Paper: Nesting doll: unwrapping Vawtrak
Posted by Virus Bulletin on Jan 20, 2015
Raul Alvarez unwraps the many layers of an increasingly prevalent banking trojan.
Banking trojans remain one of the most prevalent kinds of malware. Among them, trojans based on Zeus have long been the most widespread, but in recent months a relatively new trojan has been challenging the reign of Zeus: Vawtrak.
Also known as Neverquest or Snifula, Vawtrak initially targeted users of Japanese banking systems, but it has since broadened its scope. In a recent paper (pdf), Sophos researcher James Wyke looked at the malware's infection vector, as well as how it targets banks and other financial institutions.
Today, we publish a paper by Fortinet researcher Raul Alvarez, in which he takes a close look at the malware itself. Like a Russian Matryoshka doll, it consists of multiple layers, each layer (or doll) containing the next one, until the final layer contains a malicious DLL.
Matryoshka dolls. Source: Wikimedia Commons (CC BY-SA 3.0)
In his paper, Raul takes us through the various layers and explains how each layer contains various tricks to frustrate researchers and debuggers alike. This not only makes it an essential read for anyone studying Vawtrak, but also a good introduction to modern malware analysis, which is very much about distinguishing real from bogus instructions and avoiding traps laid out for researchers.
You can read the paper here in HTML format or here as a PDF. Remember that all content published by Virus Bulletin can be read free of charge, with no registration required.
Decryption algorithm used by Vawtrak. Only the highlighted instructions are relevant; the rest are garbage instructions.
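The task illustrated by that figure, separating the handful of instructions that actually decrypt the next layer from the garbage interleaved with them, can be partly mechanized for the simplest kinds of junk: dead stores, nop-equivalents and cancelling push/pop pairs. The Python below is an added example written for this post; it is not code from Raul's paper and it is not Vawtrak's decryption routine. The instruction listing it works on is constructed (the address 0x401000, the key 0x5a, the label and the register choices are all made up), and the live_out set passed in stands for the registers the loop reads again on its back edge.

```python
"""Backward liveness filter for a short x86 listing: keeps instructions that
have a side effect or define a value that is later read, drops the rest.
Constructed example; the listing is hypothetical and NOT Vawtrak's code."""
import re
from typing import List, Set, Tuple

GPRS = ("eax", "ebx", "ecx", "edx", "esi", "edi", "ebp", "esp")
ALIASES = {r: r for r in GPRS}
ALIASES.update({r[1:]: r for r in GPRS})              # ax, bx, ..., sp
for r in "abcd":
    ALIASES[r + "l"] = ALIASES[r + "h"] = "e" + r + "x"  # al/ah -> eax, bl/bh -> ebx, ...

ARITH = {"add", "sub", "xor", "or", "and", "inc", "dec", "shl", "shr", "rol", "ror"}
BRANCHES = {"jmp", "jz", "jnz", "je", "jne", "ja", "jb", "loop", "call", "ret"}


def parse(line: str) -> Tuple[str, List[str]]:
    mnem, _, rest = line.strip().partition(" ")
    ops = [o.strip() for o in rest.split(",")] if rest.strip() else []
    return mnem.lower(), ops


def is_reg(op: str) -> bool:
    return op.lower() in ALIASES


def regs_in(operand: str) -> Set[str]:
    """Registers named in an operand, including inside a memory expression."""
    text = re.sub(r"0x[0-9a-f]+", "", operand.lower())   # drop hex literals first
    return {ALIASES[t] for t in re.findall(r"[a-z]+", text) if t in ALIASES}


def is_nop(line: str) -> bool:
    """nop, mov r,r, xchg r,r and lea r,[r] change no register and no flag."""
    mnem, ops = parse(line)
    if mnem == "nop":
        return True
    if mnem in {"mov", "xchg"} and len(ops) == 2 and is_reg(ops[0]):
        return ops[0].lower() == ops[1].lower()
    if mnem == "lea" and len(ops) == 2 and is_reg(ops[0]):
        return ops[1].lower().strip("[]") == ops[0].lower()
    return False


def drop_push_pop_pairs(lines: List[str]) -> List[str]:
    """Remove 'push X' immediately followed by 'pop X' (a common filler)."""
    out: List[str] = []
    for line in lines:
        mnem, ops = parse(line)
        if out:
            pmnem, pops = parse(out[-1])
            if pmnem == "push" and mnem == "pop" and pops == ops:
                out.pop()
                continue
        out.append(line)
    return out


def effects(line: str) -> Tuple[Set[str], Set[str], bool]:
    """(reads, writes, must_keep); flags are modelled as one pseudo-register."""
    mnem, ops = parse(line)
    if mnem.endswith(":"):                               # label
        return set(), set(), True
    if mnem in BRANCHES:
        reads = set().union(*(regs_in(o) for o in ops))
        if mnem.startswith("j") and mnem != "jmp":
            reads.add("flags")                           # conditional jump tests flags
        return reads, set(), True
    dst = ops[0] if ops else ""
    reads = set().union(*(regs_in(o) for o in ops[1:]))
    if mnem in {"xor", "sub"} and len(ops) == 2 and is_reg(dst) and dst.lower() == ops[1].lower():
        return set(), {ALIASES[dst.lower()], "flags"}, False   # zeroing idiom reads nothing
    if mnem == "xchg":
        regs = regs_in(dst) | reads
        return regs, regs, not (is_reg(dst) and is_reg(ops[1]))  # memory xchg is a store
    if mnem in {"mov", "lea"}:
        if is_reg(dst):
            return reads, {ALIASES[dst.lower()]}, False
        return reads | regs_in(dst), set(), True         # store to memory: side effect
    if mnem in {"cmp", "test"}:
        return reads | regs_in(dst), {"flags"}, False
    if mnem in ARITH:
        if is_reg(dst):
            return reads | {ALIASES[dst.lower()]}, {ALIASES[dst.lower()], "flags"}, False
        return reads | regs_in(dst), {"flags"}, True     # read-modify-write on memory
    if mnem == "push":
        return regs_in(dst), set(), True
    if mnem == "pop":
        return set(), regs_in(dst), True
    return reads | regs_in(dst), set(), True             # unknown: keep conservatively


def filter_garbage(listing: str, live_out: Set[str]) -> List[str]:
    """Return the instructions that contribute to live_out or have side effects."""
    lines = [l.split(";")[0].strip() for l in listing.splitlines()]
    lines = drop_push_pop_pairs([l for l in lines if l and not is_nop(l)])
    live, kept = set(live_out), []
    for line in reversed(lines):                         # backward dataflow pass
        reads, writes, must_keep = effects(line)
        if must_keep or (writes & live):
            kept.append(line)
            live = (live - writes) | reads
    kept.reverse()
    return kept


# Constructed listing: a single-byte XOR loop padded with filler (hypothetical values).
LISTING = """
mov esi, 0x401000     ; pointer to the encrypted blob
mov edx, 0x1234       ; overwritten below before any read
mov ecx, 0x200        ; length in bytes
xchg eax, eax         ; nop-equivalent
mov ebx, 0x5a         ; one-byte key
add edx, 7            ; edx still never read
push edi
pop edi               ; cancels the push
mov edx, esi          ; never read afterwards
next_byte:
xor byte [esi], bl    ; the actual decryption
mov edi, ecx          ; edi never read
inc esi
sub edi, edi          ; zeroes a dead register
dec ecx
jnz next_byte
"""

if __name__ == "__main__":
    for line in filter_garbage(LISTING, live_out={"esi", "ecx", "ebx"}):
        print(line)
```

The pass treats the body as straight-line code and expresses the loop's back edge only through live_out; a real tool would iterate to a fixpoint over the control-flow graph, and it would also have to handle the opaque predicates and anti-debugging checks that the paper describes, which no dataflow filter removes on its own. Flags are lumped into a single pseudo-register, so an arithmetic instruction that sits directly in front of a conditional jump is always kept, which is the conservative choice.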
If you like this paper, be sure to read previous articles Raul wrote for Virus Bulletin, including analyses of W32/Huhk and the Neshta file infector.
Posted on 20 January 2015 by Martijn Grooten