Canadian Users Targeted With Vawtrak Banking Trojan

Cybercriminals have been using the Vawtrak Trojan in an ongoing campaign targeted at Canadian online banking users, Denmark-based Heimdal Security reported on Tuesday.

According to researchers, malicious actors have been targeting the customers of 15 Canadian financial institutions, including the Vancouver City Savings Credit Union (Vancity), Tangerine Bank, Royal Bank of Canada, Bank of Montreal (BMO), Desjardins, and TD Canada Trust.

Vawtrak uses Zeus-style web injects to trick victims into handing over personal and financial information. The web injection process also enables the attackers to get past security measures such as two-factor authentication.

Furthermore, the use of virtual network computing (VNC) enables cybercrooks to perform unauthorized actions on the targeted account directly from the victim’s computer, which makes it less likely for the bank’s security systems to detect any suspicious activity, Heimdal Security said in a blog post.

Vawtrak, which is also known as Neverquest and Snifula, is distributed with the aid of drive-by downloads, exploit kits, malware downloaders, and spam.

In the campaign aimed at Canadian bank customers, which Heimdal Security has been monitoring for roughly a month, the malware has been delivered mainly through drive-by attacks. A total of six command and control (C&C) domains have been identified. Based on their IP addresses, experts have determined that the servers are located in Russia, Ukraine and Germany.

Roughly 15,000 bots have been detected in the Canadian campaign. Based on GeoIP data, 90 percent of the victims are located in Canada, Heimdal told SecurityWeek.

Vawtrak has continued to evolve over the past months. In February, Trend Micro reported that the banking Trojan had started leveraging the Windows PowerShell scripting tool and macros in its infection routines.

In a whitepaper published on Tuesday, AVG senior developer Jakub Kroustek detailed a new sample of Vawtrak that has infected computers worldwide. AVG has determined that the countries most affected by Vawtrak campaigns this year are the Czech Republic, the United States, the United Kingdom, and Germany.

In addition to performing web injects, the Trojan is also capable of stealing passwords, taking screenshots, capturing videos, and logging keystrokes. One interesting feature is the use of the Tor2web proxy, which enables the malware to access servers hosted on Tor without installing additional software that is usually required to access the anonymity network.

“This Vawtrak sample also uses steganography to hide update files inside of favicons so that downloading them does not seem suspicious. Each favicon is only a few kilobytes in size, but it is enough to carry a digitally signed update file hidden inside,” Kroustek explained.
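The favicon detail above points at a check a defender can run on proxy or sandbox captures: a legitimate favicon is entirely accounted for by its image structure, so any bytes beyond the declared end of a PNG (its IEND chunk) or beyond the furthest image entry in an ICO directory are worth a closer look. The script below is an added illustration of that structural check; it is not code from the article or from AVG, it makes no claim about how the Vawtrak sample actually embeds its payload, and the favicons and trailing bytes it analyses are constructed inline.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def png_declared_length(data):
    """Walk the PNG chunk list and return the offset just past the IEND chunk.

    Returns None if the bytes are not a well-formed PNG (bad signature,
    truncated chunk, or no IEND chunk at all).
    """
    if not data.startswith(PNG_SIGNATURE):
        return None
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 8 + length + 4  # length/type header + payload + CRC
        if end > len(data):
            return None
        pos = end
        if ctype == b"IEND":
            return pos
    return None


def ico_declared_length(data):
    """Parse an ICO header and directory; return the furthest byte any
    image entry claims to occupy. Returns None if the bytes are not an ICO."""
    if len(data) < 6:
        return None
    reserved, icon_type, count = struct.unpack("<HHH", data[:6])
    if reserved != 0 or icon_type != 1 or count == 0:
        return None
    furthest = 6 + 16 * count  # end of the directory table
    if furthest > len(data):
        return None
    for i in range(count):
        entry = data[6 + 16 * i:6 + 16 * (i + 1)]
        size, offset = struct.unpack("<II", entry[8:16])
        if offset + size > len(data):
            return None
        furthest = max(furthest, offset + size)
    return furthest


def trailing_bytes(data):
    """Number of bytes after the declared image structure, or None if the
    format is unrecognised or malformed."""
    declared = png_declared_length(data)
    if declared is None:
        declared = ico_declared_length(data)
    if declared is None:
        return None
    return len(data) - declared


def assess_favicon(data):
    """Triage verdict for one favicon capture."""
    extra = trailing_bytes(data)
    if extra is None:
        return "malformed-or-unknown"
    return "trailing-data" if extra > 0 else "clean"


# --- constructed sample favicons (not real captures) ---------------------

def _png_chunk(ctype, payload):
    body = ctype + payload
    return struct.pack(">I", len(payload)) + body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)


def make_minimal_png():
    """Build a valid 1x1 white RGB PNG from scratch."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\xff\xff\xff")  # filter byte + one pixel
    return PNG_SIGNATURE + _png_chunk(b"IHDR", ihdr) + _png_chunk(b"IDAT", idat) + _png_chunk(b"IEND", b"")


def make_minimal_ico(png):
    """Wrap a PNG in a one-entry ICO container (PNG-encoded entries are valid)."""
    header = struct.pack("<HHH", 0, 1, 1)
    entry = struct.pack("<BBBBHHII", 1, 1, 0, 0, 1, 32, len(png), 22)
    return header + entry + png


CLEAN_FAVICON = make_minimal_png()
# Constructed filler standing in for an appended payload; not a real sample.
SUSPICIOUS_FAVICON = CLEAN_FAVICON + b"CONSTRUCTED-TRAILING-PAYLOAD" * 8

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_FAVICON), ("suspicious", SUSPICIOUS_FAVICON),
                       ("ico", make_minimal_ico(CLEAN_FAVICON))):
        print(name, len(blob), "bytes ->", assess_favicon(blob), "trailing:", trailing_bytes(blob))
```

A verdict of "trailing-data" is a triage signal, not proof of malice: some generators pad files, and a payload hidden inside pixel data rather than appended after the structure will not be caught this way. Pair the check with the ordinary indicators the article already mentions, such as favicons fetched from infrastructure the host has no other business with.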

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.