Developer Jakub Kroustek has found new features in the dangerous Vawtrak malware that allow it to send and receive data through encrypted favicons distributed over the Tor network.
He says Vawtrak uses the Tor2Web proxy to receive updates from its criminal developers.
"Of particular interest from a security standpoint is that by using Tor2web proxy, it can access update servers that are hosted on the Tor hidden web services without installing specialist software such as Torbrowser," Kroustek says.
"Moreover, the communication with the remote server is done over SSL, which adds further encryption."
Kroustek says the latest Vawtrak sample uses steganography to conceal update files within favicons, the small images used to add colour to website bookmarks and browser tabs, in a novel trick that helps conceal the malicious downloads.
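As an added defensive example (not code from the article, AVG or Kroustek), the heuristics below scan constructed proxy log lines for the pattern described above: favicon (.ico) downloads routed through a Tor2web gateway, and favicons far larger than a browser icon should be. It assumes a TLS-inspecting proxy (or plain HTTP) so URLs are logged; the gateway suffix list, size threshold and log format are assumptions to tune for a real environment.

```python
"""Heuristic scan of proxy logs for Vawtrak-style favicon update fetches.
Added example, not code from the article or AVG. Assumes a TLS-inspecting proxy
(or plain HTTP) so URLs are visible; gateway suffixes, size threshold and the
sample log lines are all constructed."""
import re

# Assumed suffixes of public Tor2web gateways; tune for your environment.
TOR2WEB_SUFFIXES = (".onion.to", ".onion.cab", ".onion.link", ".tor2web.org")
# A real favicon is a few KB; one carrying a hidden update file tends to be far larger.
FAVICON_MAX_BYTES = 16 * 1024
# Log format (constructed): timestamp client method url status bytes
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) [A-Z]+ (?P<url>\S+) \d{3} (?P<bytes>\d+)$")
HOST_RE = re.compile(r"^(?:https?://)?([^/:?]+)")

def analyse(line):
    """Return (ts, src, url, reasons) for a suspicious favicon fetch, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None  # malformed line: skip rather than abort the whole scan
    url, size = m["url"], int(m["bytes"])
    if not url.lower().split("?", 1)[0].endswith(".ico"):
        return None  # only favicon fetches are of interest here
    h = HOST_RE.match(url)
    host = h.group(1).lower() if h else ""
    reasons = []
    if any(host.endswith(s) for s in TOR2WEB_SUFFIXES):
        reasons.append("favicon fetched through a Tor2web gateway")
    if size > FAVICON_MAX_BYTES:
        reasons.append(f"favicon unusually large ({size} bytes)")
    return (m["ts"], m["src"], url, tuple(reasons)) if reasons else None

def scan(lines):
    """Run analyse() over every log line and keep the hits."""
    return [hit for hit in map(analyse, lines) if hit is not None]

# Constructed sample log: one benign favicon, one Tor2web favicon that is also
# oversized, one oversized favicon on an ordinary CDN, one non-favicon request.
SAMPLE_LOG = [
    "2015-03-25T10:01:02Z 10.0.0.12 GET https://www.example.com/favicon.ico 200 1150",
    "2015-03-25T10:01:05Z 10.0.0.12 GET https://abcdefghijklmnop.onion.to/favicon.ico 200 94213",
    "2015-03-25T10:02:10Z 10.0.0.17 GET https://cdn.example.net/assets/favicon.ico?v=3 200 52000",
    "2015-03-25T10:03:00Z 10.0.0.17 GET https://cdn.example.net/index.html 200 52000",
]

if __name__ == "__main__":
    for ts, src, url, reasons in scan(SAMPLE_LOG):
        print(ts, src, url, "; ".join(reasons))
```

The size check alone will flag legitimate high-resolution icons, so treat it as a triage signal to be combined with the gateway match or with the favicon's content type and entropy rather than as a verdict on its own.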
Vawtrak is infecting banking, gaming and social network users mainly across the United Kingdom, the United States, and Germany. Users in Australia, New Zealand, and across Europe are also affected, albeit to a lesser extent.
It is, says Kroustek, capable of defeating antivirus platforms including AVG through the use of Software Restriction Policies, a feat first revealed in a November analysis by rival firm Sophos.
The British antivirus firm, in its own report (pdf) on the attack, detailed browser password-stealing features which continue to be used in the latest iteration. Infection occurs through vectors including the Pony loader and the infamous Angler exploit kit.
The silver lining to the attack, Kroustek says, is that the malware is so aggressive compared to rival wares that it can destabilise infected systems, making it easier to detect.
Kroustek says users should exercise security due diligence and stay away from phishing scams and (unsurprisingly) run antivirus.