purveyors may be positioning themselves to take additional market share of the lucrative crimeware arena. One recent development saw Vawtrak, previously a second-tier banking and information stealing trojan, emerge with new capabilities -- most notably new methods for data encoding and changes to C2 communication that appear to be an attempt to improve on the malware’s detection evasion.   Part I: Attack Vectors and Infiltration Before it can leverage its new capabilities, Vawtrak must be delivered to a target. While attachment-based phishing remains a leading delivery vector, Proofpoint also observed exploit kit-based attacks (aka “drive-by downloads”) delivering this updated variant starting in late September. Attachment-Based Phishing Proofpoint observed several high volume email campaigns delivering the new Vawtrak variant.The emails claimed to have attachments that were faxes (Figure 1), subpoenas, price lists or financial reports in order to persuade the user to click on and open the attachment. The attachments contained macros from a service known as Xbagging or Bartalex1, which in turn downloaded the Pony malware dropper from a remote internet site. Pony then downloaded and executed the Vawtrak payload. https://www.proofpoint.com/us/threat-insight/post/In-The-Shadows Page 1 of 15 Figure 1. Email lure https://www.proofpoint.com/us/threat-insight/post/In-The-Shadows Page 2 of 15 Figure 2. Malicious attachment Proofpoint researchers have observed the following subjects and lures being used in the latest campaign to distribute the new variant of Vawtrak: Date Email Subject Lure Sept 17 Re: Re: defamation lawsuit Subpoena Sept 22 Re: Re: Re: Financial report Sept 23 Re: New offer Price list Sept 24 New 2 page(s) eFax from Fax Sept 28 New 3 page(s) eFax from Fax Sept 29 You have 1 new eVoice Voicemail (Callback: ) Voice message https://www.proofpoint.com/us/threat-insight/post/In-The-Shadows Page 3 of 15 Sept 30 You have 1 new eVoice Voicemail (Callback: ) Voice message Exploit Kit-Based Delivery Proofpoint researchers have also observed this Vawtrak variant distributed through the Angler exploit kit. In the example shown in Figure 3, we observed a malicious TDS which led to an instance of Angler EK downloading Bedep. Bedep then performed its usual routines (e.g., created a hidden desktop that engaged in ad-fraud via browsing and other botnet attacks), but also downloaded Vawtrak. Figure 3. Angler EK distributing Bedep -> Vawtrak Part II: Command & Control and Data Exfiltration -- Vawtrak gets an upgrade Understanding communication to C2 and malware configuration files can play an important role in organizations’ detection of malware and remediation thereof, enabling better assessment of the damage malware might have inflicted. The latest observed variant of Vawtrak has incorporated definitive changes designed to further thwart such efforts by defenders. Modified Encoding and Encryption As previous research has described2,3,4, Vawtrak has historically used an encoding method resembling a Vernam cipher to hide configuration files, suspicious strings and mask data exfiltrated to C2. In its latest incarnation, Vawtrak still uses a linear congruential generator (LCG) fed by a pseudorandom number generator (PRNG) to produce the key used to encrypt the data; however, the utilized PRNG function is now changed. The code below is a simplified version of the new PRNG algorithm written in Python: https://www.proofpoint.com/us/threat-insight/post/In-The-Shadows Page 4 of 15 def prng(seed):              return ((seed * 0x41C64E6D) + 0x3039 ) & 0xFFFFFFFF String Encoding String encoding utilizes LCG fed by the new PRNG algorithm, while the generated keys are then subtracted from each ciphertext byte to generate the plaintext string. The first DWORD in the encoded string is used as the seed, while that same value is XOR’ed against the second DWORD to calculate the size of the encoded string. The encoded string begins at the position after the second DWORD. Most suspicious strings in the unpacked Vawtrak DLL are encoded using this method. HTTP Beacons The HTTP traffic that is generated by Vawtrak to exfiltrate data to C2 is correspondingly changed, now drastically different in appearance as well as functionality. Figure 4 shows an example of the HTTP traffic generated by Vawtrak during the initial check-in with C2. Figure 4. Vawtrak HTTP C2 check-in PHPSESSID is used to transport an encoded RC4 key and additional data. The first 4-bytes of the decoded Cookie are used to RC4 encrypt the data contained in the POST’s client body. This variant of Vawtrak utilizes a binary structure for most of the data transmitted to C2, as can be seen in the decrypted network traffic in Figure 5. This same encoding method is used during the exfiltration of credentials. https://www.proofpoint.com/us/threat-insight/post/In-The-Shadows Page 5 of 15 Figure 5. Decrypted Vawtrak HTTP check-in Depending on what is being exfiltrated, LZMAT is sometimes used to compress the exfiltrated data prior to encryption. Figure 6 shows the decrypted HTTP client body during an American Express attempted login, but the data is not yet in its plaintext format as it has been compressed with LZMAT. Figure 7 illustrates the observed plaintext data after it has been decompressed using LZMAT. Figure 6. Decrypted but still compressed Vawtrak HTTP exfiltrated data Figure 7. Decompressed data from Figure 3 Config encoding This variant of Vawtrak typically receives a raw (no encoding) binary blob of data immediately after the initial check-in. This blob contains a binary structure that may contain separate segments, including but not limited to an encoded configuration, URLs for retrieving additional modules, and a URL for retrieving an updated version of itself. To decode the configuration file, Vawtrak first uses the exact same decoding method that is used to decode suspicious strings. Next, the configuration file is decompressed using LZMAT. After decompression, the configuration is contained in a binary data structure which contains several further encoded configuration segments. Figure 8 depicts the purpose of the first few bytes of this structure. https://www.proofpoint.com/us/threat-insight/post/In-The-Shadows Page 6 of 15 Figure 8. Decompressed encoded Vawtrak configuration The next and last layer of encoding that Vawtrak uses to protect its configuration is a simple substitution cipher, where the S-box is created using the same PRNG algorithm. Each individual inject, target URL, etc., is contained in its own structure and decoded separately. Storing Configuration In addition to decoding the configuration immediately upon receiving it, Vawtrak also stores the encoded configuration in the registry after adding an additional layer of encoding. First, the seed (first DWORD) is XOR’ed against the VolumeSerialNumber of the drive which contains the result from the Windows API function GetTempPath. Next, the entire encoded configuration is encoded further using the addition LCG algorithm. This value is then stored in the registry using an encoded key. We have observed this variant using the following registry keys denoting the configuration file: -”#0” -”#1” However, these keys are first encoded in a similar fashion as older variants, but are first XOR’ed against the VolumeSerialNumber. Figure 9 contains a screenshot of stored Vawtrak information, while the highlighted key contains the encoded configuration. https://www.proofpoint.com/us/threat-insight/post/In-The-Shadows Page 7 of 15 Figure 9. Vawtrak information stored in the Registry Retrieving Modules As mentioned in the previous section, when Vawtrak receives its configuration from C2 it may also receive a list of URIs that are targets to additional modules. Vawtrak spawns a new thread for each module it should retrieve. The module is first received in an encoded state, which is decoded using the same subtraction LCG algorithm described in the previous sections. The decoded module contains a RSA signature at the beginning, which is used to verify the integrity of the compressed module. In each of decompressed “modules” we have analyzed, they have all contained a x86 and x64 version of the module. Each module may then be decompressed separately depending on the architecture of the infected machine. So far we have only observed the following modules: [hxxp://185.66.10[.]57/module/9f3359a7b12ceea791a4afc21a971152 -> injecter_32.dll / injecter_64.dll] [hxxp://185.66.10[.]57/module/4c06c7a4c2bc6fb51cd998e9bbcf5846 -> dg_32.dll / dg_64.dll] [hxxp://185.66.10[.]57/module/221680f17a95443c798c701eff36cbe6 -> pony_32.dll / pony_64.dll] Retrieving Updates As previously mentioned, in addition to retrieving modules Vawtrak may also receive a URL target pointing to an “update.” The update is contained in a binary data structure similar to the modules’ structure; however, the seed is contained in the second DWORD instead of the first. A RSA signature is then contained in the next 0x80 bytes, while the encoded update is contained in the remaining bytes following the signature. The update may be decoded using the same LCG subtraction algorithm. The URLs containing updated DLLs can be found in Appendix A. https://www.proofpoint.com/us/threat-insight/post/In-The-Shadows Page 8 of 15 Web Injects and Stolen Data Vawtrak still functions similarly to previous versions regarding stealing data and web injects. In the sample’s configuration that we analyzed, several financial institutions and online services were targeted such as Amazon.com. For several of the organizations, a custom web inject was tailored to steal additional information beyond just login credentials. Victims attempting to login to Amazon were presented with the following credit card form (Figure 10) via Vawtrak’s web inject mechanism. Figure 10. Web injected fake Amazon.com credit card form Should a victim fill out this form, the credit card data along with their Amazon login credentials will be sent to the botnet operators via the method described in the HTTP Beacons section. Figure 11 shows the decrypted output that is delivered to the malware’s C2. Figure 11. Decrypted exfiltrated Amazon.com data Conclusion At least one threat actor has moved away from distributing Dyreza to instead distributing a new variant of Vawtrak that has undergone several notable changes, seemingly designed to make Vawtrak’s data transmissions stealthier. Those changes include: New PRNG algorithm for encryption key generation HTTP communication method to C2 and associated encryption for obfuscation https://www.proofpoint.com/us/threat-insight/post/In-The-Shadows Page 9 of 15 Configuration encoding Downloaded modules encoding Update modules encoding In the wake of Dridex’s disappearance, the authors of Vawtrak may be making a bid for market share. Whether they will succeed remains to be seen, but this latest offering is a sophisticated improvement and could better position them to fill the void left by Dridex and become the new leading tool in the banking trojan arena -- and as such, bears further study and monitoring from a defense perspective. Appendix A IDPS Detection ET Pro signatures: 2813059,2813060,2814111,2814112,2814150 IOCs Macro Office documents leading to Vawtrak: 26a92873992b5a674ea953131a4effc119dee0bc74da8ffa43f4d8de7df3c169 93941f506feca505510b60d3ccaea8127a6450836642e97bf936b8875777e26b 120d5320a59a86f9b3e0774609a3f0773d76a7d66689525a023bee7f8666f2eb b6441a6ea25a4ea5cb38f9f186805501379ceb132cfe8907d174e00dab8526ec 6741e88fcd83fe32a8731d0714fba500ea6a3d9735b3829d51aeb7478061d93d 7683afa68bf176249dfc61c5e3bf455dabc9d8b0696d6f8952d72ebb5500a798 78ceb2dbbd39831f84c6fe50742a778cb4610fb02c06072de02e798692279ae4 9337b6c7f6f4f300ebd11813dc6fe5a9646f394541139c96af27f45e1bb7eec2 1eaac96f675fd29b06beed67cb89d5862183659a071062ca9440c46dc69b5a58 0b9b361aaab7baa0ae49c0234d78bcb7cfbd0e529eeda1b126ef08a3b3e0ae89 2f87d666915cc345ae8ac57c5b975163828c2923cdfabc3cf436ebca50346eb0 b5681046f8a571f4fde991e349356e078498f1afb3d2a31a549df65b01ba6de7 eabbcb1af0022dbf1a0b4465e73b6c98458c3c3887b06df13c893a9413556011 606a489df381a8cc3fb43b8ca3b763c61ff91328aa39fa9be167c428d587c1bc 3ffbe191d9326f97db4ffaf6b294c166397bf1c77d28e2ab44d41fca511ce55b https://www.proofpoint.com/us/threat-insight/post/In-The-Shadows Page 10 of 15 3d1e7e54db786c6aef572d1ef57ad1c26413aacbf2fd91eb700d469c550dd4df Xbagging/Bartalex additional code downloads: [hxxp://pomona[.]pl/wp-content/plugins/wp-db-backup-made/5716367236.txt] [hxxp://funsockfriday[.]com/wp-content/cache/db/000000/all/cd0/2a7/5716367236.txt] [hxxp://pomona[.]pl/wp-content/plugins/wp-db-backup-made/pipi.txt] [hxxp://funsockfriday[.]com/wp-content/cache/db/000000/all/cd0/2a7/pipi.txt] [hxxp://admtorg[.]ru/wp-includes/js/tinymce/plugins/compat3x/css/5716367236.txt] [hxxp://ozgencfutbolokulu[.]com/wp-content/plugins/wp-db-backup-made/5716367236.txt] [hxxp://admtorg[.]ru/wp-includes/js/tinymce/plugins/compat3x/css/pipi.txt] [hxxp://ozgencfutbolokulu[.]com/wp-content/plugins/wp-db-backup-made/pipi.txt] [hxxp://unmaskedman[.]com/wp-content/themes/unmaskedman/assets/sass/layouts/pages/5716367236.txt] [hxxp://ssgc[.]co/wp-content/uploads/cache/remote/www-abc-net-au/5716367236.txt] [hxxp://unmaskedman[.]com/wp-content/themes/unmaskedman/assets/sass/layouts/pages/pipi.txt] [hxxp://ssgc[.]co/wp-content/uploads/cache/remote/www-abc-net-au/pipi.txt] [hxxp://shaliniandamar[.]com/wp-content/tfuse_bk_just-married-parent_2015-04- 20/theme_config/extensions/slider/designs/round/static/images/5716367236.txt] [hxxp://kingmanmobile[.]com/wp-content/plugins/essential-grid/admin/assets/js/mode/5716367236.txt] [hxxp://shaliniandamar[.]com/wp-content/tfuse_bk_just-married-parent_2015-04- 20/theme_config/extensions/slider/designs/round/static/images/pipi/txt] [hxxp://kingmanmobile[.]com/wp-content/plugins/essential-grid/admin/assets/js/mode/pipi.txt] [hxxp://dillardvideo[.]com/wp-admin/network/5716367236.txt] [hxxp://diputacion[.]ardinova[.]com/wp-admin/images/screenshots/5716367236.txt] [hxxp://dillardvideo[.]com/wp-admin/network/pipi.txt] [hxxp://diputacion[.]ardinova[.]com/wp-admin/images/screenshots/pipi.txt] [hxxp://diy-router[.]com/wp-includes/css/5716367236.txt] [hxxp://depositionstream[.]com/scripts/img/5716367236.txt] [hxxp://diy-router[.]com/wp-includes/css/pipi.txt] https://www.proofpoint.com/us/threat-insight/post/In-The-Shadows Page 11 of 15 [hxxp://depositionstream[.]com/scripts/img/pipi.txt] Pony downloads: [hxxp://freshbox[.]pl/przypomnienie_lss/WEFiles/Client/jQuery/Plugins/s1.exe] [hxxp://petalsbythechesapeake[.]com/wp-content/themes/x/framework/scss/site/stacks/integrity/inc/s1.exe] [hxxp://longcroftcarehome[.]com/wp-content/themes/Impreza/s1.exe] [hxxp://glovestix[.]com/wp-content/plugins/woocommerce-subscriptions/lib/action-scheduler/tests/phpunit/jobstore/s1.exe] [hxxp://datanetsolution[.]com/ujksew1/templates/s1.exe] [hxxp://dominamarketingporinternet[.]com/wp-admin/user/s1.exe] Pony hashes: 3fbffc12ddeedff72e0d73e48965a9bebabe4a527b1ebc030bbbf756ce3d3740 cbaa784cba00750ae5d46aa242fe7337022317ac3d4e02906c9068140532de00 c1afb96d2a3b436444313fde02d103ff86f9b68d7e2ca3151b64cb7caa3696cd a2ba57cec0392cbe781ed67f3ed3ec38f9aaa1e6a232536bcddba171889b9ece 6f8901cbe86e0633b75d772ac7b888d9f9fec7f0eff1c5c12adf1b1b20b86bd9 a33f5441949760569756062788077391d5a3611c6cb35a3c97ef76821261d2c8 3de2503dfdc3d108da6676565612ac8bbfc4317026fdcf99543c0de5301f4e82 Pony Gates: [hxxp://dicalburep[.]ru/gate.php] [hxxp://toldwassmause[.]ru/gate.php] [hxxp://uthatinuse[.]ru/gate.php] [hxxp://paughesdidn[.]ru/gate.php] [hxxp://rectalrenlo[.]ru/gate.php] [hxxp://ritoftwithhers[.]ru/gate.php] [hxxp://rindititred[.]ru/gate.php] [hxxp://wassfethefa[.]ru/gate.php] [hxxp://kerehiled[.]ru/gate.php] https://www.proofpoint.com/us/threat-insight/post/In-The-Shadows Page 12 of 15 [hxxp://ropaketsed[.]ru/gate.php] [hxxp://utrewserat[.]ru/gate.php] [hxxp://joorrolwas[.]ru/gate.php] [hxxp://fortthenranled[.]ru/gate.php] [hxxp://harlosion[.]ru/gate.php] [hxxp://onerophegre[.]ru/gate.php] [hxxp://duorgoho[.]ru/gate.php] [hxxp://idwigalitt[.]ru/gate.php] [hxxp://robbetotso[.]ru/gate.php] [hxxp://ledrewharte[.]ru/gate.php] [hxxp://dotindintres[.]ru/gate.php] [hxxp://tetotgane[.]ru/gate.php] Vawtrak downloads: [hxxp://oka-dentalshop[.]com/system/logs/k1.exe] [hxxp://9.rent-shops[.]ru/system/logs/k1.exe] [hxxp://hubsportsmed[.]com/system/logs/k1.exe] [hxxp://xn--80aa8argd0e[.]xn--80aswg/system/logs/k1.exe] [hxxp://www[.]brindesgama[.]com[.]br/system/logs/k1.exe] [hxxp://mysocceruniforms[.]com/system/logs/k1.exe] [hxxp://worldhealthsupply[.]com/system/logs/k1.exe] [hxxp://errors-seeds[.]cz/system/logs/k1.exe] [hxxp://bloomgifts4u[.]com/system/logs/k1.exe] [hxxp://plan[.]computer-repair[.]org[.]ua/system/logs/k1.exe] [hxxp://wildcardzwincanton[.]bricks-and-clicks[.]co[.]uk/system/logs/k1.exe] [hxxp://kosikyhana[.]sk/system/logs/k1.exe] [hxxp://electro-cablaj[.]ro/system/logs/m1.exe] https://www.proofpoint.com/us/threat-insight/post/In-The-Shadows Page 13 of 15 [hxxp://juuze[.]demowebsite[.]net/system/logs/m1.exe] [hxxp://wierdensewijnhandel[.]nl/system/logs/m1.exe] [hxxp://globalshow[.]com[.]ua/system/logs/m1.exe] [hxxp://chackochacko[.]com/system/logs/m1.exe] [hxxp://es[.]healthyliverplus[.]com/system/logs/m1.exe] [hxxp://boxx96[.]com[.]br/system/logs/m1.exe] [hxxp://store[.]lumos[.]my/system/logs/m1.exe] [hxxp://pudore[.]com[.]my/system/logs/m1.exe] Vawtrak hashes from email: a0b3bef0804ca6fb0dd7ab180f6cc38fa1ef4c247d152eaecf9081729cb2b158 afdebec93fd6e133e24809e7b476927f7403a119c428698645abd0e380048f6a 4d47396e1e9c7538c59da8b5574fb8f208154cdfc6590e33b74b7e9feada7584 d3ccde340b36b55dc2db2abc323f728a8c135b8d27ec18f2afc756675008b511 caac605b2d5dec2ec314eb0a9f9273595935791509df27f599402a92beb107b9 5B0E4024C12E21CA5F7552A555DC20499FD7A439A669C963AB5D02227CC1BE9A 2350F4617102C51542682219761E7A3E2CD6EFD7529599DBC579AC6882C0343E Vawtrak hashes from Angler EK chain: 75db66d0aaff0d6adc4bedcb652ae041071852fbb550d5c3446502de29246c3d Vawtrak c2: [hxxp://ninthclub[.]com/Work/new/index.php] [hxxp://camelcap[.]com/Work/new/index.php] [hxxp://ideagreens[.]com/Work/new/index.php] [hxxp://guesstrade[.]com/Work/new/index.php] [hxxp://castuning[.]ru/Work/new/index.php] [hxxp://mgsmedia[.]ru/Work/new/index.php] Vawtrak module downloads: https://www.proofpoint.com/us/threat-insight/post/In-The-Shadows Page 14 of 15 [hxxp://185.66.10[.]57/module/9f3359a7b12ceea791a4afc21a971152] [hxxp://185.66.10[.]57/module/4c06c7a4c2bc6fb51cd998e9bbcf5846] [hxxp://185.66.10[.]57/module/221680f17a95443c798c701eff36cbe6] Vawtrak update downloads: [hxxp://185.66.10[.]57/upd/2] [hxxp://185.66.10[.]57/upd/3] [hxxp://185.66.10[.]57/upd/4] [hxxp://185.66.10[.]57/upd/5] Vawtrak updates, decoded (respectively): 6ca5edee52615821bd25f6872b86ccb61329d047c9de8817c8fea17679076eda 592a84f6c913e8bdccabf3d4a36deb0844d037ca3aa19029755d2d658c873c04 75ff95ef4cdf7511264df09daa93f44e72acfc5084c4f058071ddd2fc8ad2d09 b7475a729083a11b8e99ae7a293807b6e35fa4c2735789847afdee97eddfb904 Analyzed Vawtrak Dropper: 7e7d0557cc95e3f509f71a72aad9b8ab85d6a681df4a46e1648e928a4be5f4be Analyzed unpacked Vawtrak x86 DLL: 1818967235b1e86f9b5e956ab55e1fb47ea44c6579c91e9a48d8bd428f14f165 References 1.https://www.proofpoint.com/sites/default/files/documents/bnt_download/pp-macroeconomics-rr.pdf 2.http://now.avg.com/wp-content/uploads/2015/03/avg_technologies_vawtrak_banking_trojan_report.pdf 3.https://www.sophos.com/en-us/medialibrary/PDFs/technical%20papers/sophos-vawtrak-international-crimeware-as-a-service-tpna.pdf 4.https://www.virusbtn.com/virusbulletin/archive/2015/01/vb201501-Vawtrak Source: https://www.proofpoint.com/us/threat-insight/post/In-The-Shadows https://www.proofpoint.com/us/threat-insight/post/In-The-Shadows Page 15 of 15