MSRT August 2015: Vawtrak


As part of our ongoing effort to provide better malware protection, we are adding the following detections to the Microsoft Malicious Software Removal Tool (MSRT) this month:

Critroni is a ransomware family that can lock your files and demand payment to regain access to them. Variants in the Kasidet family can steal your sensitive information and send it to a remote attacker. The rest of this post looks at the Vawtrak malware family.

Vawtrak infection chain

Vawtrak is a family of information-stealing malware that can be used to steal banking credentials. It is also known as NeverQuest and Snifula.

Vawtrak variants are typically distributed through one of three infection vectors:

  • Exploit kits (for example, Angler)
  • Spam email attachments (for example as a malicious zip attachment containing the Vawtrak binary)
  • Macro malware (for example, Bartallex)

Exploit kits such as Angler exploit vulnerabilities in common software. Keeping your software up-to-date can help reduce the chance of infection through these vulnerabilities.

Macro malware can install other malware, such as Vawtrak, on your PC when you open a malicious spam email attachment and enable the macros it contains. You can read more about this type of threat on our macro help page.

Figure 1 shows the spam email/Bartallex infection chain:

Figure 1: Vawtrak infection chain

Vawtrak malware details

The Vawtrak dropper installs a DLL component to %ALLUSERSPROFILE%\<random folder name>\<random file name>. The random folder and file names are generated using a linear congruential generator (LCG) algorithm seeded with the volume serial number of the system drive. Because the seed is derived from the machine rather than from time or a random source, the generated names are the same every time the malware runs on a given PC.

The malware uses the same trick to derive the registry locations in which it stores its configuration, so that it can recompute those names and retrieve the configuration after a reboot or an update without having to record them anywhere.
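To make the machine-keyed naming above concrete, here is an added example (not Vawtrak's own code; its real LCG constants, alphabet and name lengths are not given on this page, and the values below are assumptions). It seeds an LCG with a volume serial number of the kind `vol C:` prints, derives a folder name, a DLL file name and a registry value name from it, and shows the defender-side use of that property: given a host's volume serial, you can compute the paths the algorithm would produce and check an observed path against them. The sample serial numbers are constructed.

```python
"""Deterministic, machine-keyed artifact names from a seeded LCG.

ASSUMPTIONS (illustrative only, not taken from Vawtrak): the LCG constants
(MSVC rand()-style multiplier and increment), the lower-case alphabet, the
name lengths and the base directory default.  Vawtrak's real parameters are
not described on this page.
"""

LCG_MULTIPLIER = 214013      # assumed constant
LCG_INCREMENT = 2531011      # assumed constant
LCG_MODULUS = 2 ** 32
ALPHABET = "abcdefghijklmnopqrstuvwxyz"


def parse_volume_serial(text):
    """Turn the 'XXXX-XXXX' form shown by `vol C:` into a 32-bit integer."""
    return int(text.replace("-", ""), 16)


def lcg(seed):
    """Yield an endless stream of 32-bit LCG states starting from seed."""
    state = seed % LCG_MODULUS
    while True:
        state = (state * LCG_MULTIPLIER + LCG_INCREMENT) % LCG_MODULUS
        yield state


def random_name(gen, length):
    """Build a name of the given length from successive LCG states.

    The high bits are used because the low bits of a power-of-two-modulus
    LCG have very short cycles.
    """
    return "".join(ALPHABET[(next(gen) >> 16) % len(ALPHABET)]
                   for _ in range(length))


def install_artifacts(volume_serial, base=r"C:\ProgramData",
                      folder_len=8, file_len=8, regval_len=8):
    """Derive the names a machine-keyed dropper would produce for one PC.

    volume_serial is the only source of entropy, so the same machine always
    yields the same folder, file and registry value name.  Returns a dict
    with 'folder', 'dll_path' and 'reg_value' (all assumed lengths).
    """
    gen = lcg(volume_serial)
    folder = random_name(gen, folder_len)
    filename = random_name(gen, file_len) + ".dll"
    reg_value = random_name(gen, regval_len)
    return {
        "folder": folder,
        "dll_path": base + "\\" + folder + "\\" + filename,
        "reg_value": reg_value,
    }


def matches_host(observed_path, volume_serial, base=r"C:\ProgramData"):
    """Defender check: does an observed DLL path equal the one this host's
    volume serial would generate?  Case-insensitive, as NTFS paths are."""
    expected = install_artifacts(volume_serial, base)["dll_path"]
    return observed_path.lower() == expected.lower()


if __name__ == "__main__":
    serial = parse_volume_serial("1A2B-3C4D")        # constructed sample
    first = install_artifacts(serial)
    again = install_artifacts(serial)
    print("same PC, two runs identical:", first == again)
    print("dll path:", first["dll_path"])
    print("registry value name:", first["reg_value"])
    other = install_artifacts(parse_volume_serial("DEAD-BEEF"))
    print("different PC, different folder:", first["folder"] != other["folder"])
    print("observed path matches host:", matches_host(first["dll_path"], serial))
```

The practical point for incident response is the last function: where a family seeds its name generator from a per-machine constant, the "random" paths are reproducible, so a known algorithm plus the host's volume serial gives you the exact paths and registry names to collect, rather than a pattern to search for.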

It then injects the DLL into all running processes, including web browsers.

Once Vawtrak is running inside a web browser process, it steals your user names and passwords for the websites it targets. The list of targeted websites is not fixed; it depends on the configuration the malware receives. The malware also contacts its command and control server to get updated configuration files and other bot commands.

There are more details about the malware payload in our Win32/Vawtrak family description.

Vawtrak telemetry

Figure 2 shows the number of Vawtrak encounters we have seen during the past two months. Most infections occurred in the United States and the UK, as shown in Figure 3.


Figure 2: Vawtrak encounters


Figure 3: Top 10 countries affected by Vawtrak

Stay protected

MSRT cleanup for Vawtrak will remove executable files and registry entries related to the malware. It will also restore the default system settings. Microsoft security products, such as Windows Defender for Windows 10, also include detection for Vawtrak and other malware families.

It’s also always important to:

For enterprise users:

MMPC
Wei Li & Zhitao Zhou


Comments (1)

  1. tom says:

    I noticed that the MSRT was re-released today, August 18. What was the cause of this?