Vawtrak DGA Round 2

Executive Summary

Vawtrak, a.k.a. Neverquest, has been a prominent trojan in the banking world and numerous researchers have reported their findings about this malware. In August 2016, we blogged about the addition of a DGA to the banking trojan known as Vawtrak. The actors behind Vawtrak reacted to this attention by adjusting their tactics — enough to warrant a change in their DGA implementation. On November 9, 2016 the Threat Research Team at Fidelis Cybersecurity noticed a Vawtrak sample that appeared to be using an updated implementation of the DGA routine.

The sample we analyzed was delivered by using Hancitor embedded in a Word Document with a recently documented technique of being loaded in memory.


Related on Threat Geek:

Fidelis Threat Advisory - Vawtrak DGA Round 2

Vawtrak C2 – Pin it

Vawtrak Trojan: Bank on it Evolving

Download Full Threat Advisory

Vawtrak DGA Round 2