Fake DocuSign Notification Leads to VAWTRAK

 Analysis by: Michael Angelo Casayuran

We recently came across mail samples that appear to be a DocuSign Notification from AT&T. It informs recipients to download and sign a supposedly document via the provided link in the email message. Once unsuspecting users click the URL, they will be redirected to a bogus website specifically crafted to look like a legitimate docusign portal. The fake website shows that the file that will be downloaded has a .PDF extension. In actual, the downloaded file is a .ZIP file, which contains an executable file detected as BKDR_VAWTRAK.YAB.

When executed, BKDR_VAWTRAK.YAB executes several commands on the infected system thus compromising its security. In addition, it also steals stored account information used in certain installed File Transfer Protocol (FTP) clients or file manager software. Based on our investigation, majority of the affected users are from the United States.

Users are advised to be wary in opening email messages even if it supposedly came from a known source. It is also advisable to install a security solution that can detect the spammed email message and malware.

 SPAM BLOCKING DATE / TIME: August 29, 2014 GMT-8
  • PATTERN:0914