A new strain of banking trojan VAWTRAK uses Macros and abuses Windows PowerShell

Pierluigi Paganini February 25, 2015

Security experts at Trend Micro have observed significant improvements in the VAWTRAK banking trojan, which now couples malicious macros with Windows PowerShell.

In early 2015 the Microsoft Malware Protection Center (MMPC) issued an alert about a surge in infections by malware that uses macros to spread its malicious code. The MMPC experts observed a significant increase in macro-enabled malware; the most active families include Adnel and Tarbir.

macros malware attacks

Last year experts at TrendLabs observed criminal crews using the Windows PowerShell command shell to spread ROVNIX via malicious macro downloaders. The experts are now seeing cyber criminals using malicious macros in Microsoft Word documents to spread the banking malware VAWTRAK. The malware specialists at Trend Micro noticed the VAWTRAK agent for the first time in June 2014, when it was abusing a Windows feature called Software Restriction Policies (SRP) to prevent victims' systems from running a wide range of security programs, including antivirus software from Trend Micro, ESET, AVG, Symantec, Microsoft, Intel and many others, for a total of 53 different applications. That variant targeted users of banks in Japan, Germany, the UK and Switzerland.

This time crooks used the agent to target several financial institutions including Bank of America, Barclays, Citibank, HSBC, Lloyd’s Bank, and J.P. Morgan.

The kill chain begins with phishing emails; the majority of the messages used to spread the VAWTRAK banking malware are crafted to look like they came from the shipping company FedEx.

“The emails notify their recipients that a package was delivered to them, and contain a receipt number attached for the supposed ‘delivery.'” states a report published by TrendMicro.

As observed in many other infections based on Windows macros, when email recipients open the document they first see jumbled symbols. The document instructs victims to enable macros in order to read the content correctly.

VAWTRAK Macro

Once the macro is enabled, a .VBS file and a PowerShell script are dropped onto the victim's machine.

“Once the macro is enabled, a batch file is dropped into the affected system, along with a .VBS file and a PowerShell script. The batch file is programmed to run the .VBS file, which is then prompted to run the PowerShell file. The PowerShell file finally downloads the VAWTRAK variant, detected as BKDR_VAWTRAK.DOKR.” continues the post.
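The dropper chain in the quoted paragraph (Word macro, then batch file, then .VBS, then PowerShell downloading the payload) leaves a distinctive process ancestry on the endpoint. The following Python is an added example, not code from Trend Micro or from this article: it rebuilds that ancestry from constructed Sysmon-style process-creation events and flags any powershell.exe whose parents are only cmd/wscript/cscript hops back to an Office application, so it also covers chains with more or fewer script-host hops than the one described. All process ids, paths and file names are constructed.

```python
import ntpath  # Windows path handling regardless of the OS running the detector

# Constructed process-creation events (Sysmon Event ID 1 style), not real telemetry.
# Tuple layout: (pid, parent pid, image path, command line)
SAMPLE_EVENTS = [
    (100, 1, r"C:\Program Files\Microsoft Office\WINWORD.EXE", r"WINWORD.EXE /n FedEx_receipt.doc"),
    (200, 100, r"C:\Windows\System32\cmd.exe", r"cmd.exe /c C:\Users\u\AppData\Local\Temp\run.bat"),
    (300, 200, r"C:\Windows\System32\wscript.exe", r"wscript.exe C:\Users\u\AppData\Local\Temp\a.vbs"),
    (400, 300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r"powershell.exe -File C:\Users\u\AppData\Local\Temp\d.ps1"),
    (500, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    # Benign: an administrator launching PowerShell from Explorer, must not be flagged.
    (600, 500, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe -NoProfile"),
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"cmd.exe", "wscript.exe", "cscript.exe"}
TARGET = "powershell.exe"


def ancestry(events, pid):
    """Return image basenames from pid up to the root (pid first); stops at unknown or looping parents."""
    by_pid = {e[0]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        _, ppid, image, _ = by_pid[pid]
        chain.append(ntpath.basename(image).lower())
        pid = ppid
    return chain


def find_macro_chains(events):
    """Flag powershell.exe reached from an Office app through zero or more cmd/wscript/cscript hops."""
    hits = []
    for pid, _, image, cmdline in events:
        if ntpath.basename(image).lower() != TARGET:
            continue
        chain = ancestry(events, pid)
        i = 1  # skip powershell itself, then walk past any script-host hops
        while i < len(chain) and chain[i] in SCRIPT_HOSTS:
            i += 1
        if i < len(chain) and chain[i] in OFFICE_APPS:
            hits.append({"pid": pid, "chain": " -> ".join(reversed(chain[: i + 1])), "cmdline": cmdline})
    return hits


if __name__ == "__main__":
    for hit in find_macro_chains(SAMPLE_EVENTS):
        print(f"pid {hit['pid']}: {hit['chain']} | {hit['cmdline']}")
```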

The VAWTRAK banking trojan is able to steal information from different sources, including email credentials from mail clients such as Microsoft Outlook and Windows Mail. The malicious code can also steal sensitive data from the most common browsers, as well as account information for File Transfer Protocol (FTP) clients and file manager software like FileZilla.

“Additionally, BKDR_VAWTRAK.DOKR can bypass two-factor authentication like one-time password (OTP) tokens and also has functionalities like Automatic Transfer System (ATS). The SSL bypass and ATS capabilities of VAWTRAK malware depend on the configuration file it receives. The configuration file contains the script used for ATS and SSL, which is injected into the web browser,” states the post. “It also performs information theft through methods like form grabbing, screenshots, and site injections. Some of the targeted sites include Amazon, Facebook, Farmville, Google, Gmail, Yahoo Mail, and Twitter.”

The experts highlighted the continuous improvement of the VAWTRAK banking malware since it was first spotted in August 2013; it can be considered a privileged tool in the criminal ecosystem.

Pierluigi Paganini

(Security Affairs –  VAWTRAK, malware)
