The Vawtrak banking Trojan has resurfaced, with the ability to collect credentials and sensitive information from the clients of hundreds of banking and financial institutions.
The latest version, according to Heimdal Security, is able to capture videos and screenshots, and launch man-in-the-middle attacks.
More than 15 financial institutions in Canada are being targeted in one campaign with a web-injection method similar to that used by the Zeus family of malware; in this case it allows online criminals to circumvent two-factor authentication.
So far, it has enslaved about 15,000 machines in Canada for its botnet.
Vawtrak (aka Neverquest) is delivered through drive-by downloads from compromised websites or by injecting malicious code into legitimate websites (and through malvertising), but it also spreads through phishing campaigns on social media networks and via spam. From there, it starts a MitM attack that allows the attackers to intercept unencrypted web traffic while the victims think they are on a secure connection. The victim believes the credentials are being sent to the legitimate bank, but the malware actually redirects the traffic to a compromised server, using encryption to conceal the transmission.
The command and control center of the attack appears to be located in Russia.
Unfortunately, once it’s in a system, it poses several issues in terms of remediation. “To complicate a potential detection or removal process, the cyber-criminals use the retrieved credentials to log into the banking accounts via virtual network computing, which is a shared desktop system that allows remote control over the victim’s computer,” Heimdal said, in a blog. “Since the connection request to the online banking account comes from the victim’s computer, it is almost impossible for the banking account to notice the online attack that takes place.”
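Because the fraudulent login originates from the victim's own machine, the bank's server-side controls see nothing unusual; the place where this pattern is still visible is the endpoint. The script below is an added example written for this article and is not code from Heimdal, Malwarebytes or the article itself. It parses a constructed, assumed connection-log format (one `key=value` line per connection, with the TLS host name where the sensor records it), flags remote-control sessions on the default RFB/VNC port range, and raises an alert when a browser session to a watched banking host overlaps one of them in time. The log lines, the `WATCHED_HOSTS` list, the port range and the 15-minute window are all assumptions.

```python
"""Endpoint-side correlation of remote-control (VNC) sessions with online-banking
sessions. Added example, not from the article or the vendors it quotes; the log
format, the watched host list and the port range are assumptions."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Assumption: RFB/VNC uses 5900-5910 by default. A reverse connection (the victim
# machine dialling out to the operator) shows the same range on the remote side.
VNC_PORTS = range(5900, 5911)

# Assumption: hosts the organisation wants to watch (placeholder names).
WATCHED_HOSTS = {"bank.example"}

# Assumption: one connection event per line, space-separated key=value fields;
# the "host=" field (TLS SNI) is optional.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) proc=(?P<proc>\S+) local=(?P<lip>[\d.]+):(?P<lport>\d+) "
    r"remote=(?P<rip>[\d.]+):(?P<rport>\d+) dir=(?P<dir>in|out)(?: host=(?P<host>\S+))?$"
)


@dataclass(frozen=True)
class Conn:
    ts: datetime
    proc: str
    lport: int
    rip: str
    rport: int
    direction: str
    host: Optional[str]


def parse_line(line: str) -> Optional[Conn]:
    """Parse one log line; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Conn(
        ts=datetime.fromisoformat(m["ts"]),
        proc=m["proc"],
        lport=int(m["lport"]),
        rip=m["rip"],
        rport=int(m["rport"]),
        direction=m["dir"],
        host=m["host"],
    )


def is_remote_control(c: Conn) -> bool:
    """Inbound on a VNC port, or outbound to a VNC port (reverse connection)."""
    if c.direction == "in":
        return c.lport in VNC_PORTS
    return c.rport in VNC_PORTS


def is_banking_session(c: Conn) -> bool:
    """Outbound TLS session whose recorded host is on the watch list."""
    return c.direction == "out" and c.rport == 443 and c.host in WATCHED_HOSTS


def correlate(lines: List[str], window: timedelta = timedelta(minutes=15)) -> List[Tuple[str, str, str]]:
    """Return (banking-session time, host, remote-control peer IP) for every
    banking session that falls within `window` of a remote-control session."""
    conns = [c for c in map(parse_line, lines) if c is not None]
    remote = [c for c in conns if is_remote_control(c)]
    alerts = []
    for bank in filter(is_banking_session, conns):
        overlapping = [r for r in remote if abs(r.ts - bank.ts) <= window]
        if overlapping:
            alerts.append((bank.ts.isoformat(), bank.host, overlapping[0].rip))
    return alerts


# Constructed sample log: one reverse-VNC connection followed three minutes later by a
# banking session, then a second banking session hours later with no remote control.
SAMPLE_LOG = """\
2015-03-10T13:40:02 proc=firefox.exe local=10.0.0.5:49211 remote=198.51.100.20:443 dir=out host=mail.example
2015-03-10T14:01:55 proc=svchost.exe local=10.0.0.5:49300 remote=203.0.113.9:5900 dir=out
2015-03-10T14:04:11 proc=firefox.exe local=10.0.0.5:49312 remote=198.51.100.7:443 dir=out host=bank.example
2015-03-10T16:30:00 proc=firefox.exe local=10.0.0.5:49500 remote=198.51.100.7:443 dir=out host=bank.example
""".splitlines()

if __name__ == "__main__":
    for ts, host, peer in correlate(SAMPLE_LOG):
        print(f"ALERT {ts}: session to {host} while remote control active from {peer}")
```

Only the 14:04 banking session is reported; the 16:30 one has no remote-control session within the window. The port-based check is the weakest part of the heuristic, since an operator can run the remote-control channel on any port, so in practice the `is_remote_control` predicate should also consider process identity (an unexpected process holding a long-lived interactive connection) rather than port number alone.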
To avoid infection, users should keep operating systems and software up-to-date with the latest security patches, because Vawtrak can be spread through exploit kits. And of course, users shouldn’t click links or download attachments in emails received from unknown sources.
“Vawtrak is one of the most dangerous pieces of financial stealing malware detected lately by our security specialists,” Heimdal said.
Other researchers concur. As Jerome Segura, senior security researcher at Malwarebytes Labs, told us by email, “The Vawtrak banking Trojan is getting more sophisticated over time and is spreading to new countries—a sign that it is one of the top threats to be on the lookout for at the moment.”
He added, “The use of encryption to transmit data coupled with steganography, a means to conceal data, is going to make it more difficult for enterprises to detect malicious activity inside their network. Security at the endpoints and user awareness remain crucial to stop this piece of malware, with particular extra vigilance needed around phishing emails containing booby trapped documents or malicious links.”