Banking malware Vawtrak, also known as Neverquest, is now using Tor2Web to effectively steal banking credentials and stay hidden from researchers or anyone else trying to track down the malware's perpetrators.
Vawtrak's code has DWORD values written in that correspond to domain name. Each DWORD value is a seed used to generate the domain name, Fortinet wrote on its blog. Those seeds are kept as fixed values within the code, which produce the same pseudo-randomized domain names.
Although the malware has typically used fixed Command and Control servers in its variants, it now uses Tor2Web, as well. Tor2Web allows users to access Tor services without directly connecting to the network or using the Tor client.
The malware's actions are still traceable, but much harder to track, Fortinet wrote.