Chanitor command and control server is hidden in Tor

Jan 12, 2015 15:00 GMT  ·  By

A new strain of the Vawtrak banking Trojan has been discovered by security researchers, who observed that it was delivered by malware downloader Chanitor.

Vawtrak is also known by the names Neverquest and Snifula, and its use has become more frequent in the past few months.

Vawtrak manipulates online banking sessions

Once it infects a machine, the threat injects the web browser process with a DLL that can manipulate browsing sessions to specific destinations included by the operators in the configuration file.

When victims load the page of a target in the browser, the malware injects code in real time, adding content designed to trick the user into providing sensitive information, such as banking credentials, which is sent to a remote machine controlled by the cybercriminals.

According to a December 2014 report from Sophos, fraudulent transactions are initiated through the victim’s machine. Since everything happens in front of the user, the two-factor authentication (2FA) security feature can also be bypassed, by asking the victim to provide the unlock code for accessing the bank account, just like in the case of a real online banking session.

C&C server located in TOR, communication is encrypted

Security researchers from Zscaler detected a new phishing campaign that fools the user into installing Chanitor, malicious software used to fetch and install other threats.

The emails claim to deliver important messages, such as voicemails, invoices, and faxes, but the attached file is a malicious executable (SCR).

They discovered that Chanitor deletes itself from the affected computer seconds after being downloaded, but not before copying itself to a different location.

It then executes the copy and contacts the command and control (C&C) server for instructions. Zscaler says that the downloader uses an encrypted connection to communicate with a server located in the Tor anonymity network.

“This request is a beacon to the command and control server on TOR via tor2web.org. Chanitor uses SSL for all communication and beacons via POST requests to /gate.php. If the request is successful, the C2 server will provide further instructions which during our analysis was to download additional binary payload [Vawtrak],” says John Mancuso in a blog post.

To achieve persistence on the infected machine, the malware creates a registry entry. This way, it can be deployed each time the system starts.

Chanitor received improvements

It appears that Chanitor has evolved in the past few months, as the initial samples analyzed by the researchers would function on Windows 7 only in compatibility mode and with administrator privileges. However, the newer strains have resolved these issues and run without errors.

With command and control servers hidden in Tor, taking them down is more difficult because connections in the network are anonymous and routed randomly to preserve the anonymity of its users.

On the other hand, blocking connections to Tor2Web would cut communication of the malware with its control center and render the threat harmless. Administrators seeing communication to Tor2Web with a specific frequency should investigate the matter as it could be an indicator of compromise.
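The indicator mentioned above, regularly spaced requests to Tor2Web, can be checked with a small script over proxy logs. The following is an added example, not code from the article or from Zscaler; the log format, client addresses and the tor2web.org subdomain are constructed for the demo, and the jitter threshold is an assumed tuning value.

```python
# Added example (not from the article): flag clients whose requests to
# tor2web.org recur at near-constant intervals, as a C2 beacon would.
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log lines: "<ISO timestamp> <client> <method> <URL>".
# The article describes the Chanitor beacon as a POST to /gate.php; the
# tor2web host itself is what the article says administrators should watch.
SAMPLE_LOG = """\
2015-01-12T10:00:00 10.0.0.5 POST https://exampleonion.tor2web.org/gate.php
2015-01-12T10:05:01 10.0.0.5 POST https://exampleonion.tor2web.org/gate.php
2015-01-12T10:10:00 10.0.0.5 POST https://exampleonion.tor2web.org/gate.php
2015-01-12T10:14:59 10.0.0.5 POST https://exampleonion.tor2web.org/gate.php
2015-01-12T10:03:12 10.0.0.7 GET https://www.example.com/index.html
2015-01-12T10:03:40 10.0.0.7 GET https://tor2web.org/
2015-01-12T11:21:05 10.0.0.7 GET https://www.example.org/news
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")
# Matches tor2web.org and any <onion>.tor2web.org subdomain.
TOR2WEB_RE = re.compile(r"^https?://(?:[^/]+\.)?tor2web\.org/", re.IGNORECASE)


def parse_log(text):
    """Yield (timestamp, client, method, url) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, client, method, url = m.groups()
            yield datetime.fromisoformat(ts), client, method, url


def find_tor2web_beacons(text, min_hits=3, max_jitter=0.2):
    """Return {client: (hit_count, mean_interval_seconds)} for clients whose
    tor2web requests are spaced regularly: coefficient of variation of the
    gaps below max_jitter (an assumed threshold) and at least min_hits hits."""
    per_client = defaultdict(list)
    for ts, client, _method, url in parse_log(text):
        if TOR2WEB_RE.match(url):
            per_client[client].append(ts)
    beacons = {}
    for client, times in per_client.items():
        if len(times) < min_hits:
            continue  # a single visit to tor2web is not a beacon pattern
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg < max_jitter:
            beacons[client] = (len(times), round(avg))
    return beacons


if __name__ == "__main__":
    for client, (hits, period) in find_tor2web_beacons(SAMPLE_LOG).items():
        print(f"{client}: {hits} tor2web requests, about {period}s apart")
```

In the constructed sample only 10.0.0.5 is reported (four hits roughly 300 seconds apart); the single tor2web visit from 10.0.0.7 is ignored.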

Images (3): Chanitor downloads Vawtrak. Captions: malicious binary enters sleep for a short period of time; Chanitor encrypts key components, such as the tor2web destination; server response for the malicious binary download request.