Vawtrak's back: Multilayered banking Trojan reemerges

Heimdal Security researchers have found new cases of the nesting-doll financial malware, while Fortinet researchers peel back the layers to reveal its surprising intricacies.

The notorious banking Trojan Vawtrak has reemerged to target financial services companies with the multilayered...

complexity of a matryoshka doll, threatening enterprises with a variety of sophisticated tactics.

Denmark-based cybersecurity firm Heimdal Security discovered the recent spate of drive-by attacks in 15 financial institutions in Canada affecting more than 15,000 machines; Heimdal said the most recent version of Vawtrak was able to capture video and screenshots and used man-in-the-middle attacks to capture unencrypted traffic.

Because of its interdependencies and complexity, Fortinet Inc. researcher Raul Alvarez compared the Zeus-like banking Trojan's layered executables to a Russian nesting doll.

"Each 'doll' (executable binary) has its own set of algorithms and functions that leads to the unwrapping of the next one," Alvarez wrote in a blog post on Virus Bulletin. "Every binary (except for the last one) has an important role to perform in generating the next one."

The first executable binary (the outer doll) generates the second executable binary from its overlay section, according to Alvarez, and the second executable binary (the second doll) decompresses a big chunk of data to generate the third executable binary. The third executable binary (the third doll) uses its resource section to generate the final executable binary (the innermost doll).

"Layers one, two and three are like wrappers," Alvarez said. "They wrap the fourth layer [which] can be any other malware."

Alvarez explained that it is even possible to use another Vawtrak as the fourth layer. This layering can theoretically go on indefinitely, creating a sort of infinitely regressing turducken of financial malware.

Vawtrak has also been referred to by AVG Technologies Analyst Jakub Křoustek as a Swiss Army knife for its operators, due to the Trojan's wide range of features.

According to Křoustek's AVG white paper, Vawtrak supports the theft of multiple types of Internet-based or locally stored credentials; injection of custom code in user-displayed Web pages (for online banking); surveillance of the user (key logging, taking screenshots, capturing video); creating a remote access to a user's machine (VNC, SOCKS); and automatic updating.

Vawtrak first became prominent in Japan; after some downtime, it took hold in the U.S., Germany, the Czech Republic, the UK and Canada. Heimdel Security also reported that the command-and-control center of the attacks appears to be located in Russia. Vawtrak is delivered via download of favicon, a tiny jpeg image containing the virus.

"Vawtrak uses steganography to hide those update lists inside the favicons on the update servers," Křoustek wrote. "Therefore, the download does not seem suspicious at first sight. The size of each favicon is approximately 4 KB, but it is enough to carry an update file hidden in its least-significant bits."

Vawtrak is the latest example of complex botnets and sophisticated malware targeting financial institutions. The recent crackdown on well-known financial Trojans has inadvertently left the window open for innovative new financial malware like Vawtrak to spread, according to researchers at PhishLabs.

Next Steps

Find out how banking malware Carbanak cost nearly $1 billion in losses

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchSecurity

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchConsumerization

SearchEnterpriseDesktop

ComputerWeekly

Close