Vawtrak Banking Malware Hides Its Servers in Tor


Some variants of the Vawtrak banking Trojan, also known as Neverquest, have been found to hide their command and control (C&C) servers in the Tor anonymity network, making the cybercriminal operation more difficult to disrupt.

Most versions of the malware rely on hard-coded IP addresses for the C&C, but this approach makes the domains used to deliver commands to the infected machine easy to discover via threat analysis techniques.

DGA is not foolproof

A different mechanism for making Vawtrak more resilient to takedown efforts involves a domain generation algorithm, which creates a set of domain names the malware contacts to receive commands.

Cybercriminals register only a small number of them because Vawtrak will check each of them until the appropriate response is received.

Raul Alvarez from Fortinet explains how the process works for this piece of malware, saying that Vawtrak’s code includes multiple DWORD values matching different domain names.


“Each DWORD value is a seed used to generate the domain name. These seeds are stored as fixed values within the malware code, thereby producing the same pseudo-randomized domain names. To generate the corresponding domain name, Vawtrak uses the seed to generate the pseudo-randomized characters of the domain name,” he says in a blog post.

However, this technique is not infallible because researchers can break the algorithm and find the strings generated.
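As an added illustration (not Vawtrak's real algorithm, which the article does not reproduce), the following Python sketch shows the shape of a seeded DGA and the defender's counter-move the article describes: once the seeds and the algorithm are known, every domain can be pre-computed and matched against DNS query logs. The seeds, the LCG constants and the log lines are constructed for this example.

```python
import re

# Illustrative seeded DGA, an assumption for this example: NOT Vawtrak's real
# algorithm, only a stand-in with the shape the article describes (fixed DWORD
# seeds, each expanded into the same pseudo-random domain on every run).
SEEDS = [0x1A2B3C4D, 0x0BADF00D, 0x7E57C0DE]   # constructed sample seeds
TLDS = ["com", "net", "org"]
DOMAIN_LEN = 12

def lcg(state):
    """32-bit linear congruential generator (Numerical Recipes constants)."""
    return (1664525 * state + 1013904223) & 0xFFFFFFFF

def domain_from_seed(seed):
    """Expand one DWORD seed into a deterministic pseudo-random domain name."""
    state = seed
    chars = []
    for _ in range(DOMAIN_LEN):
        state = lcg(state)
        chars.append(chr(ord("a") + (state >> 16) % 26))
    state = lcg(state)
    return "".join(chars) + "." + TLDS[(state >> 16) % len(TLDS)]

def generate_all(seeds=SEEDS):
    """Defender side: enumerate every domain the seeds can produce (a watchlist)."""
    return {domain_from_seed(s) for s in seeds}

# Constructed DNS query-log lines (BIND style) for the demo; {d0}/{d1} are
# filled in with two generated domains when the script runs.
DNS_LOG = """\
client 10.0.0.5#51234: query: www.example.com IN A
client 10.0.0.7#40001: query: {d0} IN A
client 10.0.0.7#40002: query: {d1} IN A
client 10.0.0.9#53011: query: mail.example.org IN MX
"""

LINE_RE = re.compile(r"client (\S+?)#\d+: query: (\S+) IN \w+")

def find_dga_queries(log_text, watchlist):
    """Return (client, domain) pairs whose queried name is on the DGA watchlist."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(2).lower() in watchlist:
            hits.append((m.group(1), m.group(2).lower()))
    return hits

if __name__ == "__main__":
    wl = generate_all()
    doms = sorted(wl)
    for client, dom in find_dga_queries(DNS_LOG.format(d0=doms[0], d1=doms[1]), wl):
        print(f"{client} queried DGA domain {dom}")
```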

Tor2Web proxy used to access hidden services

More recent variants of the threat rely on Tor2Web, a proxy that establishes a direct connection to a server in the Tor network without the need for additional tools.

The strings generated by the DGA are for locations in Tor, and the author implemented a function that passes them through the Tor2Web proxy service.

Although a user connecting to the proxy service can be traced, the connection beyond it is not. Traffic in Tor is encrypted and routed through multiple machines that do not keep records of the origin and destination. The result is access to a server whose location is shrouded in anonymity.
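An added example, not from the article or from any of the researchers it cites, showing the observable side of that first hop: the request to the Tor2Web gateway is visible in an ordinary forward-proxy log even though the hidden service behind it is not. The gateway suffix list and the log lines are assumptions constructed for this example.

```python
import re
from collections import defaultdict

# Constructed forward-proxy log lines (client, requested host, HTTP status).
PROXY_LOG = """\
10.0.0.5 www.example.com 200
10.0.0.8 abcdefghijklmnop.onion.to 200
10.0.0.8 abcdefghijklmnop.onion.cab 503
10.0.0.9 cdn.example.net 200
10.0.0.8 tor2web.org 200
10.0.0.8 abcdefghijklmnop.onion.example 200
"""

# Assumed gateway suffixes for this example; the article names none.
GATEWAY_SUFFIXES = ("onion.to", "onion.cab", "tor2web.org")
ONION_RE = re.compile(r"^[a-z2-7]{16}$")                      # v2 onion address label
GENERIC_RE = re.compile(r"^([a-z2-7]{16})\.onion\.[a-z0-9.-]+$")  # <onion>.onion.<gateway>

def classify_host(host):
    """Return (onion_address_or_None, gateway) for a Tor2Web access, else None."""
    host = host.lower().rstrip(".")
    for suffix in GATEWAY_SUFFIXES:
        if host == suffix:
            return None, suffix                   # gateway front page only
        if host.endswith("." + suffix):
            label = host[: -len(suffix) - 1]
            return (label if ONION_RE.match(label) else None), suffix
    # Unknown gateway, but the "<onion>.onion.<something>" shape still gives it away.
    m = GENERIC_RE.match(host)
    if m:
        return m.group(1), host[len(m.group(1)) + 1:]
    return None

def find_tor2web(log_text):
    """Map each client to the (onion, gateway) pairs it reached through Tor2Web."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        client, host, _status = parts
        hit = classify_host(host)
        if hit:
            onion, gw = hit
            seen[client].add((onion or "<gateway front page>", gw))
    return dict(seen)

if __name__ == "__main__":
    for client, targets in find_tor2web(PROXY_LOG).items():
        for onion, gw in sorted(targets):
            print(f"{client} reached {onion} via {gw}")
```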

Vawtrak includes multiple protection mechanisms (such as disabling antivirus solutions) that allow it to evade detection and analysis. After compromising a machine, it can pilfer credentials and record user activity (keystrokes, screenshots and video).

Its operator can access the system remotely through a VNC channel and alter web sessions by injecting fake content in order to collect passwords for online banking accounts and the additional codes needed to access them.



Locker ransomware author quickly apologizes, decrypts victims’ files


Almost as quickly as reports of new ransomware, dubbed “Locker,” prompted security experts to warn users of the threat, the author of the malware posted a message on Pastebin apologizing for the resulting scams.

Along with their apology posted on Saturday, the malware author “Poka BrightMinds” also dumped the complete database of the malware’s decryption keys, so that victims could restore their “locked” files. The author added that automatic decryption of some files would start on Tuesday at midnight, and that, as of the posting, “most of the keys weren’t even used,” but that “all distribution of new keys has been stopped.”

Details about the Locker ransomware surfaced last week, after a lengthy thread on, which discussed the malware and included screenshots of the warning messages to victims.

Symantec, which analyzed ransom payments made via Bitcoin, said that the author only made $169 from victims before closing up shop.

In Tuesday email correspondence with, security researcher Lawrence Abrams, the creator and owner of, confirmed that “the Locker developer kept their promise and decrypted everyone who was still infected for free,” that day.

Locker was previously known to run silently on victims’ computers until it was activated. At that point, the malware would employ RSA encryption to lock users’ files.

Symantec, which analyzed the ransom payments victims made via Bitcoin, said in a Tuesday blog post that the author only made $169 from victims before closing up shop, speculating that “the sudden change of heart” by the author may have been brought on for a number of reasons, such as fear that law enforcement were on their tracks, that the risk of getting caught was not worth their earnings, or that the command-and-control infrastructure for the malware itself was compromised.

Another option?

“The malware author actually regretted their actions,” Symantec added.

“Crypto ransomware malware authors have been known in the past to have a conscience, as we highlighted in an earlier blog: ‘OMG a Ransomcrypt Trojan with a Conscience!’” the blog post said.


Facebook, Twitter, Instagram, YouTube hit by Linux/Moose Malware


ESET researchers caught Linux/Moose, a malware family primarily targeting Linux-based consumer routers, but also known to infect other Linux-based embedded systems. Once infected, the compromised devices are used to steal unencrypted network traffic and offer proxying services for the botnet operator. You can read more on this phenomenon in an in-depth security research paper titled ‘Dissecting Linux/Moose’ now available on ESET Ireland’s blog.

“In practice, these malicious capabilities are used to steal HTTP cookies to perform fraudulent actions on Facebook, Twitter, Instagram, YouTube and other sites, which include generating non-legitimate follows, views and likes.”

“Linux/Moose is a novelty when you consider that most embedded threats these days are used to perform DDoS attacks,” explains Olivier Bilodeau, Malware Researcher at ESET.


What’s more, according to ESET researchers, this type of malware has the capabilities to reroute DNS traffic, which enables man-in-the-middle attacks from across the Internet. Moreover, the threat displays out-of-the-ordinary network penetration capabilities compared to other router-based malware. Moose also has DNS hijacking capabilities and will kill the processes of other malware families competing for the limited resources offered by the infected embedded system.

“Considering the rudimentary techniques Moose employs to gain access to other devices, it seems unfortunate that the security of embedded devices doesn’t seem to be taken more seriously by vendors. We hope that our efforts will help to better understand how the malicious actors are targeting their devices,” concludes Bilodeau.

ESET®, the pioneer of proactive protection and the maker of the award-winning ESET NOD32® technology, is a global provider of security solutions for businesses and consumers. For over 26 years, the Company continues to lead the industry in proactive threat detection. By obtaining the 80th VB100 award in June 2013, ESET NOD32 technology holds the record number of Virus Bulletin “VB100” Awards, and has never missed a single “In-the-Wild” worm or virus since the inception of testing in 1998. In addition, ESET NOD32 technology holds the longest consecutive string of the VB100 awards of any AV vendor. ESET has also received a number of accolades from AV-Comparatives, AV-TEST and other testing organizations and reviews. ESET NOD32® Antivirus, ESET Smart Security®, ESET Cyber Security® (solution for Mac), ESET® Mobile Security and IT Security for Business are trusted by millions of global users and are among the most recommended security solutions in the world.

The Company has global headquarters in Bratislava (Slovakia), with regional distribution centers in San Diego (U.S.), Buenos Aires (Argentina), and Singapore; with offices in Jena (Germany), Prague (Czech Republic) and Sao Paulo (Brazil). ESET has malware research centers in Bratislava, San Diego, Buenos Aires, Singapore, Prague, Košice (Slovakia), Krakow (Poland), Montreal (Canada), Moscow (Russia) and an extensive partner network for more than 180 countries. More information is available from the ESET Press Center.


Cyber Attack on IDA Server Prompts License Key Replacement


Hex-Rays, developers of IDA (Interactive Disassembler), became the target of a cyber-attack, which may have compromised the license keys issued to customers.

IDA is used for software reverse engineering purposes, and it is widely used in the security industry to get the source code of malware samples, thus revealing the functions and instructions that make the threat tick.

The product also includes debugging functionality, which often helps analysts deal with the obfuscation techniques added by malware authors in their code.


Briefly put, IDA is an essential tool in malware analysis and this is reflected not only in its list of capabilities, but also in its price. A license for the starter edition is $589 (€529), while the price for the Professional variant starts at $1,129 (€1019).

Intrusion may have occurred via the forum or blogging software

On Monday, the Hex-Rays support team sent an email notification to its customers about a recent attack that may have resulted in the compromise of some license keys along with the web forum and the quotation system.

Justin Case from Android Police took a screenshot of the letter, which added that the license keys contained customer names and email addresses.

The company did not discover any evidence that other types of information (financial data or credentials) were affected by the incident.

“Unfortunately we do not know when exactly the attack was carried out because the attacker kept low profile,” reads the email from Hex-Rays.

However, the company believes that the intrusion occurred via the forum and the blogging software, which represent the dynamic part of its web server.

Old keys replaced, customers advised to change access password

To make sure that customers do not face any trouble using IDA, the company decided to issue new license keys. The old ones have been discarded and can no longer be used to receive software updates.

As a precaution, the developer advises clients to change their passwords for the forum and the quotation system.


LOCKER MALWARE: a CryptoLocker copycat

CryptoLocker has a nasty copycat that holds victims’ files to ransom, but the newcomer’s encryption is potentially fragile, we are told.

Security startup IntelCrawler claims a “large distribution” of the new malware, called Locker, began earlier this month.

Once Locker has infected a PC, it copies and encrypts the victim’s documents, adding a “.perfect” extension, and then deletes the original data. The Trojan also drops a contact.txt file into every directory, containing the malware author’s contact details, usually a throwaway mobile phone number or an email address.

Victims are warned that if they harass or threaten the extortionist, the decryption key needed to unlock the files will be deleted, which reveals the mindset of the crooks behind the scam.

IntelCrawler contacted a crook listed in the contact file and was told that a victim would have to pay up to $150 to a Perfect Money or QIWI VISA virtual card number to receive the decryption key needed to restore the information on a Locker-infected machine.

In order to decrypt, the victim must provide an identification code written in the “contact.txt” file, as well as the hostname of the compromised computer.

“It seems the hackers simply compare the list of infected users’ IP addresses together with their hostnames,” according to IntelCrawler.

Locker is an amateur-grade effort compared with the CryptoLocker crew, which runs its scam using a network of command and control servers and a combination of 256-bit AES and 2048-bit RSA encryption to hold the data to ransom (the master key being held on the crims’ servers).

But despite its less advanced design, Locker has already managed to attack Windows computers in the US, we are told, including in Washington DC, Texas and Missouri, as well as PCs in the Netherlands, Turkey, Germany and Russia. Locker also, we are told, avoids infecting machines running tools used by security researchers, no doubt a tactic intended to keep the malware under the radar for as long as possible.

The nasty software spreads mostly through drive-by downloads from compromised websites. Executables disguised as MP3 files are another infection vector.

The Locker malware uses the TurboPower LockBox library, a cryptographic toolkit for Delphi: specifically, it uses AES-CTR to encrypt the contents of files on infected devices. But programming shortcomings apparently make it possible for researchers to develop master keys capable of decrypting the files on compromised kit. IntelCrawler researchers are working on a universal antidote.

“We have found a decryption method and universal decryption strings [keys] for any infected client,” Andrey Komarov, chief executive of IntelCrawler, told El Reg.

Komarov added that detection of the malware by antivirus packages is low, with only Avira able to detect the pathogen as of Thursday night.


International Institute of Cyber Security