Cybercriminals aim at the US, set about 64 targets in config file

Sep 4, 2014 13:41 GMT  ·  By

A new version of Vawtrak, a banking malware also known as Neverquest that evolved from the Gozi family, has been discovered by researchers to sport changes added in the last month.

With the new features, Vawtrak operators also expanded the list of targets and no longer focus mainly on victims from Japan, but affect computers in the US, Canada, the UK, Australia, Turkey, and Slovakia, too.

Researchers from PhishLabs found that the attacks started about three months ago, aiming at US users. Samples from July featured advanced web injects for the sites of about 64 entities, which include financial institutions, social networks, online retailers, analytics firms and game portals.

Don Jackson, Director of Threat Intelligence at PhishLabs, says that the newest configuration has been delivered to the bots on August 28 and features capabilities comparable “to other state-of-the-art banking Trojans.”

It relies on the man-in-the-browser (MiTB) attack technique to modify information in web traffic, regardless if it has been secured through encryption or not.

Apart from stealing credentials, the range of features includes automating fraudulent transactions in online banking sessions, as well as injecting form fields in legitimate pages to collect different information from the user.

The latest configuration of the malware sends the information captured via bogus fields in legitimate sites directly to the systems controlled by the cybercriminals, which prevents identification of the victim.

“Now, instead of an alternative site name that might resolve and track the activity, latest configuration instructions tell Vawtrak to post the extra stolen data to URLs with a legitimate domain name, but an invalid host name. This name won't resolve to an IP address, so the data is never even sent over an HTTP connection where it might be discovered as an indicator of Vawtrak activity from an infected user,” writes Jackson in a company blog post.

It is clear that Vawtrak is a malicious project that benefits from plenty of investment designed to make it stealthier when extracting data from the compromised computer, ensuring persistence.

The fraudulent activity is performed by the crooks remotely, by logging into the bank account straight from the affected system.

The security researcher says that delivery of the malware has been observed to be done through Cutwail, a botnet primarily used for sending spam.

Victims receive a message generally purporting to be from AT&T, informing that a document needs to be signed. The link to the file steers the unsuspecting user to a page serving an exploit kit used to install Vawtrak.