Security experts from the cyber threat intelligence firm Blueliv have conducted a technical investigation on the banking Trojan Vawtrak v2 and activities of the cybercriminal groups behind the threat.
Vawtrak is a threat that has been in the wild since 2014 when experts at Trend Micro spotted the threat that was targeting Japanese Internet users. The first variant of BKDR_VAWTRAK abused a Windows feature called Software Restriction Policies (SRP) to prevent victims’ systems from running a wide range of security programs
We saw several versions of the malware over the years, the last variant of Vawtrak was discovered this summer by experts from Fidelis firm. The new version of the Vawtrak banking Trojan included significant improvements such as the SSL pinning.
Researchers from Blueliv now have conducted a reverse engineering of the Vawtrak banking Trojan that confirmed the presence of two clearly differentiated infrastructures. One infrastructure dedicated exclusively to malware distribution (primarily spam), and a second one used for maintenance, control and the reporting of stolen data.
The analysis of the Vawtrak v2 revealed a complex infrastructure used to deliver the malware as well as other Trojans. Blueliv named the cybercriminal group behind this infrastructure Moskalvzapoe.
Moskalvzapoe uses several servers hosting command and control (C2) for Vawtrak and other Trojans (i.e. Pony credential stealer). The threat is primary spread through spamming and drive-by download mechanisms that involved Exploit Kits (mostly Nuclear EK).
The Moskalvzapoe infrastructure presents an unusual network topology in terms of the way crooks have set up C&C servers and how they rotate their domains and exposed IPs.
“All these hosts forward all the incoming connections towards the back-end.” reads the analysis from BlueLiv. “The Trojans dropped by the loaders are usually found in compromised servers which share multiple characteristics including geolocation. Most of the compromised hosts can be found in Russia. Usually these hosts are compromised using security vulnerabilities found in commonly used software such as WordPress, Joombla, or Bitrix. Furthermore, the deployment of Pony Grabber, the credential-stealing malware, enables them access to other hosts and services.”
The Vawtrak V2 is able to implement further actions by using additional modules, significantly expanding its capabilities. These most common modules used by the banking Trojan are:
The largest number of Vawtrak v2 infections was observed US (69,010), followed by Canada (6,777) and UK (969), meanwhile, the impact on Europe was minimal.
“The total amount of data exfiltrated by the botnet is more than 2,500,000 credentials. The fact that U.S. is the most affected country is also reflected in the most affected services.” reads the report published by BlueLiv.
The analysis published by BlueLive revealed the use of large-scale communication networks that increased in a significant way the level of sophistication of the criminal infrastructures to support the distribution of Vawtrak V2 worldwide.
The data emerged from the report shows the amazing abilities of cybercrime groups which have complex hierarchies and the availability of an efficient business model.
I suggest the reading of the report titled “Chasing cybercrime: Network insights into Vawtrak v2” that is full of interesting data on the malware and the threat actors behind it.
Blueliv also provided Indicators of Compromise (IOCs) that could be used by organizations to detect the threat.
Enjoy the report.
(Security Affairs – Vawtrak v2, cybercrime)