Vawtrak Banking Trojan Uses Windows PowerShell, Macros in Infection Routines

The Vawtrak banking malware now leverages macros and the Windows PowerShell scripting tool to infect computers, Trend Micro reported on Monday.

Vawtrak, also known as Neverquest and Snifula, has evolved a great deal over the past months. In September, PhishLabs researchers noticed that cybercriminals had expanded not only the malware’s capabilities, but also the list of targeted financial institutions. The initial Vawtrak attacks primarily targeted banks in Japan.

Up until recently, attackers distributed the threat as an exploit payload, with the aid of exploit kits such as Angler. Now they have turned to malicious Office macros, a delivery technique also used by info-stealers like Dridex and Rovnix.

The attack starts with a spam email that appears to come from FedEx, American Airlines or other companies. The bogus messages contain what appears to be a harmless document. When the document is opened with Microsoft Word, users are presented with random symbols and they are instructed to enable macros in order to view the content.

After macros are enabled, the text in the document becomes readable. In the background, a batch file, a VBS file and a PowerShell script are dropped onto the system. The batch file is designed to execute the VBS file, which in turn runs the PowerShell script.

Built on the .NET Framework, Windows PowerShell is a task-based command line shell and scripting language that enables IT teams to control and automate the administration of the operating system and applications. In mid-2014, Trend Micro reported that the tool had been increasingly abused by attackers.

In the Vawtrak attacks, the PowerShell script is designed to download the Trojan, detected as BKDR_VAWTRAK.DOKR, to the system.

“The use of three components (batch file, VBScript, and Windows PowerShell file) might be an evasion tactic. The VBS file has the ‘-ExecutionPolicy bypass’ policy flag to bypass execution policies in the affected system. These policies are often seen as a ‘security’ feature by many administrators. They will not allow scripts to be run unless they meet the requirements of the policy,” Trend Micro explained in a blog post. “When the ‘-ExecutionPolicy bypass’ policy flag is used, nothing is blocked and there are no warnings or prompts. This means that the malware infection chain can proceed without any security blocks.”
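Both the three-stage chain described above and the execution-policy flag quoted by Trend Micro leave a trail in process-creation telemetry, and that trail is more reliable than the flag alone: Microsoft itself documents the execution policy as a safety feature rather than a security boundary, and legitimate administration scripts routinely run with Bypass. The following Python is an added example, not code from the article or from Trend Micro. It reads constructed Sysmon-style Event ID 1 records (JSON lines), rebuilds the parent chain of every PowerShell process, and reports the Word-to-cmd-to-wscript-to-powershell ancestry separately from the -ExecutionPolicy flag. All PIDs, paths and file names are invented for illustration.

```python
"""Hunt for the batch -> VBScript -> PowerShell chain in process-creation telemetry.

Added example for this article; not code from Trend Micro or SecurityWeek.
SAMPLE_EVENTS holds constructed Sysmon Event ID 1 style records (JSON lines);
PIDs, paths and file names are invented.
"""
import json
import re
from dataclasses import dataclass
from typing import Dict, List

SAMPLE_EVENTS = r"""
{"ProcessId": 800,  "ParentProcessId": 500,  "Image": "C:\\Windows\\explorer.exe", "CommandLine": "C:\\Windows\\Explorer.EXE"}
{"ProcessId": 1200, "ParentProcessId": 800,  "Image": "C:\\Program Files\\Microsoft Office\\Office15\\WINWORD.EXE", "CommandLine": "\"WINWORD.EXE\" /n \"C:\\Users\\alice\\Downloads\\Shipping_Notice.doc\""}
{"ProcessId": 1310, "ParentProcessId": 1200, "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c C:\\Users\\alice\\AppData\\Local\\Temp\\stage1.bat"}
{"ProcessId": 1322, "ParentProcessId": 1310, "Image": "C:\\Windows\\System32\\wscript.exe", "CommandLine": "wscript.exe //B //Nologo C:\\Users\\alice\\AppData\\Local\\Temp\\stage2.vbs"}
{"ProcessId": 1340, "ParentProcessId": 1322, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -ep bypass -WindowStyle Hidden -File C:\\Users\\alice\\AppData\\Local\\Temp\\stage3.ps1"}
{"ProcessId": 2100, "ParentProcessId": 600,  "Image": "C:\\Windows\\System32\\svchost.exe", "CommandLine": "svchost.exe -k netsvcs -s Schedule"}
{"ProcessId": 2150, "ParentProcessId": 2100, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\nightly-backup.ps1"}
{"ProcessId": 2300, "ParentProcessId": 800,  "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -NoProfile -Command Get-Date"}
"""

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe"}
POWERSHELL = {"powershell.exe", "powershell_ise.exe", "pwsh.exe"}

# powershell.exe accepts any unambiguous prefix of a parameter name, so
# "-ep", "-ex" and "-exec" all select -ExecutionPolicy.  A literal match on
# the full parameter name would miss the abbreviated forms malware favours.
BYPASS_RE = re.compile(r"(?:^|\s)-e[xp]\w*\s+(?:bypass|unrestricted)\b", re.IGNORECASE)


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str

    @property
    def name(self) -> str:
        """Lower-cased image file name, tolerant of either path separator."""
        return re.split(r"[\\/]", self.image)[-1].lower()


def parse_events(text: str) -> Dict[int, Proc]:
    """Parse JSON-lines process-creation records into a PID -> Proc map."""
    procs: Dict[int, Proc] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        p = Proc(int(rec["ProcessId"]), int(rec["ParentProcessId"]),
                 rec["Image"], rec.get("CommandLine", ""))
        procs[p.pid] = p
    return procs


def ancestry(procs: Dict[int, Proc], pid: int, max_depth: int = 8) -> List[str]:
    """Image names of the ancestors of `pid`, nearest parent first.

    Stops at an unknown parent, at a repeated PID (PID reuse would otherwise
    loop) or after max_depth hops.
    """
    chain: List[str] = []
    seen = set()
    cur = procs.get(pid)
    while (cur is not None and cur.ppid in procs
           and cur.ppid not in seen and len(chain) < max_depth):
        seen.add(cur.ppid)
        cur = procs[cur.ppid]
        chain.append(cur.name)
    return chain


def detect(procs: Dict[int, Proc]) -> List[dict]:
    """Flag PowerShell processes by ancestry and by the -ExecutionPolicy flag.

    high: an Office application and a script host (cmd/wscript/cscript) are both
          ancestors, i.e. the macro -> batch -> VBS -> PowerShell chain.
    low:  only the Bypass/Unrestricted flag is present; admin tooling does this too.
    """
    findings = []
    for p in procs.values():
        if p.name not in POWERSHELL:
            continue
        parents = ancestry(procs, p.pid)
        bypass = BYPASS_RE.search(p.cmdline) is not None
        office_parent = any(n in OFFICE for n in parents)
        script_host_parent = any(n in SCRIPT_HOSTS for n in parents)
        if office_parent and script_host_parent:
            severity = "high"
        elif bypass:
            severity = "low"
        else:
            continue
        findings.append({"pid": p.pid, "severity": severity,
                         "execution_policy_bypass": bypass, "ancestry": parents})
    return findings


if __name__ == "__main__":
    for finding in detect(parse_events(SAMPLE_EVENTS)):
        print(json.dumps(finding))
```

On the constructed data the chain under WINWORD.EXE is reported as high severity, the scheduled-task backup script that also passes -ExecutionPolicy Bypass is reported as low, and the plain interactive PowerShell session is ignored. The point of splitting the two signals is that the flag by itself is weak evidence; the Office ancestor plus a script host is what makes the alert worth paging on.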

Vawtrak uses a password-protected macro, which makes the malware more difficult to analyze, researchers noted. The protection applies only to viewing the project in the Office VBA editor; the macro source is still stored in the document's VBA project streams, so static extraction tools can recover it without the password.

Once it infects a computer, the malware starts stealing valuable information, including email credentials, information from Web browsers, and account data for FTP clients. By using form grabbing, screenshots, and injections, Vawtrak can also steal data from websites such as Twitter, Yahoo, Gmail, Amazon and Facebook.

The malware can also bypass some two-factor authentication mechanisms, researchers said. Another notable feature found in Vawtrak is an Automatic Transfer System (ATS), which automates fraudulent transfers from inside the victim's authenticated online-banking session rather than replaying stolen credentials from an attacker-controlled machine, which is how it circumvents the bank's security measures.

Trend Micro has been monitoring this new attack wave since November 2014. Most of the infections have been spotted in the United States (61%), followed at a distance by Japan (10%), Germany (7%), the UK (4%), Australia, Canada, France, Italy, Belgium, and the Czech Republic.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
