As part of our ongoing effort to provide better malware protection, we are adding the following detections to the Microsoft Malicious Software Removal Tool (MSRT) this month:
Critroni is a ransomware malware family that can lock your files and ask you to pay money to regain access to them. Variants in the Kasidet family can steal your sensitive information and send it to a remote attacker. This blog has more information about the Vawtrak malware family.
Vawtrak infection chain
Vawtrak is a family of information-stealing malware that can be used to steal banking credentials. It is also known as NeverQuest and Snifula.
Vawtrak variants are typically distributed through one of three infection vectors:
- Exploit kits (for example, Angler)
- Spam email attachments (for example, a malicious zip attachment containing the Vawtrak binary)
- Macro malware (for example, Bartallex)
Exploit kits such as Angler exploit vulnerabilities in common software. Keeping your software up-to-date can help reduce the chance of infection through these vulnerabilities.
Macro malware can install other malware, such as Vawtrak, on your PC when you open a malicious spam email attachment and enable macros on your PC. You can read more about this type of threat on our macro help page.
Figure 1 shows the spam email/Bartallex infection chain:
Figure 1: Vawtrak infection chain
Vawtrak malware details
The Vawtrak dropper installs a DLL component to %ALLUSERSPROFILE%\<random folder name>\<random file name>. The random folder and file names are generated using a linear congruential generator (LCG) algorithm seeded with the volume serial number of the system drive. Because the seed is the same on a given PC, the generated names are fixed for that PC every time the malware runs.
The malware uses the same technique to store its configuration information in the registry, which makes it easier for the threat to retrieve the configuration after a reboot or an update.
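The two paragraphs above describe one property: names derived from a seed that is constant for a PC come out the same on every run there, but differ from PC to PC. The script below is an added illustration of that property and is not Vawtrak's code; the LCG constants (the classic ANSI C rand() parameters), the lowercase alphabet, the name lengths and the sample volume serial are all assumptions chosen only to make the behaviour visible.

```python
# Added illustration of seeded-LCG artifact naming. NOT Vawtrak's real
# algorithm or constants: the multiplier/increment/modulus below are the
# classic ANSI C rand() parameters, chosen only to show the property the
# post describes (same seed -> same names on every run on one PC).

LCG_A = 1103515245
LCG_C = 12345
LCG_M = 2 ** 31

ALPHABET = "abcdefghijklmnopqrstuvwxyz"  # assumed name alphabet


def lcg_stream(seed):
    """Yield successive LCG states, starting from the given seed."""
    state = seed % LCG_M
    while True:
        state = (LCG_A * state + LCG_C) % LCG_M
        yield state


def random_name(rng, length):
    """Build a lowercase name of `length` characters from the LCG stream."""
    return "".join(ALPHABET[next(rng) % len(ALPHABET)] for _ in range(length))


def derive_artifacts(volume_serial, folder_len=8, file_len=8, value_len=6):
    """Return the (hypothetical) drop path and registry value name that a
    generator seeded with the system drive's volume serial number would
    produce. Folder, file and value-name lengths are assumptions."""
    rng = lcg_stream(volume_serial)
    folder = random_name(rng, folder_len)
    dll = random_name(rng, file_len) + ".dll"
    reg_value = random_name(rng, value_len)
    return {
        "dll_path": rf"%ALLUSERSPROFILE%\{folder}\{dll}",
        "registry_value": reg_value,
    }


def is_deterministic(volume_serial):
    """Defender's check: two independent runs with the same seed must agree."""
    return derive_artifacts(volume_serial) == derive_artifacts(volume_serial)


if __name__ == "__main__":
    # Constructed sample volume serial (the value `vol C:` prints as 1A2B-3C4D).
    serial = 0x1A2B3C4D
    art = derive_artifacts(serial)
    print(f"seed {serial:08X} -> {art['dll_path']}  value={art['registry_value']}")
    print("same names on every run:", is_deterministic(serial))
    print("different PC, different names:",
          derive_artifacts(serial + 1)["dll_path"] != art["dll_path"])
```

The consequence for defenders is the one the post relies on: a file name or registry value name collected from one infected machine is not a usable indicator for another, so cleanup has to recognise the component by its content or behaviour rather than by a fixed path.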
It then injects the DLL into all running processes and browsers.
Once Vawtrak is running inside a web browser process, it steals your user names and passwords for certain websites. The websites targeted vary. The malware also contacts its command and control server to retrieve configuration files and other bot commands.
There are more details about the malware payload in our Win32/Vawtrak family description.
Figure 2 shows the number of Vawtrak encounters we have seen during the past two months. Most infections occurred in the United States and the UK, as shown in Figure 3.
Figure 2: Vawtrak encounters
Figure 3: Top 10 countries affected by Vawtrak
MSRT cleanup for Vawtrak will remove executable files and registry entries related to the malware. It will also restore the default system settings. Microsoft security products, such as Windows Defender for Windows 10, also include detection for Vawtrak and other malware families.
It’s also always important to:
- Keep your security product and other software up-to-date.
- Guard against the dangers of opening suspicious emails. Don’t open email attachments or links from untrusted sources. The Microsoft SmartScreen filter can also help detect spam. It’s built-in and enabled by default in Microsoft email programs.
For enterprise users:
- Follow the appropriate Exchange Online Protection instructions to suit your business needs.
- Learn how Office 365 can help block spam using machine learning. See First look at Advanced Threat Protection: new tools to stop unknown malware & phishing attacks for details.
- Submit spam and non-spam messages to Microsoft for analysis.
Wei Li & Zhitao Zhou