Connect with us

Hi, what are you looking for?


Malware & Threats

‘Vawtrak’ Banking Malware Continues to Evolve

Security experts say that a new version of the increasingly notorious Vawtrak malware has been spotted with significant code and configuration changes.

Security experts say that a new version of the increasingly notorious Vawtrak malware has been spotted with significant code and configuration changes.

Also known as NeverQuest and Snifula, Vawtrak injects a DLL into browser processes. When the targeted URLs are visited by an infected user, the malware inserts extra code into the web page. That extra code is used for a number of reasons, including bypassing two-factor authentication, a new paper from Sophos notes.

“The updates are mostly about disguising where the malware connects when it “calls home” to fetch its instructions on what to do next,” blogged Sophos James Wyke. “Additionally, the way that Vawtrak communicates with its so-called command-and-control (C&C) servers has been adapted so that the malware’s traffic looks less suspicious. We have also observed new configuration files being deployed, and an interesting trend in the commands sent back by the C&C servers when an infected computer first checks in.”

More specifically, the updates included how the list of command and control server addresses are stored inside the Vawtrak program file. In addition, the malware makes heavy use of pseudorandom numbers produced by a Linear Congruential Generator (LCG) algorithm that scrambles the data it contains.

Advertisement. Scroll to continue reading.

“Vawtrak also waits for a browser process to be launched before making any outbound C&C requests, so that it never generates traffic when you wouldn’t expect it,” Wyke blogged.

Targets of the malware have included customers of banks all around the world, including the U.S., Poland and Germany. According to Sophos, Vawtrak was the second-most popular malware distributed by Web-based exploit kits during September and November.

Don Jackson, director of threat intelligence at PhishLabs, blogged that the attackers appear to be responding to the attention they are getting from malware analysts and investigators by adopting modern anti-analysis tactics such as virtual machine detection and anti-debugging methods designed to frustrate forensic analysis.

“Vawtrak targets banks in a wide range of different countries, including some that are highly unusual to see banking malware target, and also targets companies from other industries that are off the radar of typical banking malware families,” according to Sophos report. “Combined with the use of specific campaign IDs, it’s evident that the Vawtrak operators are setting up the botnet to deliver Crimeware-as-a-Service, rather than following a more traditional kit-selling model that older families such as Zeus or SpyEye once employed.”

“This model allows specialization,” the report continues. “Aspects of the operation can be divided into distinct areas that expert members of the team can work on independently. For example, German language web injects can be handled by German speaking team members, code that is designed to bypass two-factor authentication can be written by a different team than more simple code that asks for extra information not normally required, and the stolen data can be similarly divided.”

Written By

Marketing professional with a background in journalism and a focus on IT security.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...


The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.