A new strain of the VAWTRAK banking trojan uses macros and abuses Windows PowerShell

Security experts at Trend Micro have observed significant improvements in the VAWTRAK banking trojan, which now couples malicious Office macros with Windows PowerShell to deliver its payload.

In early 2015 the Microsoft Malware Protection Center (MMPC) issued an alert about a surge in infections by malware that uses macros to spread its malicious code. MMPC experts observed a significant increase in malware that depends on the victim enabling macros; the most active families at the time were Adnel and Tarbir.

Last year experts at TrendLabs observed criminal crews using the Windows PowerShell command shell to spread ROVNIX via malicious macro downloaders. The experts are now seeing cyber criminals using malicious macros in Microsoft Word documents to spread the banking malware VAWTRAK. The malware specialists at Trend Micro first noticed the VAWTRAK agent in June 2014, when it was abusing a Windows feature called Software Restriction Policies (SRP) to prevent victims' systems from running a wide range of security programs, including antivirus software from Trend Micro, ESET, AVG, Symantec, Microsoft, Intel and many others, for a total of 53 different applications. That variant targeted customers of banks in Japan, Germany, the UK and Switzerland.
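The SRP abuse mentioned above leaves a durable trace in the registry: a path rule at the "Disallowed" security level whose path points at a security product. The following is an added example (not Trend Micro's analysis code and not VAWTRAK's own routine) that parses a registry export of the Safer\CodeIdentifiers tree and flags such rules. The .reg text, the rule GUIDs and the vendor keyword list are constructed for illustration; the level subkey values are the documented SAFER_LEVELID_* constants.

```python
"""Audit Software Restriction Policy (SRP) path rules from a .reg export
and flag "Disallowed" rules that name security products.
Added example, not Trend Micro or VAWTRAK code; the export below is
constructed for illustration."""
import re

# SAFER_LEVELID_* values, which appear as subkey names under CodeIdentifiers.
SRP_LEVELS = {
    0: "Disallowed",
    0x1000: "Untrusted",
    0x10000: "Constrained",
    0x20000: "Basic User",
    0x40000: "Unrestricted",
}

# Constructed export of HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer
# (GUIDs and paths are made up for this example).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers]
"DefaultLevel"=dword:00040000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{5e0f2c8a-1111-4d2b-9e31-000000000001}]
"ItemData"="C:\\Program Files\\Trend Micro"
"SaferFlags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{5e0f2c8a-1111-4d2b-9e31-000000000002}]
"ItemData"="C:\\Program Files\\ESET"
"SaferFlags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths\{5e0f2c8a-1111-4d2b-9e31-000000000003}]
"ItemData"="C:\\Program Files\\Internal Tools\\deploy.exe"
"SaferFlags"=dword:00000000
"""

# Assumed vendor keyword list for this example; extend it with the
# products actually deployed in your environment.
SECURITY_VENDOR_KEYWORDS = (
    "trend micro", "eset", "avg", "symantec", "norton", "mcafee",
    "kaspersky", "windows defender", "microsoft security client", "sophos",
)

SECTION_RE = re.compile(r"^\[(.+)\]$")
PATH_RULE_RE = re.compile(
    r"\\Safer\\CodeIdentifiers\\(\d+)\\Paths\\(\{[0-9a-fA-F-]+\})$", re.IGNORECASE)
VALUE_RE = re.compile(r'^"([^"]+)"=(?:"(.*)"|dword:([0-9a-fA-F]{8}))$')


def _unescape(s):
    """.reg exports double every backslash and escape embedded quotes."""
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_srp_rules(reg_text):
    """Return one dict {level, level_name, guid, path, flags} per SRP path rule."""
    rules, current = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        sec = SECTION_RE.match(line)
        if sec:
            current = None
            m = PATH_RULE_RE.search(sec.group(1))
            if m:
                level = int(m.group(1))
                current = {"level": level,
                           "level_name": SRP_LEVELS.get(level, "unknown"),
                           "guid": m.group(2).lower(), "path": None, "flags": 0}
                rules.append(current)
            continue
        if current is None:
            continue
        val = VALUE_RE.match(line)
        if not val:
            continue
        name, s_val, dword = val.groups()
        if name.lower() == "itemdata" and s_val is not None:
            current["path"] = _unescape(s_val)
        elif name.lower() == "saferflags" and dword is not None:
            current["flags"] = int(dword, 16)
    return rules


def suspicious_disallow_rules(rules, keywords=SECURITY_VENDOR_KEYWORDS):
    """Disallowed (level 0) rules whose path names a security product:
    the pattern VAWTRAK used to keep security tools from launching."""
    hits = []
    for r in rules:
        if r["level"] != 0 or not r["path"]:
            continue
        p = r["path"].lower()
        if any(re.search(r"\b" + re.escape(k) + r"\b", p) for k in keywords):
            hits.append(r)
    return hits


if __name__ == "__main__":
    for r in suspicious_disallow_rules(parse_srp_rules(SAMPLE_REG)):
        print(f"{r['level_name']} rule {r['guid']} -> {r['path']}")
```

On a live host the same tree can be exported with `reg export "HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer" srp.reg` and fed to `parse_srp_rules`. Any Disallowed path rule that was not put there by your own policy deserves a look, not only those matching the keyword list; the keyword match just ranks the obvious ones first.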

This time crooks used the agent to target several financial institutions including Bank of America, Barclays, Citibank, HSBC, Lloyd’s Bank, and J.P. Morgan.

The kill chain begins with phishing emails; most of the messages used to spread the VAWTRAK banking malware are crafted to look like they come from the courier company FedEx.

“The emails notify their recipients that a package was delivered to them, and contain a receipt number attached for the supposed ‘delivery’,” states a report published by Trend Micro.

As in many other macro-based infections, recipients who open the attached document first see only jumbled symbols. The document instructs victims to enable macros in order to read the content correctly.

Once the macro is enabled, a batch file, a .VBS file and a PowerShell script are dropped onto the victim's machine.

“Once the macro is enabled, a batch file is dropped into the affected system, along with a .VBS file and a PowerShell script. The batch file is programmed to run the .VBS file, which is then prompted to run the PowerShell file. The PowerShell file finally downloads the VAWTRAK variant, detected as BKDR_VAWTRAK.DOKR.” continues the post.
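The chain quoted above (Word macro -> batch file -> .VBS -> PowerShell downloader) is a parent/child process pattern that endpoint telemetry can catch regardless of the file names used. The following is an added example, not Trend Micro's code or any tool the report describes, that walks process-creation records and flags a PowerShell process whose ancestry runs back through script hosts to an Office application. The events are constructed in a Sysmon-like shape (pid, parent pid, image, command line) and the field names are an assumption of this example; it generalises beyond the article's exact .bat/.vbs hop by accepting any run of cmd/wscript/cscript/mshta between Office and PowerShell.

```python
"""Detect the Office -> script host(s) -> PowerShell launch chain in
process-creation telemetry.  Added example, not Trend Micro code; the
events below are constructed in a Sysmon-like shape."""
import csv
import io
import re

# Office hosts whose macros start the chain, and the script hosts a dropper
# may pass through before PowerShell runs.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}
# Command-line fragments suggesting the PowerShell stage fetches a payload.
DOWNLOAD_HINT_RE = re.compile(
    r"downloadfile|downloadstring|net\.webclient|invoke-webrequest|\biwr\b|"
    r"start-bitstransfer|-enc(odedcommand)?\b", re.IGNORECASE)

# Constructed sample log: one VAWTRAK-style chain plus benign noise.
SAMPLE_EVENTS = r"""pid,ppid,image,cmdline
100,1,explorer.exe,explorer.exe
201,100,WINWORD.EXE,"WINWORD.EXE /n C:\Users\u\Downloads\FedEx_receipt.doc"
302,201,cmd.exe,"cmd.exe /c C:\Users\u\AppData\Local\Temp\dropper.bat"
403,302,wscript.exe,"wscript.exe C:\Users\u\AppData\Local\Temp\run.vbs"
504,403,powershell.exe,"powershell.exe -ExecutionPolicy Bypass -NoProfile -File C:\Users\u\AppData\Local\Temp\dl.ps1"
210,100,WINWORD.EXE,"WINWORD.EXE /n C:\Users\u\Documents\report.docx"
605,100,powershell.exe,"powershell.exe -NoProfile"
"""


def parse_events(text):
    """Index process-creation rows by pid."""
    return {int(r["pid"]): r for r in csv.DictReader(io.StringIO(text))}


def ancestry(events, pid):
    """Walk parent links from pid towards the root; returns records, child first."""
    chain, seen = [], set()
    while pid in events and pid not in seen:
        seen.add(pid)
        chain.append(events[pid])
        pid = int(events[pid]["ppid"])
    return chain


def find_office_to_powershell(events):
    """Flag PowerShell processes whose ancestors, up to the first Office
    application, are all script hosts.  Returns one dict per hit."""
    hits = []
    for pid, rec in sorted(events.items()):
        if rec["image"].lower() != "powershell.exe":
            continue
        images = [r["image"].lower() for r in ancestry(events, pid)]
        office_idx = next((i for i, img in enumerate(images) if img in OFFICE_APPS), None)
        if office_idx is None:
            continue
        if not all(img in SCRIPT_HOSTS for img in images[1:office_idx]):
            continue  # an unrelated process sits between Office and PowerShell
        hits.append({
            "pid": pid,
            "chain": " -> ".join(reversed(images[:office_idx + 1])),
            "cmdline": rec["cmdline"],
            "download_hint": bool(DOWNLOAD_HINT_RE.search(rec["cmdline"])),
        })
    return hits


if __name__ == "__main__":
    for h in find_office_to_powershell(parse_events(SAMPLE_EVENTS)):
        print(f"pid {h['pid']}: {h['chain']}  download_hint={h['download_hint']}")
        print(f"    {h['cmdline']}")
```

Note that in the sample the downloader logic lives inside dl.ps1, so the command line itself carries no download indicator; the ancestry match is what fires, which is why the detection keys on the process lineage rather than on command-line keywords alone.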

The VAWTRAK banking trojan is able to steal information from several sources, including email credentials from clients such as Microsoft Outlook and Windows Mail. The malicious code also harvests sensitive data from the most common browsers, and it steals account information from File Transfer Protocol (FTP) clients and file managers such as FileZilla.

“Additionally, BKDR_VAWTRAK.DOKR can bypass two-factor authentication like one-time password (OTP) tokens and also has functionalities like Automatic Transfer System (ATS). The SSL bypass and ATS capabilities of VAWTRAK malware depend on the configuration file it receives. The configuration file contains the script used for ATS and SSL, which is injected into the web browser,” states the post. “It also performs information theft through methods like form grabbing, screenshots, and site injections. Some of the targeted sites include Amazon, Facebook, Farmville, Google, Gmail, Yahoo Mail, and Twitter.”

The experts highlighted the continuous improvement of the VAWTRAK banking malware since it was first spotted in August 2013; it can be considered one of the favored tools in the criminal ecosystem.

Pierluigi Paganini

(Security Affairs –  VAWTRAK, malware)


Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and of the Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years of experience in the field and a Certified Ethical Hacker (EC-Council, London). The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US. Pierluigi is a member of "The Hacker News" team and writes for major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines. He is the author of the books "The Deep Dark Web" and "Digital Virtual Currency and Bitcoin".
