Tracking VAWTRAK's Evolution

Written by: Ryan Angelo Certeza

VAWTRAK is a family of online banking malware. It was first spotted in August 2013 as an information stealer. It arrived as a ZIP file attachment in a socially engineered spam mail disguised as package delivery notifications. It stole stored information from FTP clients, as well as log-in credentials. In November 2013, reports of an online banking Trojan made rounds in the industry because of its capacity to spread at a rapid pace in a short span of time. In May 2014, VAWTRAK was seen targeting online banking users in Japan.


Fast forward to 2015, we saw two resurgences of VAWTRAK: The first was seen in February 2015 and the second was in March 2015 with which two variants spawned from each evolution. This Web attack report will focus on these two.

What are the organizations being targeted by the new variants of VAWTRAK?

The May 2014 resurgence of VAWTRAK targeted financial institutions in Japan. In 2015, the latest iterations of VAWTRAK pursued the following targets:
  • Banks and financial institutions in the U.S. (February)
  • Banks, financial institutions, and credit unions in Canada (March)
In the analysis of VAWTRAK’s current infection count from January to March 2015, we find that the top countries affected are the U.S., Japan, and Germany.

How did these new variants of VAWTRAK arrive onto users systems?

These new variants, i.e., the ones seen in February (BKDR_VAWTRAK.LNY/BKDR_VAWTRAK.DOKR) and March (BKDR_VAWTRAK.YXG/BKDR_VAWTRAK.VTJ), both arrived onto users’ systems through spammed mails that use shipping notifications and airline ticket transaction emails as bait. The difference is that the February variants arrive as a final downloaded payload of a macro malware attachment, while the March variants arrive through a link embedded in the spammed mail that points to a zipped file in a compromised site.

The February variants can also find their way onto user’s systems through malvertisements hosted on legitimate sites and compromised websites.

What makes these new variants notable?

The February variants of VAWTRAK are notable due to their abuse of macros and Windows PowerShell, as well as their capacity to steal social media log-in credentials. The abuse of these features signify that cybercriminals are looking to enhance their malicious creations’ ability to slip past security solutions; PowerShell is a scripting tool not commonly used by cybercriminals (and thus may slip past IT administrators’ radar). Macros, meanwhile, allow the malicious code “locked away” via a password, which impedes cybersecurity efforts.
The March variants, on the other hand, are to take note of because of their new repertoire of evasion techniques:
  • The configuration files are downloaded from various C&C servers. These downloaded as encrypted icons. When decrypted, these contain the C&C information. This is done to bypass network appliances that may detect the traffic as malicious.
  • The callback communication of the variant to its C&C server is encrypted, through the use of Tor2web URLs to access the C&C server itself. This allows the variant to connect and use the Tor network without having to install the required browser.
These new tricks, combined with the information theft routines inherent in every VAWTRAK strain, continue to make this malware family a considerable threat in securing a system.

What is the impact of VAWTRAK to users and organizations?

VAWTRAK infection can cause monetary losses to both users and organizations due to its information-stealing capabilities. Organizations have much more to lose because the information-stealing techniques of VAWTRAK can also capture critical customer data and company secrets.

Are Trend Micro users protected from this threat?

Yes. Through the Trend Micro™ Smart Protection Network™ with its three-fold correlation engines, VAWTRAK, together with all its variants, components, and related spam/elements, is blocked from systems with Trend Micro solutions installed.

What can users do to prevent these threats from affecting their computers? What should they do if they suspect infection?

Users can protect themselves by adhering to the following best practices:
  • Delete any suspicious-looking emails you receive, especially if they sport links and/or attachments. Don’t even open them. Just delete them.
  • Bookmark online websites that you frequently log into, such as social media, online shopping, and online banking sites). This is to avoid going to phishing websites through typographical errors in the URL.
  • Install a security solution that also covers email in its protective scope. This should remove the chance of you accidentally opening malicious email/malicious attachments in the first place.
  • If you suspect VAWTRAK infection, immediately change your online banking account passwords using a different, and hopefully uninfected, system. Immediately call your bank so they can be on the lookout for any fraudulent transactions related to your account taking place. Do the same for any account that you may have accessed using your infected system.