Canadian Users Targeted With Vawtrak Banking Trojan

Cybercriminals have been using the Vawtrak Trojan in an ongoing campaign targeted at Canadian online banking users, Denmark-based Heimdal Security reported on Tuesday.

According to researchers, malicious actors have been targeting the customers of 15 Canadian financial institutions, including the Vancouver City Savings Credit Union (Vancity), Tangerine Bank, Royal Bank of Canada, Bank of Montreal (BMO), Desjardins, and TD Canada Trust.

Vawtrak uses Zeus-style web injects to trick victims into handing over personal and financial information. The web injection process also enables the attackers to get past security measures such as two-factor authentication.

Furthermore, the use of virtual network computing (VNC) enables cybercrooks to perform unauthorized actions on the targeted account directly from the victim’s computer, which makes it less likely for the bank’s security systems to detect any suspicious activity, Heimdal Security said in a blog post.

Vawtrak, which is also known as Neverquest and Snifula, is distributed with the aid of drive-by downloads, exploit kits, malware downloaders, and spam.

In the campaign aimed at Canadian bank customers, which Heimdal Security has been monitoring for roughly a month, the malware has been delivered mainly through drive-by attacks. A total of six command and control (C&C) domains have been identified. Based on their IP addresses, experts have determined that the servers are located in Russia, Ukraine and Germany.

Roughly 15,000 bots have been detected in the Canadian campaign. Based on GeoIP data, 90 percent of the victims are located in Canada, Heimdal told SecurityWeek.

Vawtrak has continued to evolve over the past months. In February, Trend Micro reported that the banking Trojan had started leveraging the Windows PowerShell scripting tool and macros in its infection routines.

In a whitepaper published on Tuesday, AVG senior developer Jakub Kroustek detailed a new sample of Vawtrak that has infected computers worldwide. AVG has determined that the countries most affected by Vawtrak campaigns this year are the Czech Republic, the United States, the United Kingdom, and Germany.

In addition to performing web injects, the Trojan is also capable of stealing passwords, taking screenshots, capturing videos, and logging keystrokes. One interesting feature is the use of the Tor2web proxy, which enables the malware to access servers hosted on Tor without installing additional software that is usually required to access the anonymity network.
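The Tor2web gateway behaviour described above leaves a network-side trace a defender can look for: outbound HTTP requests whose hostname is an onion address prefixed to a public gateway domain. The following Python is an added example (not code from the article, Heimdal Security, or AVG) that scans proxy log lines for that pattern. The log lines and their field layout are constructed for the example, and the gateway suffix list is an assumption; tor2web.org and onion.to were public Tor2web gateways at the time, the rest are illustrative and should be replaced with whatever list the environment maintains.

```python
import re
from urllib.parse import urlsplit

# Constructed sample proxy log lines (not from the article). Assumed layout:
# "<timestamp> <client_ip> <method> <url> <status>"
SAMPLE_LOG = """\
2015-03-25T10:01:02Z 10.0.0.12 GET http://www.example.com/index.html 200
2015-03-25T10:01:05Z 10.0.0.12 GET http://abcdefghijklmnop.tor2web.org/favicon.ico 200
2015-03-25T10:02:11Z 10.0.0.33 GET http://news.example.org/favicon.ico 200
2015-03-25T10:02:40Z 10.0.0.33 POST http://qrstuvwxyz234567.onion.to/gate.php 200
2015-03-25T10:03:01Z 10.0.0.51 GET http://cdn.example.net/abcdefghijklmnop.onion.png 200
"""

# Assumed gateway list: the first two were real public Tor2web gateways circa 2015,
# the others are placeholders. Maintain this list from your own threat intel.
GATEWAY_SUFFIXES = ("tor2web.org", "onion.to", "onion.cab", "onion.link")

# A v2 onion service address is exactly 16 base32 characters (a-z, 2-7).
ONION_LABEL = re.compile(r"^[a-z2-7]{16}$")


def is_tor2web_host(host):
    """True if host looks like <onion-address>.<known Tor2web gateway>."""
    if not host:
        return False
    labels = host.lower().split(".")
    for suffix in GATEWAY_SUFFIXES:
        parts = suffix.split(".")
        # Hostname must end with the gateway suffix and have at least one more label.
        if len(labels) > len(parts) and labels[-len(parts):] == parts:
            if ONION_LABEL.match(labels[-len(parts) - 1]):
                return True
    return False


def find_tor2web_requests(log_text):
    """Return (client_ip, host) for every log line whose request host matches.

    Only the hostname is examined: an onion-looking string in the URL path
    (last sample line) is deliberately not flagged, to keep false positives down.
    """
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed line; skip rather than crash the scan
        client_ip, url = fields[1], fields[3]
        host = urlsplit(url).hostname
        if is_tor2web_host(host):
            hits.append((client_ip, host))
    return hits


if __name__ == "__main__":
    for ip, host in find_tor2web_requests(SAMPLE_LOG):
        print(f"possible Tor2web access from {ip} to {host}")
```

The match is intentionally strict (onion-shaped label directly under a known gateway) so that ordinary traffic to a gateway operator's own web site is not flagged; loosen it only if the false-positive rate in your logs allows.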

“This Vawtrak sample also uses steganography to hide update files inside of favicons so that downloading them does not seem suspicious. Each favicon is only a few kilobytes in size, but it is enough to carry a digitally signed update file hidden inside,” Kroustek explained.
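An ICO favicon declares, in its own header, exactly where each embedded image starts and how many bytes it occupies, so one cheap integrity check is to compare the declared image extent with the actual file size. The Python below is an added example (not code from the article or from AVG's whitepaper) that parses the ICO directory and reports any bytes past the last declared image, plus the inverse case of a header that claims more data than the file holds. The page does not say which steganographic technique this Vawtrak sample used; if the payload were embedded in the pixel data itself rather than appended, this check would not see it, so treat it as one structural heuristic, not a Vawtrak signature. The favicon bytes are constructed inline (a 1x1 32-bit icon), not taken from a real sample.

```python
import struct

# ICONDIR: reserved(2), type(2, 1 = icon), count(2)
ICONDIR = struct.Struct("<HHH")
# ICONDIRENTRY: width(1), height(1), colors(1), reserved(1), planes(2),
#               bitcount(2), bytes_in_resource(4), image_offset(4)
ICONDIRENTRY = struct.Struct("<BBBBHHII")


def build_favicon(extra=b"", declared_size=None):
    """Construct a minimal 1x1 32bpp ICO for the example (not a real sample).

    `extra` is appended after the image data; `declared_size` overrides the
    size recorded in the directory entry so a truncated file can be simulated.
    """
    # BITMAPINFOHEADER with height doubled (XOR + AND mask), as ICO requires.
    bmp_header = struct.pack("<IiiHHIIiiII", 40, 1, 2, 1, 32, 0, 0, 0, 0, 0, 0)
    xor_pixel = b"\x00\x00\x00\xff"   # one BGRA pixel
    and_mask = b"\x00\x00\x00\x00"    # one row, padded to 4 bytes
    image = bmp_header + xor_pixel + and_mask
    offset = ICONDIR.size + ICONDIRENTRY.size
    size = len(image) if declared_size is None else declared_size
    entry = ICONDIRENTRY.pack(1, 1, 0, 0, 1, 32, size, offset)
    return ICONDIR.pack(0, 1, 1) + entry + image + extra


def inspect_favicon(data):
    """Parse the ICO directory and report how the declared images fit the file.

    Returns a dict with image_count, declared_end (one past the last declared
    image byte), actual_size, trailing_bytes (data the header does not account
    for) and truncated (header claims bytes the file does not contain).
    """
    if len(data) < ICONDIR.size:
        raise ValueError("too short to be an ICO file")
    reserved, res_type, count = ICONDIR.unpack_from(data, 0)
    if reserved != 0 or res_type != 1 or count == 0:
        raise ValueError("not an ICO header")
    declared_end = ICONDIR.size + count * ICONDIRENTRY.size
    if len(data) < declared_end:
        raise ValueError("directory runs past end of file")
    for i in range(count):
        entry = ICONDIRENTRY.unpack_from(data, ICONDIR.size + i * ICONDIRENTRY.size)
        bytes_in_res, image_offset = entry[6], entry[7]
        declared_end = max(declared_end, image_offset + bytes_in_res)
    return {
        "image_count": count,
        "declared_end": declared_end,
        "actual_size": len(data),
        "trailing_bytes": max(0, len(data) - declared_end),
        "truncated": len(data) < declared_end,
    }


if __name__ == "__main__":
    clean = build_favicon()
    padded = build_favicon(extra=b"\x00" * 3000)  # constructed: 3 KB appended
    for name, blob in (("clean", clean), ("padded", padded)):
        print(name, inspect_favicon(blob))
```

Run across a proxy cache or a web root, a non-zero `trailing_bytes` on a favicon is worth a second look; a legitimate icon editor has no reason to leave kilobytes of data after the last declared image.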
