Photo via CarbonNYC [in SF!]/Flickr (CC BY 2.0)

Bank thieves are using Tor to hide their malware

The harder it is to find, the harder it is to stop.


Patrick Howell O'Neill

Internet Culture

Posted on Jun 9, 2015 | Updated on May 28, 2021, 3:23 pm CDT

Popular banking malware Vawtrak, which steals a victim’s banking credentials, is now using the Tor anonymizing network in an attempt to stay hidden.

Researchers at Fortinet say the malware, also known as Neverquest, is using Tor2Web, which allows users without a Tor client to access Tor hidden services.

Through Tor2Web, the malware is able to stay in contact with the command-and-control servers it needs to function. Normally, a fairly straightforward bit of code points directly at those servers. The latest evolution of Vawtrak instead routes that traffic through Tor2Web to hidden services.
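As an added defender's example, not code from the article or from Fortinet's analysis, the checker below scans proxy-log lines for the pattern just described: requests whose hostname is a Tor hidden service reached through a Tor2Web gateway. The gateway suffix list, the log format and the log lines are constructed assumptions for this example; keep the suffix list current from your own threat intelligence.

```python
import re
from urllib.parse import urlsplit

# Assumed Tor2Web gateway domains for this example; maintain from your own intel feeds.
TOR2WEB_SUFFIXES = ("tor2web.org", "onion.to", "onion.cab", "onion.link")

# Hidden-service addresses of the era were 16 base32 characters before ".onion".
ONION_LABEL = re.compile(r"^[a-z2-7]{16}$")


def classify_host(host):
    """Classify a destination hostname.

    Returns ("tor2web", "<name>.onion") when a hidden service is reached via a
    gateway, ("tor2web_gateway", None) for any other contact with a gateway,
    ("direct_onion", host) for a bare .onion name, or None for ordinary hosts.
    """
    host = host.lower().rstrip(".")
    for suffix in TOR2WEB_SUFFIXES:
        if host == suffix or host.endswith("." + suffix):
            # Labels in front of the gateway suffix, e.g. "abcdefghijklmnop"
            labels = host[: -len(suffix)].rstrip(".").split(".")
            if labels and ONION_LABEL.match(labels[-1]):
                return ("tor2web", labels[-1] + ".onion")
            return ("tor2web_gateway", None)
    if host.endswith(".onion"):
        return ("direct_onion", host)
    return None


def scan_proxy_log(lines):
    """Return (client, url, verdict) for lines touching Tor2Web or .onion hosts.

    Assumed line format: "<client-ip> <method> <url>".
    """
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # constructed format only; skip malformed lines
        client, url = parts[0], parts[2]
        verdict = classify_host(urlsplit(url).hostname or "")
        if verdict:
            hits.append((client, url, verdict))
    return hits


# Constructed sample proxy-log lines (not real traffic).
SAMPLE_LOG = [
    "10.0.0.5 GET http://www.example.com/index.html",
    "10.0.0.7 POST http://abcdefghijklmnop.tor2web.org/gate.php",
    "10.0.0.7 POST https://q2w3e4r5t6y7u7i5.onion.to/upload",
    "10.0.0.9 GET http://help.onion.to/",
]
```

Run `scan_proxy_log(SAMPLE_LOG)` to see the two hidden-service contacts and one plain gateway contact flagged; in production, feed it your proxy or DNS logs and alert on the first two verdicts.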

“For malware such as Vawtrak, using Tor2Web makes it much more challenging to shut down its servers hidden in the Dark Web,” researcher Raul Alvarez wrote. “The command-and-control servers hidden on the Tor network are harder to track down than those just lying in somebody’s basement. If you know where to look, though, tracking and hunting these servers is hard, but possible.”

Vawtrak is far from the first malware to make use of the anonymity network. Most famously, in 2013, a botnet boasting millions of enslaved computers appeared on Tor.

Although Tor is perhaps most famous in the media for the criminals that use it, its users include police, military, businesses, and normal privacy-savvy users. Activists around the world use it to circumvent censorship in countries like China and Iran.

That’s the paradox of anonymity: Either anyone can use it or no one can, so both good and bad actors appear. It’s important to keep all facets of Tor in mind when you consider something like Vawtrak.

H/T ThreatPost

First Published: Jun 9, 2015, 5:21 pm CDT