‘Vawtrak’ Banking Malware Continues to Evolve

Security experts say that a new version of the increasingly notorious Vawtrak malware has been spotted with significant code and configuration changes.

Also known as NeverQuest and Snifula, Vawtrak injects a DLL into browser processes. When the targeted URLs are visited by an infected user, the malware inserts extra code into the web page. That extra code is used for a number of reasons, including bypassing two-factor authentication, a new paper from Sophos notes.

“The updates are mostly about disguising where the malware connects when it ‘calls home’ to fetch its instructions on what to do next,” blogged Sophos’s James Wyke. “Additionally, the way that Vawtrak communicates with its so-called command-and-control (C&C) servers has been adapted so that the malware’s traffic looks less suspicious. We have also observed new configuration files being deployed, and an interesting trend in the commands sent back by the C&C servers when an infected computer first checks in.”

More specifically, the updates include changes to how the list of command-and-control server addresses is stored inside the Vawtrak program file. In addition, the malware makes heavy use of pseudorandom numbers produced by a Linear Congruential Generator (LCG) algorithm to scramble the data it contains.
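To make the LCG-scrambling point concrete, the following is an added illustration written for this article, not Vawtrak's own code or any Sophos material. It shows why an LCG-driven keystream hides an embedded server list from simple string searches, and why an analyst who recovers the generator's constants and seed can unscramble it just as easily as the malware does. The multiplier, increment, seed, record layout and hostnames are all constructed assumptions for the example.

```python
# Added illustration (not Vawtrak's code): an LCG keystream XOR-scrambles an
# embedded blob such as a C&C address list, and the same keystream recovers it.
# All constants, the seed, the record format and the hostnames are constructed.

MULTIPLIER = 0x343FD   # hypothetical LCG multiplier (assumption)
INCREMENT = 0x269EC3   # hypothetical LCG increment (assumption)
MODULUS = 1 << 32      # 32-bit state arithmetic


def lcg_stream(seed: int, length: int) -> bytes:
    """Derive `length` keystream bytes from an LCG.

    State update: state = (a * state + c) mod 2^32. The top byte of each new
    state is emitted, since the low bits of a power-of-two LCG cycle quickly.
    """
    state = seed & 0xFFFFFFFF
    out = bytearray()
    for _ in range(length):
        state = (MULTIPLIER * state + INCREMENT) % MODULUS
        out.append((state >> 24) & 0xFF)
    return bytes(out)


def scramble(data: bytes, seed: int) -> bytes:
    """XOR data with the LCG keystream. Applying it twice restores the input."""
    keystream = lcg_stream(seed, len(data))
    return bytes(b ^ k for b, k in zip(data, keystream))


def encode_server_list(hosts: list[str]) -> bytes:
    """Constructed record layout: 1-byte length + ASCII host, zero-terminated."""
    blob = bytearray()
    for host in hosts:
        raw = host.encode("ascii")
        if not 0 < len(raw) < 256:
            raise ValueError("host length out of range for 1-byte prefix")
        blob.append(len(raw))
        blob += raw
    blob.append(0)
    return bytes(blob)


def parse_server_list(blob: bytes) -> list[str]:
    """Inverse of encode_server_list; raises ValueError on malformed input."""
    hosts = []
    i = 0
    while i < len(blob):
        n = blob[i]
        i += 1
        if n == 0:
            return hosts
        if i + n > len(blob):
            raise ValueError("truncated entry")
        hosts.append(blob[i:i + n].decode("ascii"))  # non-ASCII -> ValueError
        i += n
    raise ValueError("missing terminator")


def recover(stored: bytes, seed: int):
    """Analyst-side decode: unscramble with a candidate seed, None if it fails."""
    try:
        return parse_server_list(scramble(stored, seed))
    except ValueError:
        return None


# Constructed sample data for the demonstration.
CONSTRUCTED_SEED = 0x5EED1234
CONSTRUCTED_HOSTS = ["c2-a.example.invalid", "c2-b.example.invalid"]


def build_stored_blob() -> bytes:
    """What the embedded, scrambled list would look like inside a binary."""
    return scramble(encode_server_list(CONSTRUCTED_HOSTS), CONSTRUCTED_SEED)


def demo() -> list[str]:
    stored = build_stored_blob()
    # The scrambled bytes contain no readable hostname, so `strings`-style
    # triage misses them; the correct seed brings the list straight back.
    return recover(stored, CONSTRUCTED_SEED)


if __name__ == "__main__":
    blob = build_stored_blob()
    print("stored (hex):", blob.hex())
    print("readable hostname present:", b"example" in blob)
    print("recovered with right seed:", demo())
    print("recovered with wrong seed:", recover(blob, CONSTRUCTED_SEED ^ 1))
```

Because XOR with a keystream is its own inverse, the defender's decoder is identical to the malware's loader once the LCG parameters and seed are known; this is why recovering those values from the unpacked binary is usually the first step in extracting a scrambled configuration.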

“Vawtrak also waits for a browser process to be launched before making any outbound C&C requests, so that it never generates traffic when you wouldn’t expect it,” Wyke blogged.

Targets of the malware have included customers of banks around the world, including in the U.S., Poland and Germany. According to Sophos, Vawtrak was the second-most popular malware distributed by Web-based exploit kits during September and November.

Don Jackson, director of threat intelligence at PhishLabs, blogged that the attackers appear to be responding to the attention they are getting from malware analysts and investigators by adopting modern anti-analysis tactics such as virtual machine detection and anti-debugging methods designed to frustrate forensic analysis.

“Vawtrak targets banks in a wide range of different countries, including some that are highly unusual to see banking malware target, and also targets companies from other industries that are off the radar of typical banking malware families,” according to the Sophos report. “Combined with the use of specific campaign IDs, it’s evident that the Vawtrak operators are setting up the botnet to deliver Crimeware-as-a-Service, rather than following a more traditional kit-selling model that older families such as Zeus or SpyEye once employed.”

“This model allows specialization,” the report continues. “Aspects of the operation can be divided into distinct areas that expert members of the team can work on independently. For example, German language web injects can be handled by German speaking team members, code that is designed to bypass two-factor authentication can be written by a different team than more simple code that asks for extra information not normally required, and the stolen data can be similarly divided.”