
Vawtrak Banking Trojan

Report a cyber attack: call 0300 303 5222 or email [email protected]

This content has been archived

This article no longer conforms to NHS Digital's standards for cyber alerts, and may contain outdated or inaccurate information. Use of the information contained in this page is at your own risk.

Summary

Vawtrak is a banking trojan that, once it has infected a machine, uses Virtual Network Computing (VNC) channels for remote access and creates Socket Secure (SOCKS) proxy servers to relay the communications of the user's computer.

Threat details

Once the malware has executed, it can take screen captures, operate the webcam, make changes to the browser (which can lead to the capture of banking details) and store its settings in encrypted registry keys.

Its sole purpose, however, is to gain access to the bank accounts visited from the compromised device. It uses components of the Pony malware, which make it easier to extract login details from the browser, along with secure keys and anything else the attackers may need to obtain this information.

Phishing emails used to deliver the infection have been known to impersonate popular sites such as Amazon while actually linking to a compromised WordPress website: the true destination is hidden in the link portion (href) of the HTML anchor element that presents the hyperlink, so the text the user sees does not match where the link goes.


Threat updates

Date: 5 Jan 2018

Update: Vawtrak is now being offered on the dark web as 'Malware-as-a-Service', where malicious users can rent its capabilities. It has been used in spam campaigns which, like the original version, use the Pony infostealer to perform reconnaissance and then collect data of value. The previous version of Vawtrak targeted banks in Germany, Poland, Japan, the US, Saudi Arabia, the UAE, Malaysia, Portugal, Spain and the UK, but that has changed: Vawtrak version 2 added further target countries such as Canada, Israel, Romania, the Czech Republic and the Republic of Ireland, with improved targeting of the UK, US and Japan.


Remediation advice

To prevent and detect a trojan infection, ensure that:

Remediation steps

  • A robust program of education and awareness training is delivered to users to ensure they don’t open attachments or follow links within unsolicited emails.
  • All operating systems, antivirus and other security products are kept up to date.
  • All day to day computer activities such as email and internet are performed using non-administrative accounts.
  • Strong password policies are in place and password reuse is discouraged.
  • Network, proxy and firewall logs are monitored for suspicious activity.
  • User accounts that have been accessed from infected machines are reset from a clean computer.

Last edited: 17 February 2020 12:56 pm