Banking Malware VAWTRAK Now Uses Malicious Macros, Abuses Windows PowerShell

Last year we saw how the Windows PowerShell® command shell was involved in spreading ROVNIX via malicious macro downloaders. Though the attack seen in November did not directly abuse the PowerShell feature, we’re now seeing the banking malware VAWTRAK abuse this Windows feature, while also employing malicious macros in Microsoft Word.

The banking malware VAWTRAK steals online banking information. Some of the targeted banks include Bank of America, Barclays, Citibank, HSBC, Lloyd’s Bank, and J.P. Morgan. Other variants seen in the past targeted German, British, Swiss, and Japanese banks.

Arriving via “FedEx” Spam

The infection chain begins with spammed messages. Most of the messages involved in this infection are made to look like they came from the shipping company FedEx. The emails notify their recipients that a package was delivered to them and carry an attachment presented as the receipt for the supposed “delivery.”

Figure 1. “FedEx” spam

Another email we saw came from a fake American Airlines email address, which informs recipients that their credit card has been processed for a transaction. The attached “ticket” is a Microsoft Word file that supposedly contains details of the transaction.

Figure 2. “American Airlines” email

Using Macros and PowerShell

Email recipients who open the document will first see jumbled symbols. The document instructs users to enable the macros, and a security warning on the upper right hand corner leads users to enable the feature.

Figure 3. Document before and after enabling the macro feature

Once the macro is enabled, a batch file is dropped onto the affected system, along with a .VBS file and a PowerShell script. The batch file runs the .VBS file, which in turn launches the PowerShell script. The PowerShell script finally downloads the VAWTRAK variant, detected as BKDR_VAWTRAK.DOKR.

Figure 4. Connecting to URLs to download VAWTRAK

The use of three components (batch file, VBScript, and Windows PowerShell script) might be an evasion tactic. The VBS file launches PowerShell with the “-ExecutionPolicy bypass” flag to get around the execution policy configured on the affected system. Execution policies are often seen as a “security” feature by many administrators: they will not allow scripts to run unless the scripts meet the requirements of the policy. When the “-ExecutionPolicy bypass” flag is used, “nothing is blocked and there are no warnings or prompts.” This means that the malware infection chain can proceed without any security blocks.
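One way a defender can catch this chain in process-creation telemetry is to flag powershell.exe launched by a script host (wscript.exe/cscript.exe) or with an execution-policy bypass argument. This is an added example, not code from the original post or from Trend Micro; the log events are constructed, and the regex assumes the abbreviated forms PowerShell accepts for -ExecutionPolicy (such as -ep or -exec) are in scope.

```python
import re

# Constructed process-creation events (parent image, child image, command line),
# in the shape of an EDR or Sysmon export. Not real telemetry.
SAMPLE_EVENTS = [
    ("winword.exe", "cmd.exe", r"cmd.exe /c C:\Users\u\AppData\Local\Temp\run.bat"),
    ("cmd.exe", "wscript.exe", r"wscript.exe C:\Users\u\AppData\Local\Temp\load.vbs"),
    ("wscript.exe", "powershell.exe",
     r"powershell.exe -ExecutionPolicy bypass -File C:\Users\u\AppData\Local\Temp\dl.ps1"),
    ("explorer.exe", "powershell.exe", r"powershell.exe -NoProfile -File C:\it\inventory.ps1"),
    ("cscript.exe", "powershell.exe", r'powershell.exe -ep Bypass -w hidden -c "iex (...)"'),
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# powershell.exe accepts unambiguous prefixes of -ExecutionPolicy, so match
# "-ep", "-ex", "-exec", ... followed by "bypass" (assumption: these cover the
# abbreviations in scope). Case-insensitive because PowerShell is.
BYPASS_RE = re.compile(r"-e(?:p|x\w*)\s+bypass", re.IGNORECASE)


def find_suspicious(events):
    """Return PowerShell launches that came from a script host or carry a bypass flag."""
    hits = []
    for parent, image, cmdline in events:
        if image.lower() != "powershell.exe":
            continue
        from_script_host = parent.lower() in SCRIPT_HOSTS
        has_bypass = BYPASS_RE.search(cmdline) is not None
        if from_script_host or has_bypass:
            hits.append({
                "parent": parent,
                "cmdline": cmdline,
                "script_host_parent": from_script_host,
                "execution_policy_bypass": has_bypass,
                # Both indicators together is the pattern described for this chain.
                "severity": "high" if (from_script_host and has_bypass) else "medium",
            })
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print(hit["severity"], hit["parent"], "->", hit["cmdline"])
```

The administrator-run inventory script is not flagged because it neither comes from a script host nor asks for the bypass policy.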

VAWTRAK Routines

Once BKDR_VAWTRAK.DOKR is on the computer, it steals information from different sources. For example, it steals email credentials from mail clients like Microsoft Outlook and Windows Mail. It also attempts to steal information from different browsers, including Google Chrome and Mozilla Firefox. It also steals account information for File Transfer Protocol (FTP) clients or file manager software like FileZilla.

Additionally, BKDR_VAWTRAK.DOKR can bypass two-factor authentication like one-time password (OTP) tokens and also has functionalities like Automatic Transfer System (ATS).

The SSL bypass and ATS capabilities of VAWTRAK depend on the configuration file it receives. The configuration file contains the scripts used for ATS and SSL bypass, which are injected into the web browser. The malicious scripts may change depending on the targeted site. SSL bypass and ATS scripts act like automation scripts injected into the client’s web browser. This creates the impression that the transactions are done on the victim’s machine, which minimizes suspicion toward the malware.

It also performs information theft through methods like form grabbing, screenshots, and site injections. Some of the targeted sites include Amazon, Facebook, Farmville, Google, Gmail, Yahoo Mail, and Twitter.

VAWTRAK, Old and New

The use of Microsoft Word documents with malicious macro code is a departure from known VAWTRAK arrival vectors. VAWTRAK variants were previously payloads of exploits, and some VAWTRAK infections were part of a chain involving the Angler exploit kit. The routine involving the use of macros is similar to that of other data-stealing malware, specifically ROVNIX and DRIDEX.

Another significant change we have seen is the path and file name used by the malware. VAWTRAK variants previously used these paths and file names:

%All Users Profile%\Application Data\{random file name}.dat

%Program Data%\{random file name}.dat

They have since changed to

%All Users Profile%\Application Data\{random folder name}\{random filename}.{random file extension}

%Program Data%\{random folder name}\{random filename}.{random file extension}

The change in path and file name has security implications. It would affect systems relying on behavior rules. If their rules for VAWTRAK look for a .DAT extension directly under the %All Users Profile%\Application Data and %Program Data% folders, they need to be updated to catch these VAWTRAK samples.
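To make the rule change concrete, here is an added example (not code from the original post or from Trend Micro) that encodes the old path rule beside an updated one and runs both over constructed file paths. It assumes %Program Data% and %All Users Profile%\Application Data expand to C:\ProgramData and C:\Documents and Settings\All Users\Application Data respectively, and that the “random folder” sits directly under that root.

```python
import re

# Assumed expansions of the environment-variable paths named above.
ROOTS = (
    r"C:\ProgramData",
    r"C:\Documents and Settings\All Users\Application Data",
)
ROOT_RE = "|".join(re.escape(root) for root in ROOTS)

# Old behavior rule: a .dat file sitting directly under the data root.
OLD_RULE = re.compile(rf"^(?:{ROOT_RE})\\[^\\]+\.dat$", re.IGNORECASE)

# Updated rule: exactly one (random) folder under the root, then a file with
# any extension. Deliberately no extension check, since the extension is now random.
NEW_RULE = re.compile(rf"^(?:{ROOT_RE})\\[^\\]+\\[^\\]+\.[^\\.]+$", re.IGNORECASE)


def classify(path):
    """Report which of the two rules a file path matches."""
    return {
        "old_rule": OLD_RULE.match(path) is not None,
        "new_rule": NEW_RULE.match(path) is not None,
    }


def flag_paths(paths):
    """Paths that either rule would flag; a rule set needs both to keep old coverage."""
    return [p for p in paths if any(classify(p).values())]


# Constructed file-creation events, not real samples. Note that the updated
# rule is broad (any file one folder deep under ProgramData), so in practice it
# should be combined with process context such as the PowerShell chain above.
SAMPLE_PATHS = [
    r"C:\ProgramData\qz3ml9.dat",                                      # old layout
    r"C:\Documents and Settings\All Users\Application Data\kd82ha.DAT",  # old layout, XP-era root
    r"C:\ProgramData\Wuqhd\lmtrp.cjk",                                 # new layout
    r"C:\ProgramData\Microsoft\Windows\Caches\x.db",                   # two folders deep: neither
    r"C:\Users\u\AppData\Roaming\x.dat",                               # wrong root: neither
]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(classify(p), p)
```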

Macros for Evasion

VAWTRAK is the latest family to use macro-based attacks. Those were popular in the early 2000s but soon faded into relative obscurity. This particular VAWTRAK variant uses a password-protected macro, which makes analyzing the malware difficult since the macro cannot be viewed or opened without the password or a special tool.

Affected Countries

We have been monitoring this new wave of VAWTRAK infections since November 2014. Of the affected countries, the United States has the most infections, followed by Japan. Previous data from the Trend Micro™ Smart Protection Network™ showed that most VAWTRAK infections were found in Japan.

Figure 5. Top countries affected by this new VAWTRAK variant

Conclusion

VAWTRAK has gone through some notable improvements since it was first spotted in August 2013 as an attachment to fake shipping notification emails. Coupled with the continuous use and abuse of malicious macros and Windows PowerShell, cybercriminals have come up with an ideal tool for carrying out their data theft routines. The Trend Micro™ Smart Protection Network™ protects users from this threat by blocking all related malicious files, URLs, and spammed emails. Users are also advised to learn to discern fake emails from legitimate ones, and in this case, real airline tickets or receipts from fake ones.

Related hashes:

  • de9115c65e1ae3694353116e8d16de235001e827 (BKDR_VAWTRAK.DOKR)
  • 1631d05a951f3a2bc7491e1623a090d53d983a50 (W2KM_VLOAD.A)
  • 77332d7bdf99d5ae8a7d5efb33b20652888eea35 (BKDR_VAWTRAK.SM0)

With analysis and input by Jeffrey Bernardino, Raphael Centeno, Cris Pantanilla, Rhena Inocencio, Cklaudioney Mesa, Chloe Ordonia, and Michael Casayuran

Post from: Trendlabs Security Intelligence Blog – by Trend Micro

Story added 17 February 2015; the content source with the full text can be found at the link above.