Vawtrak/Gozi Banking Trojan Poised to Become Major Threat

Vawtrak, the latest version of the 64-bit compatible Gozi Prinimalka trojan that has been around since the mid-2000s, has always focused on the financial vertical, and until recently, was especially active in Japan. New developments, though, are setting the malware up to be a much greater threat, as it appears to be widening its target surface.

“It is clear that Vawtrak is an imminent threat expanding in complexity,” said Don Jackson, director of threat intelligence at PhishLabs, in an analysis. “Targets are growing outside the financial industry and geographic distribution continues to rise.”

PhishLabs’ Research, Analysis and Intelligence Division (RAID) noted that recent takedowns and disruptions of other major botnets like Spy Eye, Shylock, and Gameover Zeus have positioned Vawtrak to gain popularity in the cybercrime market. Accordingly, recently observed configuration files have extended attacks to social networks, online retailers, analytics firms and game portals; and in terms of geography, criminals are using it to reach victims now in the US, Canada, the UK, Australia, Turkey and Slovakia.

“As one arm of the syndicate [that uses the malware] recently scaled back attacks on targets in Japan, China, Australia, New Zealand and other Far East countries, a core Russian crew ramped up large-scale attacks on US targets beginning approximately three months ago,” Jackson noted. “In July, samples from the Russian crew's new operation were configured to use advanced web injects.”

Newer configurations of the Vawtrak botnet are found to incorporate these advanced web injects as part of the core functionality; they enable the capture of additional personal information for exploitation of the victim’s account, while more advanced data-hiding tactics mitigate the detection of criminal activity. RAID found that as many as 64 targeted organizations' websites (including online ticket-seller StubHub) have been attacked this way.

“Newer configurations are much more sophisticated than flimsy spam scripts running on hacked blogs,” Jackson said. “Our analysts are seeing the Vawtrak lures coming through Cutwail – the world's highest-volume spam-sending botnet, which means the attackers are spending serious real-world money to infect more banking customers.”

Recently, Vawtrak has been utilized in a new spam template injected into the Cutwail spamming botnet which abuses AT&T and DocuSign brands to divert victims to an exploit kit.

“Once exposed to the exploit kit, the threat lifts the credentials of a bank, which are then sent back to the attacker’s data drop,” Jackson explained. “The hacker uses a virtual network computing server to take control of the compromised computer and logs into the bank account via the compromised computer to perform theft.”

In all, Jackson said that Vawtrak must not be ignored: “Custodians of the malware are investing time and resources to improve configurations that will increase stealth and added resistance to detection,” he said. “As targets expand beyond the financial industry and into new geographic regions, organizations and consumers must be prepared for the impending threat.”

What’s Hot on Infosecurity Magazine?