Vawtrak Banking Trojan Uses Windows PowerShell, Macros in Infection Routines

The Vawtrak banking malware now leverages macros and the Windows PowerShell scripting tool to infect computers, Trend Micro reported on Monday.

Vawtrak, also known as Neverquest and Snifula, has evolved a great deal over the past months. In September, PhishLabs researchers noticed that cybercriminals had expanded not only the malware’s capabilities, but also the list of targeted financial institutions. The initial Vawtrak attacks primarily targeted banks in Japan.

Up until recently, attackers distributed the threat as exploit payloads and with the aid of exploit kits such as Angler. Now they have turned to malicious macros, a technique also seen in info-stealers like Dridex and Rovnix.

The attack starts with a spam email that appears to come from FedEx, American Airlines or other companies. The bogus messages contain what appears to be a harmless document. When the document is opened with Microsoft Word, users are presented with random symbols and they are instructed to enable macros in order to view the content.

After macros are enabled, the text in the document becomes visible. In the meantime, a batch file, a VBS file and a PowerShell script are dropped onto the infected system. The batch file is designed to execute the VBS file, which in turn runs the PowerShell script.

Built on the .NET Framework, Windows PowerShell is a task-based command line shell and scripting language that enables IT teams to control and automate the administration of the operating system and applications. In mid-2014, Trend Micro reported that the tool had been increasingly abused by attackers.

In the Vawtrak attacks, the PowerShell script is designed to download the Trojan, detected as BKDR_VAWTRAK.DOKR, to the system.

“The use of three components (batch file, VBScript, and Windows PowerShell file) might be an evasion tactic. The VBS file has the ‘-ExecutionPolicy bypass’ policy flag to bypass execution policies in the affected system. These policies are often seen as a ‘security’ feature by many administrators. They will not allow scripts to be run unless they meet the requirements of the policy,” Trend Micro explained in a blog post. “When the ‘-ExecutionPolicy bypass’ policy flag is used, nothing is blocked and there are no warnings or prompts. This means that the malware infection chain can proceed without any security blocks.”
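The chain Trend Micro describes, a Windows Script Host process starting PowerShell with the execution-policy bypass flag and a script dropped to disk, is what a defender can look for in process-creation telemetry. The Python below is an added illustration, not code from SecurityWeek or Trend Micro; the record field names, the sample paths and the abbreviated forms of the flag it matches (`-ep`, `-ex…`, which powershell.exe accepts alongside the full name) are assumptions of this example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample process-creation records (not real telemetry), shaped
# loosely like the parent/image/command-line fields an EDR or Sysmon
# Event ID 1 record exposes. Record 2 mimics the Vawtrak-style chain.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\AppData\Local\Temp\stage.vbs"'},
    {"parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy bypass -File "
                r"C:\Users\alice\AppData\Local\Temp\stage.ps1"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -NoProfile -Command Get-Service"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -ep Bypass -c "Get-Date"'},
]

# Full flag name plus the common abbreviations (assumption: -ep / -ex prefixes).
BYPASS_RE = re.compile(r"-(?:ex\w*|ep)\s+bypass", re.IGNORECASE)
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")


def basename(path: str) -> str:
    """Last path component, lower-cased, so image paths compare reliably."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event: Dict[str, str]) -> List[str]:
    """Return the traits of the described infection chain present in one record."""
    reasons: List[str] = []
    if basename(event["image"]) != "powershell.exe":
        return reasons
    if BYPASS_RE.search(event["cmdline"]):
        reasons.append("execution policy bypass flag")
    if basename(event["parent"]) in SCRIPT_HOSTS:
        reasons.append("launched by Windows Script Host")
    if "\\temp\\" in event["cmdline"].lower():
        reasons.append("script path under a Temp directory")
    return reasons


def find_suspicious(events: List[Dict[str, str]], min_reasons: int = 2) -> List[Tuple[str, List[str]]]:
    """Flag records showing at least `min_reasons` traits; one trait alone is common admin use."""
    hits = []
    for event in events:
        reasons = classify(event)
        if len(reasons) >= min_reasons:
            hits.append((event["cmdline"], reasons))
    return hits
```

Requiring two traits keeps an administrator's one-off `-ep Bypass` out of the alert queue while still catching the script-host-to-PowerShell hop the article describes.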

Vawtrak uses a password-protected macro, which makes it more difficult to analyze the malware, researchers noted.

Once it infects a computer, the malware starts stealing valuable information, including email credentials, information from Web browsers, and account data for FTP clients. By using form grabbing, screenshots, and injections, Vawtrak can also steal data from websites such as Twitter, Yahoo, Gmail, Amazon and Facebook.

The malware can also bypass some two-factor authentication mechanisms, researchers said. Another interesting feature found in Vawtrak is the Automatic Transfer System (ATS), which enables cybercriminals to circumvent security measures.

Trend Micro has been monitoring this new attack wave since November 2014. Most of the infections have been spotted in the United States (61%), followed at a distance by Japan (10%), Germany (7%), the UK (4%), Australia, Canada, France, Italy, Belgium, and the Czech Republic.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.