Vadokrist

Latin America continues to be a preferred ground for the deployment of banking Trojans. One such threat, active since at least 2018 and still under active development, is Vadokrist. Researchers who analyzed the Vadokrist code found that it shares multiple features with several other banking Trojan families from the region, mainly Mekotio, Casbaneiro, Grandoreiro and Amavaldo. Still, several characteristics set Vadokrist apart from the rest.

The first peculiar aspect of the threat is the substantial amount of unused code included in its binaries. The most likely goal is to lower the odds of detection while lengthening the time needed to analyze the code properly. Earlier Vadokrist versions stored strings in a single string table, much like Casbaneiro, but more recent variants include multiple string tables, each serving a different purpose.

The second major deviation is in its data harvesting routine. Most Latin American banking Trojans collect various information about their victims, such as the computer name and Windows version, as soon as they are first executed. Vadokrist collects a smaller subset of data, only the victim's username, and it does so only at the moment an attack against a financial institution is initiated rather than at first execution.

The backdoor capabilities of Vadokrist are par for the course. The threat can manipulate the mouse and simulate keyboard input, run a keylogger routine, take arbitrary screenshots and reboot the infected system. It also has a rather heavy-handed way of preventing users from accessing certain websites: it simply kills the web browser process. For persistence it either creates a Run registry key or drops an LNK file into the Startup folder.

Attack Vector

Vadokrist is propagated through spam email campaigns. Victims receive lure emails carrying malicious ZIP archive attachments that contain an MSI installer and a CAB archive. The attack chain skips the separate downloader stage, since Vadokrist itself is delivered by the email directly.

When the user runs the MSI installer, it locates the CAB archive, extracts its contents to disk and then executes an embedded JavaScript file that establishes the persistence mechanism. The script restarts the compromised system and, on the next boot, proceeds to execute the Vadokrist malware itself.

The JavaScript file uses a novel obfuscation method: it abuses the way the comma operator works in JavaScript, chaining many expressions into a single statement, which significantly reduces readability and hinders emulation. Operations using the logical AND operator are obfuscated with a similar technique.
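To illustrate the pattern described above, the following is an added JavaScript example written for this page; it is not taken from the Vadokrist script, and the routine, identifiers and sample path values are constructed. It shows a small readable routine next to the same logic collapsed into one comma expression, with `cond && expr` standing in for an `if` branch, plus a helper an analyst can use to split such a chain back into one statement per line.

```javascript
// Added example for this page (not Vadokrist code): comma-operator and
// logical-AND obfuscation, with a helper that re-expands a comma chain.
// The routine, identifiers and sample values below are constructed.

// Readable form: assemble a path from a few constructed fields, with one
// conditional step, and return the intermediate values.
function stageReadable(parts) {
  const dir = parts.base + "\\" + parts.sub;
  let name = parts.file;
  if (parts.upper) {
    name = name.toUpperCase();
  }
  const full = dir + "\\" + name;
  return { dir: dir, name: name, full: full };
}

// Obfuscated form: identical logic as a single comma expression. The comma
// operator evaluates each operand left to right and yields only the last one,
// so assignments, calls and the final result collapse into one statement.
// `p.upper && (...)` runs the parenthesised assignment only when p.upper is
// truthy, replacing the visible `if` branch above.
function stageObfuscated(p) {
  var a, b, c;
  return (a = p.base + "\\" + p.sub,
          b = p.file,
          p.upper && (b = b.toUpperCase()),
          c = a + "\\" + b,
          { dir: a, name: b, full: c });
}

// Analyst helper: split the source text of a comma expression at top-level
// commas only, ignoring commas nested inside (), [], {} or string literals,
// so each operand can be written out as its own statement.
function splitTopLevelCommas(src) {
  const operands = [];
  let depth = 0;
  let quote = null;   // quote character of the string literal being scanned
  let current = "";
  for (let i = 0; i < src.length; i++) {
    const ch = src[i];
    if (quote !== null) {
      current += ch;
      if (ch === "\\" && i + 1 < src.length) {
        current += src[++i];        // keep the escaped character verbatim
      } else if (ch === quote) {
        quote = null;
      }
      continue;
    }
    if (ch === '"' || ch === "'" || ch === "`") {
      quote = ch;
      current += ch;
      continue;
    }
    if ("([{".includes(ch)) depth++;
    if (")]}".includes(ch)) depth--;
    if (ch === "," && depth === 0) {
      operands.push(current.trim());
      current = "";
      continue;
    }
    current += ch;
  }
  if (current.trim() !== "") operands.push(current.trim());
  return operands;
}

// Rewrite a comma chain as one statement per line.
function expandCommaChain(src) {
  return splitTopLevelCommas(src).map((s) => s + ";").join("\n");
}

// Constructed sample: the body of stageObfuscated's return expression as text,
// the kind of string an analyst would paste out of a beautified script.
const SAMPLE_CHAIN =
  'a = p.base + "\\\\" + p.sub, b = p.file, p.upper && (b = b.toUpperCase()), ' +
  'c = a + "\\\\" + b, { dir: a, name: b, full: c }';

const sampleParts = { base: "C:\\Users", sub: "Public", file: "stage.js", upper: true };
console.log(stageReadable(sampleParts).full === stageObfuscated(sampleParts).full);
console.log(expandCommaChain(SAMPLE_CHAIN));
```

The splitter is a lexical aid only: it does not understand regex literals, template expressions or comments, so for a real sample the same expansion is better done on an AST with a JavaScript parser. It is still enough to turn a one-line comma chain back into a sequence of statements where the `&&`-guarded steps stand out as the former branches.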
