Security researchers from SophosLabs have detected Vawtrack v2 in a series of attacks that targeted banks in countries where the trojan wasn’t previously active.
Vawtrack, also known as Snifula or NeverQuest, is one of today’s most popular banking trojans,according to Symantec. The trojan is offered as a rentable service on the Dark Web in the form of a Malware-as-a-Service offering. Many different criminal groups rent Vawtrack, and each distributes it via its own methods.
In a report released last week, SophosLabs revealed it detected a new campaign using spam email claiming to be shipping deliveries. These emails contained boobytrapped Word documents that asked the user to enable macros.
Crooks use Word macros to deliver Pony and then Vawtrack v2
Activating Word’s macro feature would trigger a set of automated scripts that download and install the Pony infostealer malware. Crooks use this malware for local reconnaissance, and if they found data of value that could be stolen, they would then deliver the Vawtrack v2 trojan.
The researchers noted that compared to v1, v2 added support for new targets. Vawtrack v1 is known to have gone after banks in Germany, Poland, Japan, the US, Saudi Arabia, UAE, Malaysia, Portugal, Spain, and the UK.
In v2, Vawtrack’s authors also added support for Canada, Israel, Romania, the Czech Republic, and the Republic of Ireland. Additionally, Vawtrack also added new targets for previously supported countries such as the UK, the US, and Japan.
Vawtrack v2 is now harder to reverse engineer
But SohposLabs didn’t consider these new Vawtrack WebInject modules to be the most important change added to Vawtrack v2. The security firm says the trojan is now much smaller on disk and features a modular architecture that allows its criminals to send new modules to each infected target, expanding its feature set.
Furthermore, Vawtrack v2 has been hardened against reverse engineering operations typically carried out by infosec researchers. SohposLabs says v2 broke a lot of security tools used to analyze malware.
The usage of increased levels of obfuscation and changes to the trojan’s encryption has greatly delayed analysis of this trojan.
Vawtrack’s business is alive and well
“The new version of Vawtrak shows that the botnet is very much alive, with active developers and a thriving customer base,” SophosLabs noted. “The pace with which new build versions are introduced shows that product releases are happening frequently.”
The company also notes that Vawtrack’s owners are constantly adding new C&C servers to their infrastructure, which hints to the fact they’re operating a booming business.
Readers interested into SophosLabs’ technical report on Vawtrack v2 can download it from.