Dangerous Banking Trojan “Vawtrak” Harvests Passwords Using Favicons
New features have been found concerning the dangerous banking Vawtrak malware that allow the malware to send and receive data through encrypted favicons distributed through the Tor network. This malware is used to harvest banking, gaming, and social media details, such as passwords, and is considered one of the worst single threats in existence. It uses Tor2Web proxy to receive updates from its cyber criminal developers and can access and update servers that are hosted on the Tor hidden web services without having to use specialist software such as Torbrowser. The communication with the remote server is done over SSL, which adds deeper encryption.
The latest Vawtrak sample uses stenography to conceal update files within favicons found across online locations. Favicons are the small images used for website bookmarks and browser tabs. The fact that this malware takes advantage of favicon images is a novel trick that helps conceal malicious downloads associated with the dangerous malware.
Vawktrak malware is used to compromise banking, gaming and social network users across the world including United Kingdom, the United States of America, Finland, and Germany. Computer users in Australia and other places in Europe are also affected by this malware but to a lesser extent.
This malware has features that allow it to defeat antivirus platforms used to protect against it including AVG. It is a browser password-stealing threat that uses vectors including the Pony loader and the infamous Angler exploit kit.
According to security researches, the silver lining to the attack is that Vawtrak malware is so aggressive that it can destabilize infected systems, and that makes it ultimately easier to detect compared to similar parasites.