Vawtrak banking malware – know your enemy

In December 2014, SophosLabs published a paper entitled Vawtrak – International Crimeware-as-a-Service, explaining how cybercriminals have adopted the “Pay As You Go” model that has become so popular in the mainstream technology industry.

Cybercrooks have provided services to one another for years, for example by trading spamming lists, writing malware programs to order, and finding and selling vulnerabilities.

But once you’ve provided another bunch of crooks with your malware source code files, or with access to your mailing lists, you can’t easily control what they do with them.

What’s often referred to as Crimeware-as-a-Service, or simply CaaS, has changed all that.

CaaS crooks keep their malware to themselves, along with automated tools for generating new variants, techniques for rapidly customising the malware payloads, and the network that they use to push out infected files to potential victims.

Instead of selling the malware itself, they sell a malware delivery service on agreed terms, for example: N passwords stolen from X users of bank Y in country Z.

Simply put, CaaS “customers” in the cybercriminal underworld pay for results, without having to worry about, or even to understand, the technological tricks needed to mount a successful malware attack.

As SophosLabs concluded in 2014:

This model allows specialisation. Aspects of the operation can be divided into distinct areas that expert members of the team can work on independently. For example, German language web injects can be handled by German speaking team members; code that is designed to bypass two-factor authentication can be written by a different team than more simple code that asks for extra information not normally required, and the stolen data can be similarly divided.

Web injects explained

Web injects are a sneaky trick used in banking-related malware like Vawtrak to steal sensitive user data.

Traditional phishing attacks try to lure you to fake banking sites in the hope that you’ll enter confidential data where it will be stolen.

Web injects, on the other hand, wait for you to visit a genuine banking site, so that all the security indicators in your browser are correct.

At the last moment, the malware modifies the web pages from the genuine website, altering them in memory after they’ve been decrypted and authenticated, but just before your browser displays them.

This means the malware can grab secrets such as passwords by presenting you with fake fields on otherwise legitimate pages on legitimate websites – an altogether harder trick to spot than traditional phishing.

Has ransomware taken over?

Nevertheless, for all the deviousness of banking malware, recent security news has been dominated by ransomware.

Ransomware hits hard and fast, and leaves you facing an immediate and unavoidable decision: “To pay or not to pay?”

As a result, you might be forgiven for assuming that web injects and banking malware were on the wane.

That would be a dangerous mistake.

Vawtrak 2 – Know Your Enemy

The Vawtrak gang is not only still going strong, they’ve evolved their malware, allowing their Crimeware-as-a-Service “customers” to target more victims at more banks in more countries.

So much so that SophosLabs researchers have written a follow-up report with a raft of new details:

Since our previous analysis of the Vawtrak banking malware , there have been several important updates to the code and to the financial institutions and organizations being targeted. There have also been several widespread campaigns that have been utilized with great success to spread the new version of Vawtrak.

Read the report yourself for a fascinating insight into Crimeware-as-a-Service, 2016-style.

Learn how cybercrooks think…

…and, better yet, to paraphrase Sun Tzu, learn to Know Your Enemy.