Vawtrak, Neverquest, or Snifula are different names of the same banking Trojan that has been spreading in recent months. It infects victims via malware downloaders (e.g. Zemot, Chaintor), exploit kits, or through drive-by downloads (e.g. spam email attachments or links).
Our analysis has shown that once it has infected a system, Vawtrak gains access to the bank accounts the victim visits. Furthermore, Vawtrak uses the infamous Pony module to steal a wide range of login credentials, such as passwords stored in browsers and FTP clients, private keys, and credentials stored in remote-desktop settings.
As we will discuss in this technical report, Vawtrak is a sophisticated piece of malware both in terms of its supported features (creating VNC and SOCKS servers, screenshot and video capturing, use of steganography, etc.) and in terms of its extensibility: the list of available command and control (C&C) servers, the Vawtrak executable itself, and the web-inject frameworks are all updated regularly.
Vawtrak infections, based on our statistics, are most prevalent on devices in the Czech Republic, USA, UK, and Germany this year.
In the following text, we describe Vawtrak from two perspectives – (1) Vawtrak's infection vector and (2) description of its features and internals. This report will mainly focus on the analysis of the features and internals.