Double whammy as UK users hit by banking and ransomware

News by Tim Ring

The new TorrentLocker ransomware and long-established Vawtrak/Neverquest banking malware have both started targeting UK users.

TorrentLocker, which first surfaced in Australia three weeks ago, has now turned its sights on the UK, says security firm ESET, infecting and encrypting computers via a fake Royal Mail package-tracking phishing email, then demanding a bitcoin ransom of £350 if paid within 24 hours or £700 otherwise to unlock them.

ESET malware researcher Marc-Etienne M.Léveillé said in a 4 September blog that TorrentLocker's web server is hosted and hidden on the Tor network, adding: “To make it easy for victims to access the web page, TorrentLocker is giving links to Tor2Web nodes so they don't have to install additional software to reach the website.”

ESET reports that since March, one bitcoin wallet associated with TorrentLocker has transferred more than 82,000 bitcoins - valued at a staggering £24.5 million.

The company explains: “This wallet has been associated with other scams in the past, including wallet stealing and selling fake mining hardware. We do not know if this account is owned by the TorrentLocker gang or it is some kind of exchange service used by different groups.”

M.Léveillé said via email: “The TorrentLocker campaign started at the beginning of August, but this particular wallet has been active since March, so it is definitely not only money paid by the TorrentLocker victims.”

He added that while ESET believes TorrentLocker attacks are currently limited to the UK and Australia, “the malicious actors are likely to target new countries to expand their potential victims. Whatever postal service you use, getting tracking information of a package should not require downloading or opening any files. Information should be right there in your internet browser. Also, if you don't expect a package, you shouldn't click on links that appear to be from a postal service.”

TorrentLocker, which deliberately mimics more feared ransomware brands like CryptoLocker and CryptoWall, was first revealed by US cyber threat intelligence firm iSIGHT Partners in mid-August.


Meanwhile, security firm PhishLabs reports that the Vawtrak banking Trojan, which has been around since the mid-2000s, has recently moved from attacking mainly financial institutions in Japan to targets in the UK, US, Canada, Australia, Turkey and Slovakia.

The new attacks, which began three months ago, have also broadened out to hit industries like social networks, online retailers, analytics firms and game portals.

The malware has also been beefed up so that the criminals can capture more personal information on the victim.

PhishLabs director of threat intelligence, Don Jackson, said in a 3 September blog: “It is clear that Vawtrak is an imminent threat expanding in complexity. Targets are growing outside the financial industry and geographic distribution continues to rise.”

Jackson estimates the total current number of Vawtrak infections at 100,000 to 300,000.

The newest configuration of the malware (also known as Neverquest or Gozi), which was pushed to bots on 28 August, has advanced webinject capabilities that enable it to modify data in web traffic, even if it has been secured with encryption.

Jackson said: “Vawtrak uses this ability to steal login credentials, automate fraudulent transactions inside online banking sessions, and inject additional form fields into legitimate web pages to gather additional data such as social security numbers or PINs, for use in banking fraud and identity theft.”

Vawtrak is believed to have been used to breach eBay's StubHub events ticket marketplace, which resulted in the loss of around £1 million and seven arrests in the US, London, Spain and Canada in July.

In his blog, Jackson said two criminals in Russia, believed to be ‘vorVzakone’ and his partner, are still at large and added: “The explicit StubHub attack instructions are still in the latest configuration.”

Jackson said: “Overall, the Vawtrak operation seems unaffected by the arrests and continues at the same frenetic pace since its June 2014 re-emergence.

“In fact, with the void left by the demise of other botnets like Spy Eye, Shylock and Gameover Zeus, it's possible that the Vawtrak crew is poised to either scale up operations, or begin offering Vawtrak as crimeware-as-a-service (CaaS).”

He concluded: “Vawtrak must not be ignored. Custodians of the malware are investing time and resources to improve configurations that will increase stealth and added resistance to detection. As targets expand beyond the financial industry and into new geographic regions, organisations and consumers must be prepared for the impending threat.”

Commenting on the spread of Vawtrak/Neverquest, Lamar Bailey, director of security R&D at Tripwire, said via email: “Malware never dies, it just evolves to elude the current detection algorithms.

“Neverquest has evolved yet again and infections are on the rise, meaning banking accounts are draining. The malware infects a computer/laptop and monitors web traffic looking for financial sites, then kicks into high gear stealing credentials and money.

“Another part of the malware can even infect mobile phones so that it can intercept SMS messages from financial institutions to approve money transfers.”
