Vawtrak Banking Trojan Uses Windows PowerShell, Macros in Infection Routines

The Vawtrak banking malware now leverages macros and the Windows PowerShell scripting tool to infect computers, Trend Micro reported on Monday.


Vawtrak, also known as Neverquest and Snifula, has evolved a great deal over the past months. In September, PhishLabs researchers noticed that cybercriminals had expanded not only the malware’s capabilities, but also the list of targeted financial institutions. The initial Vawtrak attacks primarily targeted banks in Japan.

Until recently, attackers distributed the threat as an exploit payload, with the aid of exploit kits such as Angler. Now they have turned to malicious macros, a technique also seen in info-stealers such as Dridex and Rovnix.

The attack starts with a spam email that appears to come from FedEx, American Airlines or other companies. The bogus messages contain what appears to be a harmless document. When the document is opened with Microsoft Word, users are presented with random symbols and they are instructed to enable macros in order to view the content.

After macros are enabled, the text in the document becomes visible. In the meantime, a batch file, a VBS file and a PowerShell script are dropped onto the infected system. The batch file is designed to execute the VBS file, which in turn runs the PowerShell script.

Built on the .NET Framework, Windows PowerShell is a task-based command line shell and scripting language that enables IT teams to control and automate the administration of the operating system and applications. In mid-2014, Trend Micro reported that the tool had been increasingly abused by attackers.

In the Vawtrak attacks, the PowerShell script is designed to download the Trojan, detected as BKDR_VAWTRAK.DOKR, to the system.


“The use of three components (batch file, VBScript, and Windows PowerShell file) might be an evasion tactic. The VBS file has the ‘-ExecutionPolicy bypass’ policy flag to bypass execution policies in the affected system. These policies are often seen as a ‘security’ feature by many administrators. They will not allow scripts to be run unless they meet the requirements of the policy,” Trend Micro explained in a blog post. “When the ‘-ExecutionPolicy bypass’ policy flag is used, nothing is blocked and there are no warnings or prompts. This means that the malware infection chain can proceed without any security blocks.”
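The batch-to-VBS-to-PowerShell chain and the execution-policy bypass described above are both visible in process-creation telemetry. The following detection logic is an added example, not code from the original article or from Trend Micro; the Sysmon-style events, pids and file paths are constructed to mirror the chain, and the abbreviated switches (-ex, -ep) are the aliases powershell.exe itself documents for -ExecutionPolicy.

```python
import re

# Constructed process-creation events (Sysmon Event ID 1 style), not real telemetry.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 50, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c C:\Users\u\AppData\Local\Temp\run.bat"},
    {"pid": 101, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\Users\u\AppData\Local\Temp\run.vbs"},
    {"pid": 102, "ppid": 101,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy bypass -File C:\Users\u\AppData\Local\Temp\dl.ps1"},
    {"pid": 200, "ppid": 1,  # benign admin job, must not be flagged
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy RemoteSigned -File C:\ops\backup.ps1"},
]

# powershell.exe accepts -ex and -ep as short forms of -ExecutionPolicy.
BYPASS_RE = re.compile(r"-(?:executionpolicy|exec|ex|ep)\s+bypass\b", re.IGNORECASE)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path (works off-Windows too)."""
    return path.rsplit("\\", 1)[-1].rsplit("/", 1)[-1].lower()

def has_bypass_flag(cmdline: str) -> bool:
    """True if the command line turns off the execution-policy check."""
    return BYPASS_RE.search(cmdline) is not None

def ancestor_images(by_pid: dict, pid: int, depth: int = 3) -> list:
    """Walk up the parent chain and return ancestor image names, nearest first."""
    chain, ev = [], by_pid.get(pid)
    while ev is not None and len(chain) < depth:
        ev = by_pid.get(ev["ppid"])
        if ev is not None:
            chain.append(basename(ev["image"]))
    return chain

def detect(events: list) -> list:
    """Findings for powershell.exe started with a bypass flag; 'high' severity when
    the parents show a script host (VBS stage) under cmd.exe (batch stage)."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if basename(e["image"]) != "powershell.exe" or not has_bypass_flag(e["cmdline"]):
            continue
        parents = ancestor_images(by_pid, e["pid"])
        chained = bool(SCRIPT_HOSTS & set(parents)) and "cmd.exe" in parents
        findings.append({"pid": e["pid"], "parents": parents,
                         "severity": "high" if chained else "medium"})
    return findings

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```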

Vawtrak uses a password-protected macro, which makes it more difficult to analyze the malware, researchers noted.

Once it infects a computer, the malware starts stealing valuable information, including email credentials, information from Web browsers, and account data for FTP clients. By using form grabbing, screenshots, and injections, Vawtrak can also steal data from websites such as Twitter, Yahoo, Gmail, Amazon and Facebook.

The malware can also bypass some two-factor authentication mechanisms, researchers said. Another interesting feature found in Vawtrak is the Automatic Transfer System (ATS), which enables cybercriminals to circumvent security measures.

Trend Micro has been monitoring this new attack wave since November 2014. Most of the infections have been spotted in the United States (61%), followed at a distance by Japan (10%), Germany (7%), the UK (4%), Australia, Canada, France, Italy, Belgium, and the Czech Republic.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
