Vawtrak malware updated to break tools used by researchers

A new version of banking malware includes updates to the Vawtrak trojan that break tools typically used by security researchers to analyse the malware, according to a report. The malware continues to be actively developed, John Shier, senior security advisor at Sophos, told SCMagazine.com.

A new version of the banking malware, referred to by researchers at SophosLabs as ‘Vawtrak version 2’, contains added “features” targeting new victims and geographies. “There is an active set of developers that has been acquiring new customers on a regular basis,” Shier said. “There are new command and control servers being added regularly.”

The malware used to have one monolithic binary that contained the entire payload, whereas the newest version is split into separate modules, he said. “This may point to the ability to build particular custom modules for customers,” Shier noted. “It makes it easier to deliver the payload.”

The Vawtrak malware is likely not related to any of the malicious programmes that enabled attacks against SWIFT member banks. The malware used in the SWIFT cyber-attacks, he said, would require “more specialisation and knowledge of esoteric systems,” such as the mechanisms of SWIFT and banking protocol functionality.

An earlier report by Sophos, in 2014, found that Vawtrak was used to target financial institutions in the US, Canada, United Kingdom, Japan, and Israel, with the US being the largest target. The earlier report was published after DDoS attacks by Iranian hackers that knocked banking systems offline. Shier said there was no “smoking gun indicator” that the malware was related to the Iranian attacks. “The authorship of this still remains rather cloaked,” he noted.