[email protected] +603-2181 3666
All IT News eConfirm.my
IT News
Vawtrak (aka Neverquest) Banking Trojan
March 26, 2015 By aatech
0

The infamous Vawtrak banking Trojan has reared its ugly head with new features that make it more dangerous than it previously was.  It allows data to be sent and received data through encrypted favicons (see Definition) via the secured Tor network, which is a hidden web service.

Why it become so dangerous? It’s because the malware is capable of stealing financial information and executing transactions form compromised computers remotely without leaving any traces.  Very stealthy, indeed. Furthermore, it can capture videos and screenshots and launch Man-in-the-Middle (MitM) (see Definition) attacks.

Well know antivirus company, AVG discovered that Vawtrak gains access into bank accounts which victims have accessed.  It uses the famous Pony module in order to steal a wide range of victims’ login credentials.  (Pony is a malware that steals sensitive information & drop additional malware onto a victim’s machine).

Vawtrak spreads in three ways:

  • Drive-by download – from spam email attachments or links to compromised websites
  • Malware downloader – like Zemot or Chaintor
  • Exploits kits – like Angler Exploit Kit

As s researcher from AVG says, “Of particular interest from a security standpoint is that by using Tor2web proxy, it can access update servers that are hosted on the Tor hidden web services without installing specialist software such as Torbrowser.  “Moreover, the communication with the remote server is done over SSL, which adds further encryption.

Vawtrak hide update files within favicons in order to conceal malicious downloads.  It uses steganography (see Definition) to do this.

Once it infects a victims computer, it will perform the following:

  • Disable antivirus protection
  • Inject custom code in a user-displayed web pages (this is mostly related to online banking)
  • Steal passwords, digital passwords, browser history, and cookies
  • Perform surveillance of the victim’s computer (key logging, capturing screenshots and videos)
  • Creates remotes access to the compromised computer
  • Automatic updating

Vawtrak operate in the three major browsers – Internet Explorer, Firefox and Google Chrome.  It also has the ability to steal passwords from other browsers.

The Trojan currently infecting banking, gaming and social networks users mainly in the following countries – UK, USA, and Germany.  Users in Australia, New Zealand, and across Europe are also affected.

To put this Trojan in perspective, AVG said, “Vawtrak is like a Swiss Army knife for its operators because of its wide range of applications and available features.” A very versatile Trojan, indeed.

Recommendation

  1. DO NOT open email attachments from unknown sources or emails that appear to be legitimate but suspicious.
  2. BACK UP is very crucial.  Important data to be regularly backed up onto external media.
  3. Be aware of phishing scams.  If you receive emails, requesting personal information or asking you to follow a link contained therein, stop and think.  Though the email may seem legitimate, you have to be cautious.
  4. Don’t use the links in an email, instant messenger or chat to enter a website. Always type the URL of the website on your browser’s address bar to get into a website.

Definition

  1. Favicons (favourite icon) – small images used by the websites to add icon to website bookmarks and browser tabs.
  2. Man-in-the-Middle – a form of eavesdropping where communication between two users is monitored and modified by an unauthorized party. In other words, the attacker attempts to intercept, read or alter information moving between two users / computers.
  3. Steganography – the practice of hiding a message within a larger one in such a way that others are not aware of the presence or contents of the hidden message.

Source

  1. The Hacker News