Canadian Users Targeted With Vawtrak Banking Trojan

Cybercriminals have been using the Vawtrak Trojan in an ongoing campaign targeted at Canadian online banking users, Denmark-based Heimdal Security reported on Tuesday.

According to researchers, malicious actors have been targeting the customers of 15 Canadian financial institutions, including the Vancouver City Savings Credit Union (Vancity), Tangerine Bank, Royal Bank of Canada, Bank of Montreal (BMO), Desjardins, and TD Canada Trust.

Vawtrak uses Zeus-style web injects, which alter the banking pages rendered in the victim's browser, to trick victims into handing over personal and financial information. The web injection process also enables the attackers to get past security measures such as two-factor authentication.

Furthermore, the use of virtual network computing (VNC) enables cybercrooks to perform unauthorized actions on the targeted account directly from the victim’s computer, which makes it less likely for the bank’s security systems to detect any suspicious activity, Heimdal Security said in a blog post.

Vawtrak, which is also known as Neverquest and Snifula, is distributed with the aid of drive-by downloads, exploit kits, malware downloaders, and spam.

In the campaign aimed at Canadian bank customers, which Heimdal Security has been monitoring for roughly a month, the malware has been delivered mainly through drive-by attacks. A total of six command and control (C&C) domains have been identified. Based on their IP addresses, experts have determined that the servers are located in Russia, Ukraine and Germany.

Roughly 15,000 bots have been detected in the Canadian campaign. Based on GeoIP data, 90 percent of the victims are located in Canada, Heimdal told SecurityWeek.

Vawtrak has continued to evolve over the past months. In February, Trend Micro reported that the banking Trojan had started leveraging the Windows PowerShell scripting tool and macros in its infection routines.

In a whitepaper published on Tuesday, AVG senior developer Jakub Kroustek detailed a new sample of Vawtrak that has infected computers worldwide. AVG has determined that the countries most affected by Vawtrak campaigns this year are the Czech Republic, the United States, the United Kingdom, and Germany.

In addition to performing web injects, the Trojan is also capable of stealing passwords, taking screenshots, capturing videos, and logging keystrokes. One interesting feature is the use of the Tor2web proxy, which enables the malware to access servers hosted on Tor without installing additional software that is usually required to access the anonymity network.

“This Vawtrak sample also uses steganography to hide update files inside of favicons so that downloading them does not seem suspicious. Each favicon is only a few kilobytes in size, but it is enough to carry a digitally signed update file hidden inside,” Kroustek explained.
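The favicon trick described above is a useful case for a defender: a favicon is a structured ICO file whose header declares exactly how many bytes of image data it should contain, so one cheap check is to compare the declared extent against the actual file size. The script below is an added example, not code from the article, Heimdal Security or AVG, and it assumes (my assumption, not a detail the article gives) that a hidden file is carried as bytes appended after the declared image data; pixel-level steganography would not be caught by this check, so treat it as one triage heuristic rather than a detector for the sample AVG analysed. The sample ICO blobs are constructed inline.

```python
"""Heuristic check for data appended to an ICO favicon beyond its declared images.

Added example (not the article's or AVG's code). Assumption: a smuggled file is
simply appended after the image data the ICO directory declares; pixel-level
steganography is out of scope for this check.
"""
import struct

# ICO layout: 6-byte header (reserved, type, image count) followed by one
# 16-byte directory entry per image (w, h, colours, reserved, planes, bpp,
# byte size of image data, byte offset of image data).
ICO_HEADER = struct.Struct("<HHH")
ICO_DIR_ENTRY = struct.Struct("<BBBBHHII")


def declared_extent(data: bytes) -> int:
    """Return the byte offset just past the last image the ICO directory declares.

    Raises ValueError when the header or directory is malformed, which is itself
    worth flagging for a file served as a favicon.
    """
    if len(data) < ICO_HEADER.size:
        raise ValueError("too short for an ICO header")
    reserved, ico_type, count = ICO_HEADER.unpack_from(data, 0)
    if reserved != 0 or ico_type != 1 or count == 0:
        raise ValueError("not an ICO file")
    end = ICO_HEADER.size + count * ICO_DIR_ENTRY.size
    if len(data) < end:
        raise ValueError("truncated directory")
    for i in range(count):
        entry_off = ICO_HEADER.size + i * ICO_DIR_ENTRY.size
        *_, size, offset = ICO_DIR_ENTRY.unpack_from(data, entry_off)
        if offset + size > len(data):
            raise ValueError("directory entry points past end of file")
        end = max(end, offset + size)
    return end


def trailing_bytes(data: bytes) -> int:
    """Bytes after the last declared image; anything above 0 deserves a closer look."""
    return len(data) - declared_extent(data)


def is_suspicious(data: bytes, max_favicon_bytes: int = 16 * 1024) -> bool:
    """Flag a favicon that carries trailing data, is malformed, or is unusually large.

    The size threshold is an assumed triage value, not a figure from the article.
    """
    if len(data) > max_favicon_bytes:
        return True
    try:
        return trailing_bytes(data) > 0
    except ValueError:
        return True


def build_ico(image_payload: bytes, width: int = 1, height: int = 1) -> bytes:
    """Build a minimal single-image ICO around image_payload (constructed test data)."""
    offset = ICO_HEADER.size + ICO_DIR_ENTRY.size
    header = ICO_HEADER.pack(0, 1, 1)
    entry = ICO_DIR_ENTRY.pack(width, height, 0, 0, 1, 32, len(image_payload), offset)
    return header + entry + image_payload


# Constructed samples: a clean favicon and one with an opaque blob appended.
CLEAN_ICO = build_ico(b"\x00" * 40)
TAMPERED_ICO = CLEAN_ICO + b"\xaa" * 302  # constructed stand-in for an appended file


if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_ICO), ("tampered", TAMPERED_ICO)):
        print(f"{name}: {trailing_bytes(blob)} trailing byte(s), "
              f"suspicious={is_suspicious(blob)}")
```

In practice this runs over favicons captured at a proxy or pulled from browser caches; a hit on `trailing_bytes` or a malformed directory is a reason to submit the file for deeper analysis, not a verdict on its own.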

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
