Banking Trojan Vawtrak (aka Neverquest or Snifula) which additionally uses the Pony module to steal wide range of log-in credentials has been proliferating rapidly over the last few months
USA, Germany, UK, Czech Republic are the top affected countries this year.
While Trojans like this are not new, what makes it remarkable is the the multi-layered concealing processes and wide range of functions it can execute.
The Vawtrak Trojkan spreads via drive-by download – in the form of spam email attachments or links to compromised sites or through malware downloaders such as Zemot or Chaintor or through exploit kits like Angler.
Tracking the Trojan Vawtrak, AVG has revealed a detailed analysis of its installation and functionality.
Installation
The trojan was delivered through a spam email from Amazon which contained link to a zip archive stored on a compromised Wordpress site. The delivered file which actually was a executable tried to simultaneously look as a pdf and a screen saver. It then installed itself into the system and ensured persistence by enabling auto-execution Windows start-up. Without causing visible changes in the system, it then dropped the DLL into the program folder and deleted its original version.
This shorter second DLL decrypts its payload, which looks like a normal Windows exe file but is a compressed file. The decompressed file replaces the second DLL and extracts the final module in a compressed format which further contains another two DLL files. The appropriate DLL then executes Vawtrak's main functionality.
Functionality
Once executed, Vawtrak disables antivirus protection of almost all known anti-viruses, steals multiple passwords from browsers (even obscure browsers such as K-Meleon or Flock) or applications, steals browser history, modifies browser settings, logs keystrokes, takes screenshots or records user actions on desktop, enables remote access to victim's system.
Further it communicates with remote Control & Command servers, executing commands from a remote server,
sending stolen information, downloading new versions of itself and web-injection frameworks.
One fascinating feature is that it can connect to the update servers hosted on the Tor hidden Web services via a Tor2web proxy without installing any special software such as
Tor browser. Moreover, the communication with the remote server is done over SSL, which adds
further encryption. Due to the use of steganography, the user remains totally ignorant of the working and updation of the Trojan.
Vawtrak is not as advanced as some others but its actions are too aggressive and they may cause stability or
performance issues in the infected machines.
Staying vigilant about online phishing and
scams is the most efficient way of avoiding Vawtrak but as it may still find its way, even without a user's direct interaction. So having an efficient and updated antivirus solution is of utmost importance.
For full analysis of the Trojan, read the complete report by AVG.
