Security experts say that a new version of the increasingly notorious Vawtrak malware has been spotted with significant code and configuration changes.
Also known as NeverQuest and Snifula, Vawtrak injects a DLL into browser processes. When an infected user visits one of the targeted URLs, the malware inserts extra code into the web page. That extra code serves a number of purposes, including bypassing two-factor authentication, a new paper from Sophos notes.
“The updates are mostly about disguising where the malware connects when it ‘calls home’ to fetch its instructions on what to do next,” blogged Sophos’ James Wyke. “Additionally, the way that Vawtrak communicates with its so-called command-and-control (C&C) servers has been adapted so that the malware’s traffic looks less suspicious. We have also observed new configuration files being deployed, and an interesting trend in the commands sent back by the C&C servers when an infected computer first checks in.”
More specifically, the updates include changes to how the list of command-and-control server addresses is stored inside the Vawtrak program file. In addition, the malware makes heavy use of pseudorandom numbers produced by a Linear Congruential Generator (LCG) algorithm to scramble the data it contains.
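To illustrate the kind of LCG-keyed scrambling described above, here is an added Python example (not from the article, Sophos, or the malware itself) showing how a stored C&C list can be masked with an LCG byte stream and how an analyst recovers it once the generator's constants and seed have been pulled from the binary. The LCG constants, the NUL-separated layout and the placeholder server names are all constructed assumptions; the article gives none of Vawtrak's real parameters.

```python
"""Added illustration: descrambling an LCG-masked configuration blob.
Constants, layout and sample entries are constructed for the demo and are
not Vawtrak's actual values."""


def lcg_stream(seed: int, a: int = 1103515245, c: int = 12345, m: int = 2 ** 31):
    """Yield one keystream byte per step from a Linear Congruential Generator.
    a, c and m are the classic ANSI C values, assumed here purely for the demo."""
    state = seed
    while True:
        state = (a * state + c) % m
        # take a high byte: the low bits of an LCG cycle with short periods
        yield (state >> 16) & 0xFF


def scramble(data: bytes, seed: int) -> bytes:
    """XOR each byte with the LCG keystream. XOR is its own inverse, so calling
    this again with the same seed descrambles the data."""
    return bytes(b ^ k for b, k in zip(data, lcg_stream(seed)))


def parse_cnc_list(blob: bytes, seed: int) -> list[str]:
    """Descramble a stored config blob and split it into server entries.
    Entries are assumed to be NUL-separated (a constructed layout)."""
    clear = scramble(blob, seed)
    return [e.decode("ascii", "replace") for e in clear.split(b"\x00") if e]


# constructed sample: placeholder names, not real indicators
SAMPLE_SERVERS = ["cnc-example-1.invalid", "cnc-example-2.invalid"]
SAMPLE_SEED = 0x1234ABCD
SAMPLE_BLOB = scramble(
    b"\x00".join(s.encode("ascii") for s in SAMPLE_SERVERS) + b"\x00", SAMPLE_SEED
)

if __name__ == "__main__":
    print(parse_cnc_list(SAMPLE_BLOB, SAMPLE_SEED))       # the two placeholder servers
    print(parse_cnc_list(SAMPLE_BLOB, SAMPLE_SEED + 1))   # wrong seed: unreadable bytes
```

The point for a defender is that the scrambling is deterministic: the whole list falls out as soon as the seed and constants are known, which is why the analysis effort goes into locating them rather than into the XOR itself.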
“Vawtrak also waits for a browser process to be launched before making any outbound C&C requests, so that it never generates traffic when you wouldn’t expect it,” Wyke blogged.
Targets of the malware have included customers of banks all around the world, including the U.S., Poland and Germany. According to Sophos, Vawtrak was the second-most popular malware distributed by Web-based exploit kits during September and November.
Don Jackson, director of threat intelligence at PhishLabs, blogged that the attackers appear to be responding to the attention they are getting from malware analysts and investigators by adopting modern anti-analysis tactics such as virtual machine detection and anti-debugging methods designed to frustrate forensic analysis.
“Vawtrak targets banks in a wide range of different countries, including some that are highly unusual to see banking malware target, and also targets companies from other industries that are off the radar of typical banking malware families,” according to the Sophos report. “Combined with the use of specific campaign IDs, it’s evident that the Vawtrak operators are setting up the botnet to deliver Crimeware-as-a-Service, rather than following a more traditional kit-selling model that older families such as Zeus or SpyEye once employed.”
“This model allows specialization,” the report continues. “Aspects of the operation can be divided into distinct areas that expert members of the team can work on independently. For example, German language web injects can be handled by German speaking team members, code that is designed to bypass two-factor authentication can be written by a different team than more simple code that asks for extra information not normally required, and the stolen data can be similarly divided.”