[sysopfb]

d0057f9faf043d1da2e9543b9f491a87c49299a1a4d1652159662278af4cdd0e
Active. US banks after you decrypt the config

[sicher]

Thanks sysopfb!

Did someone ever see this pattern with Vawtrak? (The placeholders are made up and B is size in Bytes):

/channel/{a(2B)}/{b(8B)}/{c(8B)}?id={d(16B)}

[Codehook]

I've been seeing this sort of pattern in the last few days:

Code: Select all

/data/[0-9]{2}\.php\?i=[0-9]{8}&data=[a-z0-9]{8}&hash=[0-9]{4}

[frishrash]

Analysis of this variant: http://securityintelligence.com/new-nev ... n-the-wild

[sysopfb]

It's back... project 100. Not much appears to of changed, the traffic encoding and config encoding are all the same.

Delivered by Neutrino EK

C2 list:

Code: Select all

gufeef.com
hoohunie.com
tinoofeise.com
nehoom.com

Backconnect:

Code: Select all

91.220.131.66:8080

[sicher]

Thanks sysopfb. Seems like the backconnect backend still up. Too bad there was no leak of the backconnect backend till now.

[sysopfb]

New vawtrak loader, uses similar encoding routines as previous vawtrak but the LCG algorithm for psuedo random numbers is BSD(http://rosettacode.org/wiki/Linear_cong ... _generator) and instead of XORing the bytes it subtracts them.
Sample and decoded+decompressed modules are in attachment.

[sicher]

Thanks again sysopfb. The LCG before was just a form of rand() from VistualStudio using the seed in first 4 bytes, right? I wonder if they support both encoding forms now for the of migration.

[sysopfb]

Yeah usually the first 4 bytes are the seed although now there's extra data at the beginning of the config portion.

Proofpoint did a decent writeup on the majority of the encodings already.
https://www.proofpoint.com/us/threat-in ... he-Shadows

[sicher]

Ah right, I also just saw Mathews twitter post regarding this today.