SophosLabs: Vawtrak banking malware updated with new targets and innovations

vawtrak-bankA new version of a deceptive banking malware has been responsible for a series of attacks on financial institutions in many countries around the world in the past year, SophosLabs reports in a new research paper.

Vawtrak (also known as NeverQuest and Snifula) has been around for a few years now, yet it continues to thrive as a popular crimeware-as-a-service kit used by a variety of cybercriminal groups.

SophosLabs analysis of what we are simply calling Vawtrak version 2 shows the malware authors have introduced new innovations, while making frequent updates to meet demand and stay ahead of defenses.

SophosLabs has seen Vawtrak version 2 spreading by phony emails claiming to be shipping delivery notices; and Vawtrak being dropped onto computers already infected by the Pony malware.

In the time since our previous research paper on Vawtrak, new banks and countries have been targeted, with several campaigns in countries including the United States, Canada, United Kingdom, Japan, and Israel, with the US being the largest target.

In our earlier analysis of Vawtrak, Germany and Poland were the top-targeted countries, but we did not see significant activity in those countries using version 2.

This change in geographic targets could indicate that Vawtrak’s crimeware customers are no longer interested in those countries, but it’s also possible that SophosLabs did not see configuration files for those missing countries due to server-side checks such as a Geo IP lookup of the victim IP address.

Innovations in Vawtrak version 2

The developers of Vawtrak have invested significant efforts to improve the malware in version 2, complicate defenses, and frustrate security researchers.

According to SophosLabs, Vawtrak version 2 includes some updates that break existing tools used to analyze the malware:

“These changes involve increased levels of obfuscation and changes to the encryption used. … [T]he motivation for the change would appear to be an attempt to temporarily break existing tools that may implement the algorithms used by previous Vawtrak samples.”

SophosLabs also discovered that the Vawtrak authors made version 2 leaner with a smaller footprint for the initial payload used for infection. This leaner version of Vawtrak could allow the authors to introduce advanced features to be added and deployed as modules to select victims, according to SophosLabs.

For a more technical analysis of Vawtrak version 2 and additional research insights into this persistent threat, download the SophosLabs research paper.

About SophosLabs

SophosLabs is the global network of threat centers staffed by Sophos researchers and analysts.

You can find our industry-leading research and technical papers, expert opinion, and security advice at Naked Security and right here on the Sophos Blog.

Sign up for our Sophos Blog newsletter, follow us on your favorite social media networks, chat with us in our forums, download our informative podcasts, or sign up for our RSS feeds.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s