Banking Trojan 'Vawtrak' spotted in the wild

News by John Walker

Banking Trojan 'Vawtrak' has been spotted in the wild, and it's 'much improved' compared to a year ago.

In 2014 TrendLabs discovered cyber-criminals employing the Windows PowerShell command shell to deploy the Rovnix agent via malicious macro downloaders – a practice which in 2015 has morphed into a brand new threat in the form of the new banking malware agent labelled ‘Vawtrak which is now in the wild, and in use leveraging macros in Microsoft Word to spread this new banking malware.

The Vawtrak agent was first seen by Trend Micro in June 2014 when the firm noticed this new malicious code abusing a Windows feature called Software Restriction Policies (SRP), preventing the infected system from running a total of 53 security and anti-virus programs, including Trend Micro, ESET, AVG Symantec, Microsoft, Intel and a variety of others, with the prime intention of disarming the localised security defences. In fact in the case of the earlier variant of the Rovnix agent, in 2014 that particular malicious circulation accounted for an estimated 130,000 infections of UK Windows computers, going on to also target Germany, Switzerland, Italy, Iran, Japan, and the US impacting financial institutions including Bank of America, Barclays, Citibank, HSBC, Lloyd's Bank, and JP Morgan.

One example of the malware delivery process for Vawtrak commences with a phishing email arriving, notifying the recipient that a package was delivered to them which is related to the receipt number contained in the malicious attachment. However, it is essential that the end-users and business do not get over focused and expectant on what the malicious delivery will resemble, as of course there are many other adverse mechanisms in play to create the opportunity to compromise a local asset. 

For instance, has seen recent samples of other abusive payloads arriving in word documents as attachments with the title of ‘invoice' - again creating the use of system-based social engineering to entice the unwary user to open the attachment, and to run malware to infect their computer.

Martin Heavens, of Optimise Direct, told “In the last 12 months I have seen an increase with the number of companies suffering infection and corruption by malware – in some case being the direct result of poor inventory processes which have left assets unprotected by anti-virus programs. I am also hearing many in the software licensing world comment that, some of their clients feel that anti-virus protection has passed its sell-by date, but there are none who are brave enough to not renew their anti-virus licences” 

Phil Smith, digital champion for the North West Cyber Security Magazine, told SC: “In the academic arena, and as part of our research we still see the implication of the computer virus/malware as one of the biggest threats faced by end users and businesses. Increasingly, criminals are using visible attacks from ransomware to disguise their underlying motives and data theft. They are also using these visible attacks to time incident response times of businesses so they can identify their window of opportunity for a new attack.”

“We are again seeing the successful criminal use of advanced malware being spread via a mix of malicious craftwork by the creators, the leverage of localised system capabilities and functionality – in this case PowerShell, conjoined with the ever increasing use of socially engineering the end user to take part in the lifecycle of infection. 

"The ultimate bottom line is however, no matter Rovnik, Vawtrak, or any other such malware agent in circulation, whilst we may be talking about anti-virus being dead, right now it is still an essential application to keep updated on our computer."

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews