SophosLabs security experts have recently discovered Vawtrak v2 in a series of attacks targeting banks in countries where the trojan was not active before.
According to Symantec, Vawtrak, also known as Snifula or NeverQuest, is considered one of the most popular banking trojans today. Vawtrak is offered as a rentable service on the Dark Web in the form of a Malware-as-a-Service offering, and many criminal gangs rent the trojan and distribute it via methods of their own.
Last week, SophosLabs released a report revealing a new campaign that uses spam emails claiming to be shipping notifications. These emails carried booby-trapped Word documents that asked the user to enable macros.
Once activated, the Word macro triggers a chain of automated scripts that download and install the Pony infostealer. The attackers use this malware for local reconnaissance, and if they find data worth stealing, they immediately deliver the Vawtrak v2 trojan. According to security researchers, Vawtrak v2 adds support for new targets compared to v1.
Vawtrak v1 is known to have gone after banks in Germany, Poland, Japan, the US, Saudi Arabia, UAE, Malaysia, Portugal, Spain, and the UK. In v2, the creators of Vawtrak added support for Canada, Israel, Romania, the Czech Republic, and the Republic of Ireland. Vawtrak v2 also added new targets in previously supported countries such as the UK, the US, and Japan.
Nevertheless, SophosLabs did not consider these new WebInject modules the most important change in Vawtrak v2. According to the security company, the trojan is now much smaller on disk and has a modular architecture that lets criminals push new modules to each infected machine, expanding its feature set.
Vawtrak v2 has also been hardened against the reverse engineering typically carried out by infosec researchers. The SophosLabs experts say that v2 broke many of the tools used to analyze malware.
Increased levels of obfuscation and the latest changes to the trojan’s encryption have greatly delayed the analysis of Vawtrak v2.
“The new version of Vawtrak shows that the botnet is very much alive, with active developers and a thriving customer base,” SophosLabs stated. “The pace with which new build versions are introduced shows that product releases are happening frequently.”
In addition, the security firm says that Vawtrak’s operators are constantly adding new C&C servers to their infrastructure, which suggests they are running a prosperous business.