The malware known as Vawtrak is a banking Trojan which has increased in sophistication since its inception more than eight years ago. Systems infected with Vawtrak become part of a botnet managed by a Russian cybercrime gang who operate a Cybercrime-as-a-Service enterprise based on selling botnet access and support to their clients.
PhishLabs’ researchers have observed Vawtrak being deployed and utilized in an increasingly aggressive manner, with new versions being released approximately every month. Version 0x3B was first observed by PhishLabs on January 29, 2015.
Vawtrak configurations contain targeting information. Configurations vary based on the "Project ID," one or more of which may be assigned to a client of the cybercrime service. Previously, configurations were generally grouped together based on targeting and associated with four major clients of the cybercrime service. Some configurations are small or lean, indicating they are used for testing, focused reconnaissance, or targeted attacks. Between last month's version 0x3A and the most recent version 0x3B, PhishLabs observed the number of targets increase by between 10% and 100% among similar configurations associated with separate client profiles/Project IDs.
In previous versions, the number of C2 (command and control) servers embedded into the malware itself averaged around four, and never more than eight. Samples of the latest 0x3B version of Vawtrak have as many as 28 pre-programmed C2 servers. Typically, only a couple of the listed C2 servers are actually active at any given time. However, this significant increase could be an indication that the Vawtrak operators are enhancing the robustness of their cybercrime infrastructure and attempting to increase botnet availability. One or more specific plans or goals could be the basis of this increase, including:
- Making it more difficult for researchers and investigators to track botnet activity.
- Making the process of completely shutting down a Vawtrak campaign significantly more time consuming.
- Limiting exposure to risk and overall operational impact associated with the successful takedown of any particular C2 server.
- Preparation for an expected large increase in business, including taking on a large number of new clients.
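The two trends described above, growth in targets per Project ID and growth in the number of embedded C2 servers, are the kind of thing an analyst tracks across versions once configurations have been decoded. The following Python is an added example, not code from the PhishLabs post, and it assumes configurations have already been extracted into records of (version, Project ID, targets, C2 hosts). All sample records, domains and C2 names below are constructed placeholders, not real Vawtrak indicators.

```python
"""
Compare Vawtrak-style configuration snapshots across two versions, per Project ID,
and flag the two indicators the post highlights: target-count growth and samples
whose embedded C2 count exceeds the historical maximum. Added example with
constructed data; decoding the configuration itself is assumed to have happened
upstream and is not shown here.
"""
from dataclasses import dataclass

# The post states earlier versions averaged ~4 embedded C2s and never more than 8.
HISTORICAL_MAX_C2 = 8


@dataclass(frozen=True)
class ConfigSnapshot:
    version: int            # build version as seen in the sample, e.g. 0x3A, 0x3B
    project_id: int         # client "Project ID" carried in the configuration
    targets: frozenset      # targeted institution domains extracted from the config
    c2_servers: frozenset   # C2 hostnames embedded in the sample


# Constructed sample records (placeholder names under reserved TLDs, not real IoCs).
SAMPLES = [
    ConfigSnapshot(0x3A, 1, frozenset(f"bank-{i}.example" for i in range(2)),
                   frozenset(f"c2-{i}.invalid" for i in range(1, 5))),
    ConfigSnapshot(0x3B, 1, frozenset(f"bank-{i}.example" for i in range(4)),
                   frozenset(f"c2-{i}.invalid" for i in range(1, 29))),
    ConfigSnapshot(0x3A, 2, frozenset(f"lender-{i}.example" for i in range(10)),
                   frozenset(f"c2-{i}.invalid" for i in range(1, 5))),
    ConfigSnapshot(0x3B, 2, frozenset(f"lender-{i}.example" for i in range(11)),
                   frozenset(f"c2-{i}.invalid" for i in range(1, 7))),
]


def pct_change(old: int, new: int):
    """Percentage change from old to new; None when there is no baseline."""
    if old == 0:
        return None
    return (new - old) / old * 100.0


def compare_versions(samples, old_version: int, new_version: int) -> dict:
    """Per Project ID present in both versions, report target and C2 deltas."""
    by_key = {(s.version, s.project_id): s for s in samples}
    report = {}
    for pid in sorted({s.project_id for s in samples}):
        old = by_key.get((old_version, pid))
        new = by_key.get((new_version, pid))
        if old is None or new is None:
            continue  # cannot compare a project seen in only one version
        report[pid] = {
            "targets_old": len(old.targets),
            "targets_new": len(new.targets),
            "targets_pct_change": pct_change(len(old.targets), len(new.targets)),
            "new_targets": sorted(new.targets - old.targets),
            "dropped_targets": sorted(old.targets - new.targets),
            "c2_old": len(old.c2_servers),
            "c2_new": len(new.c2_servers),
            "new_c2": sorted(new.c2_servers - old.c2_servers),
            # Flag the infrastructure expansion the post describes.
            "c2_exceeds_historical_max": len(new.c2_servers) > HISTORICAL_MAX_C2,
        }
    return report


def c2_union(samples, version: int) -> set:
    """All C2 hosts embedded across every sample of one version.

    Useful as the input to DNS/proxy monitoring, since only a few of the embedded
    C2s are live at any moment and the active subset changes over time.
    """
    hosts = set()
    for s in samples:
        if s.version == version:
            hosts |= s.c2_servers
    return hosts


if __name__ == "__main__":
    for pid, row in compare_versions(SAMPLES, 0x3A, 0x3B).items():
        print(f"project {pid}: targets {row['targets_old']}->{row['targets_new']} "
              f"({row['targets_pct_change']:+.0f}%), C2 {row['c2_old']}->{row['c2_new']}"
              f"{' [exceeds historical max]' if row['c2_exceeds_historical_max'] else ''}")
    print(f"{len(c2_union(SAMPLES, 0x3B))} distinct C2 hosts across 0x3B samples")
```

Because only a couple of the embedded C2 servers are live at a time, the full union per version (rather than just the currently active hosts) is the right set to watch for outbound connections; the per-project diff shows which client profiles drove the growth.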
Actual banking losses due to Vawtrak are not known and are not always attributable. However, it can be confidently concluded that increasing losses are fueling this aggressive increase in Vawtrak activity.