Analysis of Banking Trojan Vawtrak

Written by AVG Signal Team
Published on April 2, 2015

Our analysis has shown that once it has infected a system, Vawtrak gains access to bank accounts visited by the victim. Furthermore, Vawtrak uses the infamous Pony module to steal a wide range of login credentials, such as passwords stored in browsers and FTP clients, private keys, and credentials stored in remote-desktop settings.

As we will discuss in this technical report, Vawtrak is a sophisticated piece of malware in terms of its supported features (creating VNC and SOCKS servers, screenshot and video capturing, use of steganography, etc.) and its extensibility, with regular updates of the available command and control (C&C) servers, the Vawtrak executable, and the web-inject frameworks.

Vawtrak infections, based on our statistics, are most prevalent on devices in the Czech Republic, USA, UK, and Germany this year.

In the following text, we describe Vawtrak from two perspectives: (1) Vawtrak's infection vector and (2) a description of its features and internals. This report mainly focuses on the analysis of the features and internals.

Read the full report here

AVG protects you and your family against online threats in today's digital world. Get global-trusted security for all your devices with AVG AntiVirus FREE for PC, and also for your mobile phone with AVG AntiVirus for Android.

Protect yourself from harm and learn some useful tips on website safety. If you've already been infected, read our guide on how to remove a virus from your computer.
