Written by: Danielle Anne Veluz

VAWTRAK first made the rounds via attachments to fake shipping notification emails in August 2013. The attachment was a ZIP file containing a malicious file, detected as BKDR_VAWTRAK.A, which was initially known for stealing information from FTP and email clients. This 2013 variant stole credentials from several Windows email clients; more recent VAWTRAK variants, however, have expanded their capabilities to a wider range of theft, including banking Trojan routines such as stealing banking credentials and credit card information.

What is the VAWTRAK malware family?

VAWTRAK is a family of online banking malware. It was originally spotted in August 2013 for its information theft routines but more recent variants are known to steal banking credentials, more prominently in Japan.

Why is VAWTRAK noteworthy?

VAWTRAK is noteworthy because its routines have vastly "improved" from simple information theft to stealing banking data from certain banking institutions in Japan. VAWTRAK is also notable because its routines make malware cleanup difficult. VAWTRAK prevents users from running files related to antivirus software by adding specific registry entries to infected systems. It checks for various security software (including Trend Micro products) and downgrades the software's privileges to render the antivirus capabilities ineffective.

Despite these routines, VAWTRAK's behavior is not particularly innovative. Its FTP credential theft is similar to that of the FAREIT malware. VAWTRAK is also similar to ZBOT in that it has a configuration file containing web injection code and a list of sites it monitors. Another major reason VAWTRAK is notable is that it managed to target four major banks and five credit card companies based in Japan. These sites then lead to the Angler Exploit Kit, which serves users various Flash and Java exploits used to install VAWTRAK on their systems.

How widespread are VAWTRAK variants in Japan?

Data from the Trend Micro™ Smart Protection Network™ in the pie chart above shows that most VAWTRAK infections are found in Japan; the United States and Germany trail far behind. The increase in banking malware targeting banks in Japan can be attributed to the rise of information-stealing malware such as TSPY_AIBATOOK, which has gained capabilities that allow it to steal banking credentials.

What are the notable VAWTRAK variants?

Some of the more notable VAWTRAK variants include BKDR_VAWTRAK.PHY, BKDR_VAWTRAK.SM, and BKDR_VAWTRAK.SMN. A common routine for these variants involves checking for the presence of certain security-related directories in the Program Files and Application Data folders. The security products checked for include the following:

  • a-squared Anti-Malware (now Emsisoft Anti-Malware)
  • a-squared HiJackFree (now Emsisoft Anti-Malware)
  • Agnitum
  • Alwil Software
  • AnVir Task Manager
  • ArcaBit
  • AVAST Software
  • AVG
  • Avira
  • BitDefender
  • BlockPost
  • Doctor Web
  • DefenseWall
  • ESET
  • f-secure
  • FRISK Software
  • G DATA
  • K7 Computing
  • Kaspersky Lab
  • Lavasoft
  • Malwarebytes
  • McAfee
  • Microsoft Security Essentials
  • Norton AntiVirus
  • Online Solutions
  • pTools
  • Panda Security
  • Positive Technologies
  • Sandboxie
  • Security Task Manager
  • Spyware Terminator
  • Sunbelt Software
  • Trend Micro
  • UAenter
  • Vba32
  • Xore
  • Zillya Antivirus

Once VAWTRAK finds any of the above-mentioned security software installed, it creates the following registry entries (a Software Restriction Policy path rule under the Disallowed level, 0) to force the antivirus installation to run under restricted user privileges:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{generated GUID for the AV software}
    ItemData = "{AV software path}"
    SaferFlags = "0"
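The following audit script is an added example and not part of the original article: it enumerates the Software Restriction Policy path rules at the Disallowed level (the CodeIdentifiers\0\Paths key shown above) and flags any rule whose ItemData points at a security product directory. The vendor name list is an assumed subset of the directories named above, used only for matching.

```powershell
# Added audit script (not from the article): list Disallowed-level SRP path
# rules and flag those that target security software directories, the
# pattern VAWTRAK uses to block antivirus processes. Run from an elevated
# PowerShell prompt on the host being examined.

$SaferPaths = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths'

# Assumed subset of the vendor directories the article lists; extend as needed.
$VendorHints = @('Trend Micro', 'Kaspersky Lab', 'ESET', 'Avira', 'AVG', 'McAfee',
                 'Malwarebytes', 'Microsoft Security Essentials', 'Norton AntiVirus',
                 'BitDefender', 'Sandboxie', 'Emsisoft', 'Panda Security', 'G DATA')

function Get-SuspiciousSaferRule {
    if (-not (Test-Path -Path $SaferPaths)) {
        Write-Output 'No Disallowed-level path rules present.'
        return
    }
    foreach ($rule in Get-ChildItem -Path $SaferPaths) {
        $props  = Get-ItemProperty -Path $rule.PSPath
        # ItemData may contain environment variables; expand so matching works.
        $target = [Environment]::ExpandEnvironmentVariables([string]$props.ItemData)
        $hit    = $VendorHints | Where-Object { $target -like "*$_*" }

        [PSCustomObject]@{
            RuleGuid    = $rule.PSChildName
            Path        = $target
            SaferFlags  = $props.SaferFlags      # the article shows VAWTRAK writing 0
            VendorMatch = ($hit -join ', ')
            # A Disallowed rule covering a vendor or Program Files path warrants review.
            Suspicious  = ([bool]$hit) -or ($target -like '*\Program Files*')
        }
    }
}

Get-SuspiciousSaferRule | Format-Table -AutoSize
```

Rules confirmed to be malicious can be removed with Remove-Item on the rule's PSPath once the finding has been recorded; affected antivirus processes will run normally again after the policy refreshes.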

What are its main routines?

VAWTRAK’s main routines include backdoor commands, such as keylogging and capturing screenshots. It also steals FTP credentials and stored email credentials, as well as data from Internet browsers. VAWTRAK also tracks data that contains banking and credit card information.

How will I know if my system is infected?

Users will know that their systems are infected if a {random filename}.dat file exists in the {All Users Profile}\Application Data or ProgramData folder. This .DAT file is actually a .DLL file that is referenced by an autorun registry entry.

Another symptom of VAWTRAK infection is users' inability to run antivirus-related processes. VAWTRAK adds policy-related registry entries that prevent users from running files located under antivirus-related folders.

What does a typical VAWTRAK infection chain look like?

Below is a sample infection chain that shows how VAWTRAK arrives on a system via a Java.exe file that originates from a malicious or compromised site. The .DAT file is actually a .DLL and is the final payload, i.e., the VAWTRAK malware itself.

VAWTRAK system arrival via java.exe

Here is another sample infection chain that shows how VAWTRAK arrives on a system, this time using a Flash.ocx file that leads to the final payload, a .DAT file that is actually a .DLL (VAWTRAK).

VAWTRAK system arrival via Flash11e.ocx

How do I protect myself from VAWTRAK?

Users are advised to disable or uninstall browser plugins such as Java, Adobe Flash, and Adobe Reader if they are not needed. Since the attacks illustrated in the infection chains above rely on exploits for specific software, it is always best to minimize the risk of infection by applying software patches and keeping systems up-to-date. Cybercriminals can exploit vulnerabilities and system bugs for as long as such holes are left unpatched.

Lastly, users must be sure to only visit legitimate banking websites to lessen the risk of clicking fraudulent links embedded in emails or spammed messages.

Does Trend Micro protect users from this threat?

Yes. Trend Micro products detect and delete VAWTRAK variants via the Smart Protection Network's file reputation services. Web reputation services block access to the domains that VAWTRAK variants connect to.

FROM THE FIELD: EXPERT INSIGHTS

"We may continue to see VAWTRAK in the wild since its newer, specialized routines may lead to complicated cleanup solutions. There are definitely clear signs of VAWTRAK further advancing and improving. Newer variants now have features such as having a configuration file that contains the banking and credit card institutions which it monitors. The older arrival vectors were just spammed messages, but now VAWTRAK is seen to arrive via Java exploits." –Jimelle Monteser, threat response engineer

"The VAWTRAK threat is ultimately a threat toward all people who utilize online banking. Since online banking has gone mainstream for a large percentage of users, ranging from home users to enterprises, VAWTRAK poses a grave threat to all." –Rhena Inocencio, threat response engineer