Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

‘Vawtrak’ Banking Malware Continues to Evolve

Security experts say that a new version of the increasingly notorious Vawtrak malware has been spotted with significant code and configuration changes.

Security experts say that a new version of the increasingly notorious Vawtrak malware has been spotted with significant code and configuration changes.

Also known as NeverQuest and Snifula, Vawtrak injects a DLL into browser processes. When the targeted URLs are visited by an infected user, the malware inserts extra code into the web page. That extra code is used for a number of reasons, including bypassing two-factor authentication, a new paper from Sophos notes.

“The updates are mostly about disguising where the malware connects when it “calls home” to fetch its instructions on what to do next,” blogged Sophos James Wyke. “Additionally, the way that Vawtrak communicates with its so-called command-and-control (C&C) servers has been adapted so that the malware’s traffic looks less suspicious. We have also observed new configuration files being deployed, and an interesting trend in the commands sent back by the C&C servers when an infected computer first checks in.”

More specifically, the updates included how the list of command and control server addresses are stored inside the Vawtrak program file. In addition, the malware makes heavy use of pseudorandom numbers produced by a Linear Congruential Generator (LCG) algorithm that scrambles the data it contains.

“Vawtrak also waits for a browser process to be launched before making any outbound C&C requests, so that it never generates traffic when you wouldn’t expect it,” Wyke blogged.

Advertisement. Scroll to continue reading.

Targets of the malware have included customers of banks all around the world, including the U.S., Poland and Germany. According to Sophos, Vawtrak was the second-most popular malware distributed by Web-based exploit kits during September and November.

Don Jackson, director of threat intelligence at PhishLabs, blogged that the attackers appear to be responding to the attention they are getting from malware analysts and investigators by adopting modern anti-analysis tactics such as virtual machine detection and anti-debugging methods designed to frustrate forensic analysis.

“Vawtrak targets banks in a wide range of different countries, including some that are highly unusual to see banking malware target, and also targets companies from other industries that are off the radar of typical banking malware families,” according to Sophos report. “Combined with the use of specific campaign IDs, it’s evident that the Vawtrak operators are setting up the botnet to deliver Crimeware-as-a-Service, rather than following a more traditional kit-selling model that older families such as Zeus or SpyEye once employed.”

“This model allows specialization,” the report continues. “Aspects of the operation can be divided into distinct areas that expert members of the team can work on independently. For example, German language web injects can be handled by German speaking team members, code that is designed to bypass two-factor authentication can be written by a different team than more simple code that asks for extra information not normally required, and the stolen data can be similarly divided.”

Written By

Marketing professional with a background in journalism and a focus on IT security.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Cyberwarfare

An engineer recruited by intelligence services reportedly used a water pump to deliver Stuxnet, which reportedly cost $1-2 billion to develop.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Malware & Threats

Apple’s cat-and-mouse struggles with zero-day exploits on its flagship iOS platform is showing no signs of slowing down.

Cybercrime

No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.