Analysis of the malware by James Wyke, Senior Threat Researcher with SophosLabs UK, indicates that the people behind Vawtrak are targeting banks and other companies in a very methodical way in a number of countries, including some that aren’t commonly targeted by banking malware.
In his fascinating new research paper on the subject, Vawtrak – International Crimeware-as-a-Service, James enlightens us about the mechanics of this cybercriminal enterprise, and the steps taken by this crafty and deceptive malware as it steals account details and transaction tokens directly from victims when they visit the websites of their financial institutions.
Vawtrak has followed the success of previous financial bot malware like Zeus and Gameover to become one of the most popular crime kits around. Vawtrak’s owners are operating a highly successful business, running specific campaigns and adding new targets as demand requires.
Vawtrak was the second most popular malware distributed by web-based exploit kits (i.e., by malicious drive-by downloads) during September to November 2014, according to SophosLabs telemetry. It represented 11% of all malware SophosLabs saw distributed in this way during that time period.
Beyond its technical breakdown of the malware’s functions, James’s research paper is a must-read for anyone who wants to understand how modern financial cybercrime works and how it has become such a big threat. Download the full report here: Vawtrak – International Crimeware-as-a-Service.
Protection against Vawtrak
Vawtrak is an example of how dangerous malware can get around banks’ security by preying on unprotected users. Be cautious when banking online and make sure your computer and applications are patched with the latest security updates. In addition, endpoint protection software (antivirus) is a must.
It also spreads through spam messages that are designed to trick people into downloading malicious attachments, so never open an attachment you aren’t expecting.
Whenever possible, ask financial institutions to provide two-factor authentication. And be alert for suspicious behaviors, like being asked for information that you don’t normally have to provide when initiating an online transaction.
Sophos customers are protected against Vawtrak by our endpoint, server and network protection products.
About SophosLabs
SophosLabs is the global network of threat centers staffed by Sophos researchers and analysts. Keep up to date with our latest industry-leading research, technical papers, and security advice at Naked Security and the Sophos Blog.
Sign up for our newsletter by filling in your email address at the top right of the blog’s webpage. Follow us on your favorite social media networks, chat with us in our forums, download our informative podcasts, or sign up for our RSS feeds.