The Vawtrak Trojan reemerges tougher and sneakier

The Vawtrak bug is back and meaner than ever, say Proofpoint researchers

This new model is even better at stealing your info

A once-dormant banking trojan has reared its ugly head once again, according to a new report. Researchers at Proofpoint, a cyber-security company, claim that the Vawtrak banking trojan has come back, with significant improvements, to fill the space left by the Dridex trojan.

Vawtrak steals important information which is then used to gain access to your accounts through online portals. The trojan clandestinely injects itself into browsers and targets certain web-pages, such as online banking portals or Amazon payment forms. 

When the targeted pages are visited, it modifies them to coax the user into giving up their information, but it can also modify those pages to bypass two-factor authentication, infect the victim with more malware, or start transferring cash out of the unwitting victim's account and then cover up the evidence.

Even though the connection seems protected by HTTPS encryption, Vawtrak straddles the connection between the bank and the user, making it virtually undetectable.

Kevin Epstein, VP of advanced security and governance at Proofpoint, spoke to SCMagazineUK.com and offered an analogy as to what exactly Vawtrak does. “Imagine you dial the bank on your telephone. Unbeknownst to you, your phone is routed to an attacker instead of your bank. The attacker then dials your bank on a different line. Everything the bank says, the attacker repeats to you – and everything you say, the attacker says to the bank.”

Epstein added, “So you believe you're talking to the bank, and correctly authenticate yourself... but when you hang up, the attacker stays on the line pretending to be you, and transferring your cash to somewhere else.”

Vawtrak is often considered a low-rent kind of trojan, not quite as capable as some of the others that you can buy through online malware vendors. 

Drew Perry, chief cyber-analyst at Ascot Barclay, thinks that its re-emergence might change that. Perry told SC that “Vawtrak historically is a less sophisticated choice and lower cost choice for those in the market for malware”. But with this improved model, we “may be witnessing a renewed effort to contend with the first tier options”.

Those new features are a cause for concern. They include increased stealthiness via its revised command-and-control communication which further prevents defenders from detecting evidence of the trojan's attack. The new Vawtrak trojan also boasts new methods for data encoding and generates different HTTP traffic to escape with its stolen data.

But who is this new, meaner, sneakier Vawtrak trojan targeting? Kevin Epstein told SC that “Attackers appear to be targeting individuals, largely businesspeople, based on the types of lures.” 

These lures, as Proofpoint has shown in its researchers' report, come in a variety of forms. Attachment-based phishing remains an often-used method of delivery, wherein the unwitting victim is enticed to download an email attachment and unsuspectingly infects themselves. Those infected files can come attached to believable-looking emails, claiming to contain price lists, invoices, fax messages and even subpoenas.

A release from Proofpoint recommends that organisations, individuals and companies “should re-examine existing legacy security layers and consider deploying modern SaaS-based security measures to be able to keep up with attackers' innovation cycles and thwart these ongoing threats”.

For Perry, this is in some ways dangerous, in others benign. “For the average consumer”, he says, “this doesn't change the situation much, as an adversary will always find a way in via the weakest link. In this case being an unpatched browser or plugin.” Perry added that “Vendors need a stricter stance on allowing out of date code to run.”

As it infects machines, Vawtrak adds to its ever-expanding botnet that harvests users' log-in info and delivers it back to the attacker. According to a 2014 Sophos report, the botnet that Vawtrak has built up is being used on the ever-more popular Crimeware as a Service (CaaS) business model, “where the output of the botnet can be adjusted on demand, with financial data effectively being stolen to order”.

The Proofpoint report concludes that this new occurrence of the Vawtrak trojan fills a hole in the market which Dridex's disappearance left wide open: “The authors of Vawtrak may be making a bid for market share.” 

The authors add that “this latest offering is a sophisticated improvement and could better position them to fill the void left by Dridex and become the new leading tool in the banking trojan arena”.