News Feature | January 7, 2015

Vawtrak Malware Takes A "Crimeware-As-A-Service" Approach

By Cheryl Knight, contributing writer

The dangerous banking trojan Vawtrak continues to make the rounds online. The malware's main goal is to harvest online login credentials for various financial institutions. It injects a dynamic-link library (DLL) file into the browser process, which makes it easier for Vawtrak to first initiate a transfer out of the victim’s account and then hide any evidence that the transfer occurred.

A Sophos white paper, “Vawtrak – International Crimeware-as-a-Service,” explains this malware in more detail.

How Infection Occurs

Vawtrak uses a variety of avenues to infect a computer. The first is as part of a spam campaign disguised as communication from a financial institution requesting that you open an attachment. The attachment contains an exe file that installs the Vawtrak malware when executed.

Another often-used method of installing the Vawtrak trojan is through an exploit kit (EK). This method uses compromised websites to redirect users to an EK landing page. The landing page attempts to exploit vulnerabilities in the user’s browser to load Vawtrak onto the user’s computer.

Typical Targets

According to a Security Week article, the Vawtrak malware goes after customer accounts for banks all over the world. Some of the countries that suffer the most from these attacks include Germany, Poland, and the U.S. In addition to banks, Vawtrak directs its efforts toward companies in industries that most banking malware does not typically target, including social networks, gaming portals, and online retailers.

The Sophos report further states, “It’s evident that the Vawtrak operators are setting up the botnet to deliver Crimeware-as-a-Service, rather than following a more traditional kit-selling model that older families, such as Zeus or SpyEye, once employed.”