http://blogs.technet.com/b/mmpc/archive/2015/08/11/msrt-august-2015-vawtrak.aspx
TL;DR
- Vawtrak aka NeverQuest and Snifula
- Banking trojan
- Angler, attachments - with Chanitor downloader
- The Vawtrak dropper installs a DLL component to %ALLUSERSPROFILE%\<random folder name>\<random file name>.
- The random folder and file names are generated using a linear congruential generator (LCG) algorithm seeded with the volume serial number of the system drive.
- It is fixed for a specific PC whenever the malware runs.
- The malware also uses the same trick to store configuration information to the registry, to make it easier for the threat to retrieve the configuration after reboot or update.
- It then injects the DLL into all running processes and browsers.
- Once Vawtrak is running in a web browser process it steals your user names and passwords for some websites. The websites targeted can vary. The malware also contacts its command and control server to get configuration files and other bot commands.
-----------------------------------------------------------------------------------------------------------------
Original
As part of our ongoing effort to provide better malware protection, we are adding the following detections to the Microsoft Malicious Software Removal Tool (MSRT) this month:
Critroni is a ransomware malware family that can lock your files and ask you to pay money to regain access to them. Variants in the Kasidet family can steal your sensitive information and send it to a remote attacker. This blog has more information about the Vawtrak malware family.
Vawtrak infection chain
Vawtrak is a family of information-stealing malware that can be used to steal banking credentials. It is also known as NeverQuest and Snifula. Vawtrak variants are typically distributed through one of three infection vectors:
- Exploit kits (for example, Angler)
- Spam email attachments (for example as a malicious zip attachment containing the Vawtrak binary)
- Macro malware (for example, Bartallex)
Macro malware can install other malware, such as Vawtrak, on your PC when you open a malicious spam email attachment and enable macros on your PC. You can read more about this type of threat on our macro help page.
Figure 1 shows the spam email/Bartallex infection chain:
Figure 1: Vawtrak infection chain
Vawtrak malware details
The Vawtrak dropper installs a DLL component to %ALLUSERSPROFILE%\<random folder name>\<random file name>. The random folder and file names are generated using a linear congruential generator (LCG) algorithm seeded with the volume serial number of the system drive, so they are fixed for a specific PC whenever the malware runs. The malware uses the same trick to store configuration information in the registry, making it easier for the threat to retrieve the configuration after a reboot or update.
It then injects the DLL into all running processes and browsers.
Once Vawtrak is running in a web browser process it steals your user names and passwords for some websites. The websites targeted can vary. The malware also contacts its command and control server to get configuration files and other bot commands.
There are more details about the malware payload in our Win32/Vawtrak family description.
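An added illustration, not code from the MMPC post and not Vawtrak's own generator: a linear congruential generator seeded with the volume serial number yields the same folder and file names every time it runs on a given PC and different names on every other PC, which is why a single fixed path is not a usable indicator across hosts, while a defender who knows a host's volume serial can derive the path to check on that host. The LCG constants, the 8-letter name length and the `.dll` suffix are assumptions.

```python
# Added example: a seeded LCG producing per-machine "random" names, in the
# spirit of the dropper behaviour described above. Constants, name length and
# file suffix are assumptions for illustration, not Vawtrak's real values.

ALPHABET = "abcdefghijklmnopqrstuvwxyz"
LCG_A, LCG_C, LCG_M = 1664525, 1013904223, 1 << 32  # assumed 32-bit LCG


def lcg_states(seed: int):
    """Yield successive 32-bit LCG states starting from the given seed."""
    state = seed & (LCG_M - 1)
    while True:
        state = (LCG_A * state + LCG_C) % LCG_M
        yield state


def derive_names(volume_serial: int, length: int = 8):
    """Return (folder_name, file_name) derived only from the volume serial.

    Because the generator is seeded with a fixed per-machine value, the
    output is stable across reboots on that machine but differs elsewhere.
    """
    rng = lcg_states(volume_serial)

    def pick() -> str:
        # Index the alphabet with bits 16..31: the low bits of a power-of-two
        # modulus LCG cycle with very short periods and make poor choices.
        return ALPHABET[(next(rng) >> 16) % len(ALPHABET)]

    folder = "".join(pick() for _ in range(length))
    fname = "".join(pick() for _ in range(length)) + ".dll"
    return folder, fname


def expected_drop_path(volume_serial: int) -> str:
    """Drop path a defender would expect on a host with this volume serial."""
    folder, fname = derive_names(volume_serial)
    return "%ALLUSERSPROFILE%\\" + folder + "\\" + fname


def matches_expected(observed_path: str, volume_serial: int) -> bool:
    """True if an observed path equals the path derived for this host."""
    return observed_path.lower() == expected_drop_path(volume_serial).lower()


if __name__ == "__main__":
    # Two constructed volume serial numbers standing in for two different PCs.
    for serial in (0x1A2B3C4D, 0x1A2B3C4E):
        print(f"{serial:08X} -> {expected_drop_path(serial)}")
```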
Vawtrak telemetry
Figure 2 shows the number of Vawtrak encounters we have seen during the past two months. Most infections occurred in the United States and the UK, as shown in Figure 3.
Figure 2: Vawtrak encounters
Figure 3: Top 10 countries affected by Vawtrak
from Microsoft Malware Protection Center http://ift.tt/1ID0AcR