Banking Trojans with account commandeering capabilities are dangerous enough on their own, but two major changes made to one Trojan's code makeup have increased its persistence and risk to potential victims.

Recent findings from researcher/author King Salemno of the Charleston, S.C.-based cybersecurity firm PhishLabs focused on Vawtrak/Neverquest2, which now uses a domain generation algorithm to identify its command-and-control server.

"It is a sophisticated, modern banking Trojan with advanced account hijacking capabilities," Salemno said.

Banking Trojans have been infamously hard to eradicate, and many security technologies fall short at detecting them and preventing the damage they cause.

"Vawtrak/Neverquest2 is a very active banking Trojan targeting U.S. financial institutions," Salemno explained. "It is developed and managed by a very capable and experienced cybercrime crew with in-depth knowledge of how banking technology operates."

The crew behind it sells access to Vawtrak as a cybercrime-as-a-service platform to other cybercriminals, who then use it to target specific financial institutions.

At the end of July, the PhishLabs Research, Analysis and Intelligence Division found two major changes in the Vawtrak (aka Neverquest2) codebase. PhishLabs discovered that the newest iteration of Vawtrak now uses a domain generation algorithm to identify its command-and-control server. Using an algorithm instead of a hardcoded domain renders automated attempts at mitigation inadequate.

Additionally, this new DGA implementation is bundled inside a codebase that appears smaller and more efficient, possibly because of compiler optimization. This optimization prevents malware researchers from using their pre-established Vawtrak analysis techniques during the reversing process to assist with the mitigation of the threat.


"This recent change shows an adaptation to combat security researchers' attempts to disrupt their campaigns," Salemno said. "This shift is highly likely to increase the damage in which the gang that runs Vawtrak is able to perform."

Vawtrak's DGA uses an embedded formula. The infected computer works through the generated domain list looking for a server that is still operational and responsive. This makes finding the malicious servers that collect the exfiltrated data much more difficult. Basic analysis tools such as intrusion detection systems, next-generation firewalls and sandboxes can only blacklist the domains that happen to be active at the time the sample is executed during analysis, PhishLabs pointed out. Without knowing the domain in advance, it is impossible to either bring the server down or block communication with it.

The danger of the DGA, according to Salemno, is that it makes it significantly more difficult for the good guys (the financial institutions and vendors they rely on for protection) to find and shut down the malicious servers used to control the PCs infected with Vawtrak, which steals credentials. The longer it takes to shut those servers down, the more credentials it collects.

"This means more accounts are compromised, which results in greater fraud losses. By reverse engineering the DGA (as PhishLabs has done), the domains can be readily determined and mitigated to prevent fraud losses," Salemno stated.
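The defensive workflow PhishLabs describes above (reverse engineer the generator, precompute the domains it will produce, then block them and watch for hosts that query them) can be illustrated with a small script. This is an added example, not PhishLabs' code, and the generator below is a constructed, date-seeded stand-in: the article does not publish Vawtrak's actual algorithm, seed or TLD set, so those are placeholders.

```python
import hashlib
from datetime import date, timedelta

# Placeholder TLD set for the stand-in generator (not Vawtrak's).
TLDS = ("com", "net", "org")


def hypothetical_dga(seed: str, day: date, count: int = 10) -> list:
    """Stand-in DGA: derive `count` deterministic domains from a seed and a date.
    Any analyst who recovers the seed and formula can run this ahead of time."""
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{seed}:{day.isoformat()}:{i}".encode()).hexdigest()
        domains.append(f"{digest[:12]}.{TLDS[i % len(TLDS)]}")
    return domains


def precompute_blocklist(seed: str, start: date, days: int) -> set:
    """Precompute every domain the generator will emit over a window of days,
    so they can be blocked or sinkholed before the malware rotates to them."""
    block = set()
    for offset in range(days):
        block.update(hypothetical_dga(seed, start + timedelta(days=offset)))
    return block


def find_dga_lookups(dns_log_lines, blocklist: set) -> list:
    """Return (client, qname) for DNS queries whose name is in the precomputed set.
    Expected log format (constructed): '<timestamp> <client> <qtype> <qname>'."""
    hits = []
    for line in dns_log_lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # skip malformed lines rather than crashing on them
        _ts, client, _qtype, qname = parts[:4]
        qname = qname.rstrip(".").lower()  # normalise trailing dot and case
        if qname in blocklist:
            hits.append((client, qname))
    return hits


SEED = "constructed-campaign-seed"  # placeholder, not a real Vawtrak value
START = date(2016, 8, 1)
BLOCKLIST = precompute_blocklist(SEED, START, 7)  # one week of domains

# Constructed DNS query log: two lines resolve generated domains, two are benign.
SAMPLE_LOG = [
    f"2016-08-02T10:00:01 10.0.0.5 A {hypothetical_dga(SEED, date(2016, 8, 2))[0]}.",
    "2016-08-02T10:00:02 10.0.0.5 A www.example.com.",
    f"2016-08-03T11:30:00 10.0.0.9 A {hypothetical_dga(SEED, date(2016, 8, 3))[4]}",
    "2016-08-03T11:30:05 10.0.0.7 A mail.example.org.",
]
```

Running `find_dga_lookups(SAMPLE_LOG, BLOCKLIST)` flags 10.0.0.5 and 10.0.0.9 as hosts that queried generated domains, which is exactly the signal a DGA-aware blocklist gives that a static domain blacklist cannot.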

Salemno recommended, "Financial institutions should be monitoring significant banking Trojans like Vawtrak/Neverquest2 to stay abreast of their activities and take proactive measures to better detect if/when their accountholders are being targeted."

PhishLabs has partnered with a number of organizations, such as anti-spam companies, security vendors, web hosting companies and others that provide the cybersecurity firm with unique sets of data. PhishLabs sifts through millions of suspicious URLs and email messages from these data sources to find live attacks. 



© 2025 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.

Roy Urrico

Roy W. Urrico specializes in articles about financial technology and services for Credit Union Times, as well as ghostwriting, copywriting, and case studies. He is also the writer/editor of a semi-annual newsletter for the Association for Financial Technology since 1997 and of history projects funded by the U.S. Interior Department, the National Park Service and Warren County (N.Y.).