Vawtrak banking Trojan shifts to new targets

The Vawtrak banking Trojan (aka Snifula) is slowly but surely becoming a serious threat. Version 2 of the malware can target even more users, and it has gained a modular architecture and better obfuscation.

“Several of the updates included in Vawtrak version 2 center around complicating the analysis process and breaking existing tools used to decode interesting data used by the malware,” Sophos researchers have found.

“Many strings inside the binary that were previously discernible as plain text are now encrypted. The strings that are now encrypted are decrypted dynamically as they are needed. This is a common technique used by a wide variety of malware that is intended to hinder analysis.”

The new modular architecture allows for future features to be added and deployed easily, although for now the modules in use are pretty standard. The malware can steal certificates and browsing history and cookies from Firefox and Chrome, push web injects into browser processes, etc.

Data to and from the C&C server is still delivered over HTTP, but the data structures and the encoding scheme have been changed. As in the previous version, the malware can retrieve fallback C&C server addresses through Tor2web, but that functionality is currently not in use.

“Modules and updates are all signed, as they were in version 1. They are verified using a public key embedded in the binary. An interesting fact is that this public key was the same for all version 1 samples, indicating that one entity is signing all of these files,” the researchers noted.

A new public key is used to sign all version 2 samples but, again, it’s always the same one, leading the researchers to believe that one entity maintains overall control of the Vawtrak botnet.

Vawtrak 2 targets customers of banks and financial companies in the US, the UK, Ireland, the Czech Republic, Canada, Japan, Romania and Israel. The previous version concentrated on US and UK targets, but also on those in Germany, Poland, Portugal, Spain, Saudi Arabia and the UAE.

Apart from financial institutions, the malware can also inject code into the websites of some online retail companies, telecoms and social media companies.

Vawtrak is usually delivered via email – fake USPS notifications seem to be the preferred option. The attached Word document asks the victims to enable Office macros, which allows for the download of the Pony malware family. Pony acts as a reconnaissance tool that also steals saved credentials from browsers, email and FTP clients, and finally downloads Vawtrak.

“The pace with which new build versions are introduced shows that product releases are happening frequently. New command and control addresses are being observed on a regular basis which shows the botnet administrators have no problems acquiring new infrastructure. We have observed new banks in new geographic regions introduced as targets for web page code injection which indicates that new customers have been brought onboard,” the researchers pointed out. It all indicates that the botnet is thriving.