We have recently analyzed a Trojan called Vawtrak, which has been making headlines again because its developers use it to target the computers of banks. It poses an undeniable security threat, so it has to be removed immediately. Nevertheless, it might be configured to steal information not only from bank computers but from ordinary home computers as well, provided that the cyber criminals find ways to monetize the stolen information. Therefore, we dedicate this article to those who take online security seriously and to those who have already been affected by this malware and seek to delete it.
Malicious applications are obviously distributed using deceptive methods. The more malicious the malware, the more sophisticated and cunning its distribution methods are. Like ransomware, this Trojan is sent in spam emails that masquerade as messages from companies such as FedEx and American Airlines, with Word document attachments posing as receipts and airline tickets. While collecting information about this Trojan we found that it used to target banks in countries that include Japan, the United Kingdom, Germany, and Switzerland. However, currently, this malware is set to target various banks located in the United States. The list of targeted banks includes Bank of America, Barclays, Citibank, HSBC, Lloyd’s Bank, and J.P. Morgan.
Our research has shown that Trojan Vawtrak’s developers use malicious macro downloaders to drop this Trojan on the computers of their victims. If you open the attached Word document, it will show you incomprehensible text. The text at the top, however, is readable, and its message says that “If you document have incorrect encoding – enable macro.” The use of incorrect grammar is an indication that something is not right. If you enable macros, then the text will be presented with the correct encoding. However, the developers want you to enable them not so that you can see the contents of the document, but so that the embedded macro runs and drops a batch file along with a .VBS file and a PowerShell script. The whole clandestine process of infecting your computer happens quickly, and you will not notice it. Furthermore, given the nature of this infection, you might not notice its presence at all.
The batch file has been configured to run the .VBS file, which in turn runs the PowerShell script that downloads Trojan Vawtrak. The use of batch, .VBS, and PowerShell files is motivated by the need to get around the PowerShell Execution Policy, which does not allow scripts to run if they do not meet its requirements. However, when PowerShell is launched with the Execution Policy bypassed, the system blocks nothing and shows no warnings or prompts. As a result, this malicious application can infect your computer and proceed with its activities unobstructed. Note that the Execution Policy is designed to prevent the accidental running of scripts rather than to act as a security boundary, which is why a launched process can set it aside so easily.
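As an added example that is not part of the original article, the Python below shows how a defender could spot the macro dropper chain just described (Office document → batch file → .VBS → PowerShell with the Execution Policy bypassed) in process-creation telemetry. The events, their field names (pid, ppid, image, cmd) and the file paths are constructed assumptions, not a specific product’s log schema.

```python
import re

# Constructed sample process-creation events (not real telemetry); the
# pid/ppid/image/cmd field names are an assumption, not a product schema.
EVENTS = [
    {"pid": 100, "ppid": 1,   "image": "explorer.exe",   "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "WINWORD.EXE",    "cmd": r'"WINWORD.EXE" /n "C:\Users\u\Downloads\receipt.doc"'},
    {"pid": 300, "ppid": 200, "image": "cmd.exe",        "cmd": r'cmd.exe /c "C:\Users\u\AppData\Local\Temp\x.bat"'},
    {"pid": 400, "ppid": 300, "image": "wscript.exe",    "cmd": r'wscript.exe "C:\Users\u\AppData\Local\Temp\x.vbs"'},
    {"pid": 500, "ppid": 400, "image": "powershell.exe", "cmd": r'powershell.exe -ExecutionPolicy Bypass -File C:\Users\u\AppData\Local\Temp\x.ps1'},
    {"pid": 600, "ppid": 100, "image": "powershell.exe", "cmd": r'powershell.exe -NoProfile -File C:\Scripts\backup.ps1'},
]

# PowerShell accepts abbreviated parameter names, so match -ep/-ex/-exec/-ExecutionPolicy.
BYPASS_RE = re.compile(r"-(?:ep|ex[a-z]*)\s+bypass", re.IGNORECASE)
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

def ancestry(event, by_pid):
    """Return image names from the event up through its parents (child first)."""
    chain, seen, cur = [], set(), event
    while cur is not None and cur["pid"] not in seen:   # seen-set guards against pid reuse loops
        seen.add(cur["pid"])
        chain.append(cur["image"].lower())
        cur = by_pid.get(cur["ppid"])
    return chain

def find_macro_dropper_chains(events):
    """Flag PowerShell started with the policy bypassed and score its process ancestry."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if e["image"].lower() != "powershell.exe" or not BYPASS_RE.search(e["cmd"]):
            continue
        chain = ancestry(e, by_pid)
        parents = set(chain[1:])
        indicators = {
            "script_host_parent": bool(parents & SCRIPT_HOSTS),   # .VBS stage
            "cmd_in_chain": "cmd.exe" in parents,                  # batch stage
            "office_in_chain": bool(parents & OFFICE),             # macro stage
        }
        hits = sum(indicators.values())
        severity = "high" if hits >= 2 else "medium" if hits == 1 else "low"
        findings.append({"pid": e["pid"], "chain": " <- ".join(chain),
                         "indicators": indicators, "severity": severity})
    return findings

if __name__ == "__main__":
    for f in find_macro_dropper_chains(EVENTS):
        print(f["severity"], f["pid"], f["chain"])
```

The legitimate backup script (pid 600) is not flagged because it neither bypasses the policy nor descends from a script host or Office process; only the full chain ending in pid 500 is reported as high severity.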
The core function of Trojan Vawtrak is to steal sensitive information from your computer. This includes a variety of data, such as email credentials from email clients like Microsoft Outlook and Windows Mail. Furthermore, it can interact with web browsers such as Chrome and Firefox and steal passwords and login names from their databases. Moreover, it is set to steal information from File Transfer Protocol (FTP) clients, and so on. Not only that, but it also steals information entered on targeted websites such as Facebook.com, Google.com, Gmail.com, and so on. In short, the information it can get hold of can be anything, as this malware has access to everything on your computer. Therefore, it is not surprising that cyber crooks use it to steal information from bank computers.
Previously, Trojan Vawtrak was distributed using exploits, mainly the Angler exploit kit. Using macros to distribute malware is not something we see every day. Due to the nature of this distribution method, your PC may become, or may already have become, infected if it does not have anti-malware software to stop it. Note that you can delete this malware manually, but the folders that hide its files are named randomly, so you might have trouble locating this infection. If that is the case, then you might want to use SpyHunter to find the malware so that you can remove it on your own or allow the application to get rid of it for you.