Cybercriminals spreading new versions of the Vawtrak banking Trojan are the latest ones to use the once again popular macro-based attack.
Popular in the early 2000s, this type of attack was abandoned in the following decade, but resurfaced once again last year, preying on newer generations of computer users who haven’t witnessed it the first time.
According to Trend Micro researchers, this latest Vawtrak spreading campaign comes in the form of fake FedEx and American Airlines emails that urge recipients to download the attached Microsoft Word file that supposedly contains details about a failed delivery or an airline ticket.
Those who do are faced with a document full of jumbled symbols, and are urged to enable macros in order to view the document properly.
“Once the macro is enabled, a batch file is dropped into the affected system, along with a .VBS file and a PowerShell script. The batch file is programmed to run the .VBS file, which is then prompted to run the PowerShell file. The PowerShell file finally downloads the Vawtrak variant, detected as BKDR_VAWTRAK.DOKR,” the researchers explained.
Vawtrak is after login credentials stored by email software, browsers, FTP clients and file manager software, as well as credentials for popular online accounts (Amazon, Facebook, Twitter, etc.).
It can bypass two-factor authentication like one-time password (OTP) tokens and, depending on the configuration file it receives, it is also capable of bypassing SSL and simulating Automatic Transfer System (ATS) transactions.
“Vawtrak has gone through some notable improvements since it was first spotted in August 2013 as an attachment to fake shipping notification emails,” the researchers noted. “Coupled with the continuous use and abuse of malicious macros and Windows PowerShell, cybercriminals have come up with the ideal tool for carrying out their data theft routines.”
Another interesting thing about this latest variant is that it uses a password-protected macro, which makes it more difficult for malware researchers to analyze it.