Over 13,000 Canadians affected by recent Vawtrak campaign

Mar 25, 2015 11:21 GMT

The Vawtrak banking Trojan is continually evolving, with its authors finding new ways to evade detection and changing the methods used for communication; the latest approach is to use favicons to store the updated list of command and control servers and deliver it to the infected machine.

Favicons are icons displayed in browser tabs for the loaded websites in order to make browsing more comfortable and efficient. They are small image files, approximately 4KB in size.

Update C&C servers are hidden in Tor

An analysis by AVG’s Jakub Kroustek, published on Tuesday, revealed that the operators behind one version of Vawtrak now rely on digital steganography, a method for concealing data inside images, such as text inside favicons.

The URLs of the command and control (C&C) servers are embedded in the icons’ least significant bits (LSB), without affecting the way the icons are displayed in the browser tab.

The updated list of live C&C servers reaches the victim’s computer only during browsing sessions, when the favicon carrying the extra information is retrieved, which is a normal browser activity that does not stand out.

Furthermore, Kroustek says that the update machines are located in the Tor anonymity network and are reached through a Tor2Web proxy, meaning that no special software is needed on the infected machine, and that the favicons are encrypted.

The security researcher determined that the messages are digitally signed and checked for authenticity with a public key available in Vawtrak’s binary. “Only the correctly signed messages are accepted. Vawtrak probably tries to avoid hijacking of its botnet by someone sending a fake server list,” Kroustek says in his report.
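To make the LSB mechanism concrete from an analyst's side, the following is an added Python example; it is not code from AVG's or Kroustek's report and does not reproduce the Vawtrak format. It assumes the favicon's pixel samples have already been decoded to raw bytes (a real icon would first be unpacked with an image library), that a hidden message ends with a NUL byte, and that the icon, the sample URL and the `embed_lsb` helper used to build the test data are all constructed here. It shows how to lift the LSB plane out of the samples, reassemble the hidden bytes, and score the plane as a triage signal.

```python
import math
from typing import List

def lsb_plane(pixels: bytes) -> List[int]:
    """Return the least significant bit of every pixel sample, in order."""
    return [b & 1 for b in pixels]

def bits_to_bytes(bits: List[int]) -> bytes:
    """Pack a bit list (MSB first) into bytes, dropping any trailing partial byte."""
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        byte = 0
        for bit in bits[i:i + 8]:
            byte = (byte << 1) | bit
        out.append(byte)
    return bytes(out)

def extract_lsb_payload(pixels: bytes, max_len: int = 256) -> bytes:
    """Reassemble the bytes hidden in the LSB plane.

    Assumption for this example: the message is NUL-terminated. A real
    format would carry its own length or framing, which the analyst must
    recover from the sample.
    """
    data = bits_to_bytes(lsb_plane(pixels))[:max_len]
    end = data.find(b"\x00")
    return data if end < 0 else data[:end]

def lsb_entropy(pixels: bytes) -> float:
    """Shannon entropy (in bits) of the LSB plane.

    A flat-colour icon has a near-constant LSB plane (entropy close to 0);
    embedded data pushes it toward 1. Natural images also have noisy LSBs,
    so this is a triage signal, not proof of steganography.
    """
    bits = lsb_plane(pixels)
    n = len(bits)
    if n == 0:
        return 0.0
    p1 = sum(bits) / n
    p0 = 1.0 - p1
    h = 0.0
    for p in (p0, p1):
        if p > 0:
            h -= p * math.log2(p)
    return h

def printable_ratio(data: bytes) -> float:
    """Fraction of bytes in the printable ASCII range (0x20-0x7E)."""
    if not data:
        return 0.0
    return sum(1 for b in data if 0x20 <= b <= 0x7E) / len(data)

def triage(pixels: bytes) -> dict:
    """Combine the two heuristics into one verdict for a decoded icon.

    The printable-text check only helps when the hidden message is plaintext;
    the article notes Vawtrak's favicon payloads are encrypted, so in that
    case the entropy of the LSB plane is the only one of these signals left.
    """
    payload = extract_lsb_payload(pixels)
    entropy = lsb_entropy(pixels)
    ratio = printable_ratio(payload)
    return {
        "lsb_entropy": entropy,
        "candidate_payload": payload,
        "printable_ratio": ratio,
        "suspicious": entropy > 0.5 or (len(payload) >= 8 and ratio >= 0.9),
    }

def embed_lsb(pixels: bytes, payload: bytes) -> bytes:
    """Write payload bits into the LSB of successive samples (test-data helper only)."""
    bits = [(byte >> (7 - i)) & 1 for byte in payload for i in range(8)]
    if len(bits) > len(pixels):
        raise ValueError("payload does not fit into the sample buffer")
    out = bytearray(pixels)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)

# Constructed sample: a 16x16 RGB icon of one flat colour (768 samples) and a
# placeholder URL; neither comes from the Vawtrak sample described in the article.
CLEAN_ICON = bytes([0x40, 0x80, 0xC0]) * 256
SAMPLE_URL = b"http://update-server.example/list"
STEGO_ICON = embed_lsb(CLEAN_ICON, SAMPLE_URL + b"\x00")

if __name__ == "__main__":
    print("clean :", triage(CLEAN_ICON))
    print("stego :", triage(STEGO_ICON))
```

Running the block prints one verdict for the clean icon and one for the icon carrying the hidden URL; the same two functions can be pointed at the raw samples of any favicon an analyst has extracted from a browser cache or a proxy log.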

Malware is spread through multiple malicious operations

Malicious campaigns delivering this piece of malware are frequent and telemetry data from AVG points to the Czech Republic, USA, UK, and Germany as the most affected countries since the beginning of the year.

However, security researchers from Heimdal Security have spotted an operation that started about a month ago, spreading the malware through drive-by attacks, mostly to users in Canada.

From data gathered by their systems, this campaign is responsible for about 15,000 infections, 90% of them located in Canada, based on the IP addresses.

The list of targets collected by the experts from the variant of Vawtrak analyzed included a total of 20 financial institutions (some of them major, with operations worldwide), all of them from Canada.

The security company said via email that users get infected by loading websites compromised through malicious advertisements that contain links to pages hosting the malware piece.

The sample caught by Heimdal Security is no less insidious than the one dissected by AVG, allowing the crooks to perform real-time web injections and to bypass two-factor authentication procedures.