Vawtrak is the security industry's name for the latest version the 64-bit compatible Gozi Prinimalka Trojan, a family of malware first conceived in the mid-2000's. Recently, PhishLabs’ R.A.I.D (Research, Analysis, and Intelligence Division) has uncovered new developments in the latest Vawtrak configurations that indicate it is a much more substantial threat than it was a few months ago.
What You Need to Know
It is clear that Vawtrak is an imminent threat expanding in complexity. Targets are growing outside the financial industry and geographic distribution continues to rise. Most noteworthy developments observed by PhishLabs’ R.A.I.D:
- Recent takedowns and disruptions of other major botnets positions Vawtrak to gain popularity in the cybercrime market.
- Original Vawtrak attacks primarily targeted financial institutions in Japan – recently observed configuration files extend attacks on social networks, online retailers, analytics firms, and game portals.
- Geographic distribution has been expanded to specifically target: U.S., Canada, the UK, Australia, Turkey, and Slovakia.
- Newer configurations of the Vawtrak botnet have advanced webinjects that enables the capture of additional personal information for exploitation of the victim’s account.
- More advanced data-hiding tactics mitigates detection of criminal activity.
As one arm of the syndicate recently scaled back attacks on targets in Japan, China, Australia, New Zealand, and other Far East countries, the core Russian crew ramped up large scale attacks on U.S. targets beginning approximately three months ago. In July, samples from the Russian crew's new operation were configured to use advanced webinjects attacks against as many as 64 targeted organizations' web sites, including financials, social networks, online retailers (including StubHub), analytics firms, and game portals.
Newer configurations are much more sophisticated than flimsy spam scripts running on hacked blogs. Our analysts are seeing the Vawtrak lures coming through Cutwail – the world's highest-volume spam-sending botnet, which means the attackers are spending serious real-world money to infect more banking customers. Besides targets with U.S. or international bases of operations, organizations in Canada, the UK, Australia, Turkey, and Slovakia are also specifically targeted.
Known Vawtrak Attacks
It is believed that the Vawtrak operation stole the information needed to fleece eBay's StubHub events ticket marketplace of USD $1.6 million, leading to arrests in the U.S., London, and Canada back in July 2014. Two criminals in Russia, believed to be vorVzakone and his partner, are still at large. The explicit StubHub attack instructions are still in the latest configuration. Over all, the Vawtrak operation seems unaffected by the arrests and continues at the same frenetic pace since its June 2014 re-emergence. In fact, with the void left by the demise of other botnets like Spy Eye, Shylock, and Gameover Zeus, it’s possible that the Vawtrak crew is poised to either scale up operations, or begin offering Vawtrak as crimeware-as-a-service (CaaS).
More recently, Vawtrak has been utilized in a new spam template injected into the Cutwail spamming botnet which abuses AT&T and DocuSign brands to divert victims to an exploit kit. Once exposed to the exploit kit, the threat lifts the credentials of a bank, which are then sent back to the attacker’s data drop. The hacker uses a virtual network computing server to take control of the compromised computer and logs into the bank account via the compromised computer to perform theft.
Modifications to Vawtrak Configuration
Since the StubHub arrests, the Vawtrak crew has modified configurations to evade authorities and increase the chance of success. The newest configuration being pushed to bots on August 28, 2014, represents major changes made over the last 30 days. Vawtrak’s advanced webinject capabilities are similar to other state-of-the-art banking Trojans, allowing it to modify data in web traffic, even if it has been secured with encryption. Vawtrak uses this capability to steal login credentials, automate fraudulent transactions inside online banking sessions, and inject addition form fields into legitimate web pages to gather additional information, such as social security numbers or PINs, for use in banking fraud and identity theft.
Another change recently incorporated into Vawtrak's webinject configuration sends information entered into the bogus fields directly to the criminals instead of the targeted online service's website. This means the bank or company being exploited can no longer look for instances where unsolicited information was being submitted, which would identify infected victims. The malware has been modified so that additionally injected forms are only submitted to the attacker’s data drop (along with all the other normal fields).This way, Vawtrak wipes its fingerprints off the web traffic, evading security controls used by targeted organizations designed to spot activity related to their users who have been infected with Vawtrak.
Sections for several targets show examples of changes made specifically for enhancing the new technique of not posting the extra/injected form fields to the targeted site. Now, instead of an alternative site name that might resolve and track the activity, latest configuration instructions tell Vawtrak to post the extra stolen data to URLs with a legitimate domain name, but an invalid host name. This name won't resolve to an IP address, so the data is never even sent over an HTTP connection where it might be discovered as an indicator of Vawtrak activity from an infected user.
Figure 1: This host and domain name still resolved, and form data was exposed via an HTTP request to Google
Figure 2: The new post URL has a trusted domain, but a host that will not resolve to an IP address, so it's never sent
Because it's an update for exiting bots, Vawtrak takes this form data-hiding strategy to an extreme, even deleting the fields it's already stolen from the configuration file, perhaps adding a new field the criminals need to raid accounts.
Figure 3: The Vawtrak crew stole all the entries for these sensitive items last month
Figure 4: The old form fields are gone, but hackers now need the voice menu PIN to raid some of those accounts
This strategy is similar to one implemented by the JabberZeus crew which leveraged a local proxy to scrub signs of additional injected form fields before being sent to websites of targeted financial institutions.
Figure 5: Despite arrests, StubHub targeting instructions persist in Vawtrak's latest configuration data
Vawtrak must not be ignored – custodians of the malware are investing time and resources to improve configurations that will increase stealth and added resistance to detection. As targets expand beyond the financial industry and into new geographic regions, organizations and consumers must be prepared for the impending threat.
How can consumers, marketplaces and brands protect themselves against campaigns like Vawtrak?
Security events that attempt to take over consumers’ accounts occur by the millions each day. Unfortunately, the cybercriminal utilizes a variety of attack tactics to obtain credentials and gain access to accounts. Tactics include targeting by emails (phishing), phone (vishing), text messages (SMiShing), spoof mobile apps, and crimeware such as the Vawtrak malware.
Figure 6: The cybercriminal’s infrastructure is expansive, pinging victims through a variety of vehicles.
Account takeover occurs when cyber criminals obtain an individual’s personal information such as an account number, password, username or social security number and uses that information to assume control of the individual’s account. Once accomplished, the cybercriminal seeks to conduct transactions such as transfers of money without the victim knowing what has occurred. A critical defense against such attacks is awareness. Download our recent whitepaper to protect yourself or your brand from being the victim of account take over schemes.