• Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
MUST READ

Allianz Life data breach exposed the data of most of its 1.4M customers

 | 

SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 55

 | 

Security Affairs newsletter Round 534 by Pierluigi Paganini – INTERNATIONAL EDITION

 | 

Law enforcement operations seized BlackSuit ransomware gang’s darknet sites

 | 

Arizona woman sentenced for aiding North Korea in U.S. IT job fraud scheme

 | 

Operation CargoTalon targets Russia’s aerospace with EAGLET malware,

 | 

Unpatched flaw in EoL LG LNV5110R cameras lets hackers gain Admin access

 | 

Koske, a new AI-Generated Linux malware appears in the threat landscape

 | 

Mitel patches critical MiVoice MX-ONE Auth bypass flaw

 | 

Coyote malware is first-ever malware abusing Windows UI Automation

 | 

SonicWall fixed critical flaw in SMA 100 devices exploited in Overstep malware attacks

 | 

DSPM & AI Are Booming: $17.87B and $4.8T Markets by 2033

 | 

Stealth backdoor found in WordPress mu-Plugins folder

 | 

U.S. CISA adds CrushFTP, Google Chromium, and SysAid flaws to its Known Exploited Vulnerabilities catalog

 | 

U.S. CISA urges FCEB agencies to fix two Microsoft SharePoint flaws immediately and added them to its Known Exploited Vulnerabilities catalog

 | 

Sophos fixed two critical Sophos Firewall vulnerabilities

 | 

French Authorities confirm XSS.is admin arrested in Ukraine

 | 

Microsoft linked attacks on SharePoint flaws to China-nexus actors

 | 

Cisco confirms active exploitation of ISE and ISE-PIC flaws

 | 

SharePoint under fire: new ToolShell attacks target enterprises

 | 
  • Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
  • Home
  • Breaking News
  • Cyber Crime
  • Malware
  • A new strain of banking trojan VAWTRAK uses Macros and abuses Windows PowerShell

A new strain of banking trojan VAWTRAK uses Macros and abuses Windows PowerShell

Pierluigi Paganini February 25, 2015

Security experts at TrendMicro observed significant improvements in VAWTRAK banking trojan which couples use malicious macros and Windows PowerShell.

Early 2015 the Microsoft Malware Protection Center (MMPC) issued an alert about a surge in the infections of malware using macros to spread their malicious code. The experts MMPC have observed a significant increase in enable-macros based malware, the most active codes include Adnel and Tarbir.

macros malware attacks

Last year experts at TrendLabs observed criminal crews using the Windows PowerShell command shell to spread ROVNIX via malicious macro downloaders. The experts are now seeing cyber criminals using malicious macros in Microsoft Word Windows to spread the banking malware VAWTRAK. The malware specialists at Trend Micro noticed the VAWTRAK agent for the first time in June 2014, when it was abusing a Windows feature called Software Restriction Policies (SRP) to prevent victims’ systems from running a wide range of security programs, including antivirus software from  Trend Micro, ESET, AVG Symantec, Microsoft, Intel and many others for a total of 53 different applications. The variant targeted users of banks in Japan, Germany, UK and Swiss.

This time crooks used the agent to target several financial institutions including Bank of America, Barclays, Citibank, HSBC, Lloyd’s Bank, and J.P. Morgan.

The kill chain begins with phishing emails, the majority of messages used to spread  the VAWTRAK  banking malware are crafted to look like they came from the mailing company FedEx.

“The emails notify their recipients that a package was delivered to them, and contain a receipt number attached for the supposed ‘delivery.'” states a report published by TrendMicro.

As observed in many other cases of infection based on Windows Macro, when email recipients open the document will first see jumbled symbols. The messages instruct victims to enable the macros in order to correctly read the message.

VAWTRAK Macro

Once enable the macro, a .VBS file and PowerShell script will be dropped onto the victim’s machine.

“Once the macro is enabled, a batch file is dropped into the affected system, along with a .VBS file and a PowerShell script. The batch file is programmed to run the .VBS file, which is then prompted to run the PowerShell file. The PowerShell file finally downloads the VAWTRAK variant, detected as BKDR_VAWTRAK.DOKR.” continues the post.

The VAWTRAK banking trojan is able to steal information from different sources, including email credentials from mail services like Microsoft Outlook and Windows Mail. The malicious code could be used to steal sensitive data from most common browsers, it also steals account information for File Transfer Protocol (FTP) clients or file manager software like FileZilla.

“Additionally, BKDR_VAWTRAK.DOKR can bypass two-factor authentication like one-time password (OTP) tokens and also has functionalities like Automatic Transfer System (ATS). The SSL bypass and ATS capabilities of VAWTRAK malware depends on the configuration file it receives. The configuration file contains the script used for ATS and SSL, which is injected into the web browser. ” states the post . “It also performs information theft through methods like form grabbing, screenshots, and site injections. Some the targeted sites include Amazon, Facebook, Farmville, Google, Gmail, Yahoo Mail, and Twitter.”

The experts highlighted the continuous improvement of the VAWTRAK banking malware since it was first spotted in August 2013, it could be considered a privileged tool in the criminal ecosystem.

Pierluigi Paganini

(Security Affairs –  VAWTRAK, malware)


facebook linkedin twitter

banking trojan Cybercrime macro malware TrendLabs TrendMicro Vawtrak

you might also like

Pierluigi Paganini July 27, 2025
Allianz Life data breach exposed the data of most of its 1.4M customers
Read more
Pierluigi Paganini July 27, 2025
SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 55
Read more

leave a comment

newsletter

Subscribe to my email list and stay
up-to-date!

    recent articles

    Allianz Life data breach exposed the data of most of its 1.4M customers

    Data Breach / July 27, 2025

    SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 55

    Malware / July 27, 2025

    Security Affairs newsletter Round 534 by Pierluigi Paganini – INTERNATIONAL EDITION

    Breaking News / July 27, 2025

    Law enforcement operations seized BlackSuit ransomware gang’s darknet sites

    Cyber Crime / July 26, 2025

    Arizona woman sentenced for aiding North Korea in U.S. IT job fraud scheme

    Intelligence / July 26, 2025

    To contact me write an email to:

    Pierluigi Paganini :
    pierluigi.paganini@securityaffairs.co

    LEARN MORE

    QUICK LINKS

    • Home
    • Cyber Crime
    • Cyber warfare
    • APT
    • Data Breach
    • Deep Web
    • Digital ID
    • Hacking
    • Hacktivism
    • Intelligence
    • Internet of Things
    • Laws and regulations
    • Malware
    • Mobile
    • Reports
    • Security
    • Social Networks
    • Terrorism
    • ICS-SCADA
    • POLICIES
    • Contact me

    Copyright@securityaffairs 2024

    We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent.
    Cookie SettingsAccept All
    Manage consent

    Privacy Overview

    This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities...
    Necessary
    Always Enabled
    Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
    Non-necessary
    Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
    SAVE & ACCEPT