A new version of a deceptive banking malware has been responsible for a series of attacks on financial institutions in many countries around the world in the past year, SophosLabs reports in a new research paper.
Vawtrak (also known as NeverQuest and Snifula) has been around for a few years now, yet it continues to thrive as a popular crimeware-as-a-service kit used by a variety of cybercriminal groups.
SophosLabs analysis of what we are simply calling Vawtrak version 2 shows the malware authors have introduced new innovations, while making frequent updates to meet demand and stay ahead of defenses.
SophosLabs has seen Vawtrak version 2 spreading via phony emails that claim to be shipping delivery notices, and being dropped onto computers already infected by the Pony malware.
In the time since our previous research paper on Vawtrak, new banks and countries have been targeted, with several campaigns in countries including the United States, Canada, the United Kingdom, Japan, and Israel; the US has been the largest target.
In our earlier analysis of Vawtrak, Germany and Poland were the top-targeted countries, but we did not see significant activity in those countries using version 2.
This change in geographic targets could indicate that Vawtrak’s crimeware customers are no longer interested in those countries, but it’s also possible that SophosLabs did not see configuration files for those missing countries due to server-side checks such as a Geo IP lookup of the victim IP address.
Innovations in Vawtrak version 2
The developers of Vawtrak have invested significant efforts to improve the malware in version 2, complicate defenses, and frustrate security researchers.
According to SophosLabs, Vawtrak version 2 includes some updates that break existing tools used to analyze the malware:
“These changes involve increased levels of obfuscation and changes to the encryption used. … [T]he motivation for the change would appear to be an attempt to temporarily break existing tools that may implement the algorithms used by previous Vawtrak samples.”
SophosLabs also discovered that the Vawtrak authors made version 2 leaner, with a smaller footprint for the initial payload used for infection. According to SophosLabs, this leaner design could allow the authors to add advanced features as modules that are deployed only to select victims.
For a more technical analysis of Vawtrak version 2 and additional research insights into this persistent threat, download the SophosLabs research paper.
SophosLabs is the global network of threat centers staffed by Sophos researchers and analysts.