Developers behind the banking Trojan Vawtrak have begun obscuring some of their servers with Tor2Web, a move that s added another degree of difficulty when it comes to uncovering their activity. The malware, which also goes by the name Neverquest, has a handful of DWORD values which correspond to domain names. It uses the values to generate randomized domain names, which ultimately wind up linking back to tor2web.org strings. The technique bucks the usual trend of using fixed command and control servers in its variants.
Source: https://threatpost.com/banking-malware-vawtrak-spotted-using-tor2web/113225/