A new wave of the Vawtrak banking Trojan is spreading worldwide. AVG Technologies has warned that Vawtrak gains access to bank accounts visited by the victim and uses the infamous Pony module for stealing a wide range of login credentials.
Over the last few months, AVG has tracked the rapid spread of a banking Trojan known as Vawtrak.
Once it has infected a system, Vawtrak gains access to bank accounts visited by the victim. Furthermore, Vawtrak uses the infamous Pony module for stealing a wide range of login credentials.
Vawtrak uses Zeus-style web injects to trick victims into handing over personal and financial information. The web injection process also enables the attackers to get past security measures such as two-factor authentication.
In the campaign aimed at Canadian bank customers, which Heimdal Security has been monitoring for roughly a month, the malware has been delivered mainly through drive-by attacks.
A total of six command and control (C&C) domains have been identified. Based on their IP addresses, experts have determined that the servers are located in Russia, Ukraine and Germany.
In addition to performing web injects, the Trojan is also capable of stealing passwords, taking screenshots, capturing videos, and logging keystrokes. One interesting feature is the use of the Tor2web proxy, which enables the malware to access servers hosted on Tor without installing additional software that is usually required to access the anonymity network.
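Outbound requests to a Tor2web gateway are a useful network signal for this behaviour, since the malware reaches its Tor-hosted servers through ordinary HTTP. The following Python is an added example, not AVG's or Heimdal's code: it scans constructed proxy log lines for hostnames of the form <onion-name>.<gateway>; the gateway suffix list and the log format are assumptions.

```python
import re
from typing import List, Optional, Tuple

# Public Tor2web gateway suffixes; illustrative list (an assumption), extend from your own intel.
TOR2WEB_GATEWAY_SUFFIXES = ("tor2web.org", "onion.to", "onion.cab", "onion.link")

# A Tor hidden-service name is a single base32 label: 16 chars (v2) or 56 chars (v3).
ONION_LABEL = re.compile(r"^(?:[a-z2-7]{16}|[a-z2-7]{56})$")

# Assumed proxy log format: "<timestamp> <client-ip> <method> <url-or-host>"
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)")


def tor2web_target(host: str) -> Optional[str]:
    """Return the hidden service being reached (as name.onion) if `host` is an
    onion name fronted by a Tor2web gateway, otherwise None."""
    host = host.lower().rstrip(".")
    for suffix in TOR2WEB_GATEWAY_SUFFIXES:
        if host.endswith("." + suffix):
            label = host[: -(len(suffix) + 1)]
            if ONION_LABEL.match(label):
                return label + ".onion"
    return None


def find_tor2web_requests(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Scan log lines and return (client, host, onion) for every Tor2web request."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # unparsable line: skip rather than guess
        # Strip scheme, path and port so only the hostname remains.
        host = re.sub(r"^[a-z]+://", "", m["url"], flags=re.I).split("/", 1)[0].split(":", 1)[0]
        onion = tor2web_target(host)
        if onion:
            hits.append((m["src"], host, onion))
    return hits


# Constructed sample log lines (not real traffic); the third line shows that the
# gateway's own site is not flagged, only onion-name subdomains of it.
SAMPLE_LOG = [
    "1429012345.123 10.0.0.5 GET http://abcdefghijklmnop.tor2web.org/favicon.ico",
    "1429012346.001 10.0.0.5 GET http://www.example.com/index.html",
    "1429012347.540 10.0.0.7 CONNECT www.tor2web.org:443",
    "1429012348.220 10.0.0.9 POST https://" + "pqrs2345" * 7 + ".onion.to/gate.php",
]

if __name__ == "__main__":
    for client, host, onion in find_tor2web_requests(SAMPLE_LOG):
        print(f"{client} reached {onion} via gateway host {host}")
```

Running it against the constructed lines flags the two gateway requests and reports the underlying .onion name, which is the value worth pivoting on in further hunting.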
Kroustek said, “This Vawtrak sample also uses steganography to hide update files inside of favicons so that downloading them does not seem suspicious. Each favicon is only a few kilobytes in size, but it is enough to carry a digitally signed update file hidden inside”.
Based on AVG statistics, the Czech Republic, USA, UK, and Germany are the countries most affected by the Vawtrak campaigns this year.
Features of this Vawtrak?
This Vawtrak sample is remarkable for the high number of functions that it can execute on a victim’s machine. These include:
- Theft of multiple types of passwords used by the user online or stored on the local machine;
- Injection of custom code into web pages displayed to the user (this is mostly related to online banking);
- Surveillance of the user (key logging, taking screenshots, capturing video);
- Creating remote access to the user’s machine (VNC, SOCKS);
- Automatic updating.
While this Vawtrak Trojan is very flexible in functionality, its coding is mostly basic and can be defended against. At AVG, we protect our users from Vawtrak in several ways:
- AVG LinkScanner and Online Shield provide real-time scanning of clicked links and web pages containing malicious code.
- AVG Antivirus provides generic detection of malicious files and regular scans.
- AVG Identity Protection, which uses behaviour-based detection, will detect even the latest versions of such infections.
- AVG Firewall prevents any unsolicited network traffic, such as communication with a C&C server.