Vawtrak malware spread via toxic Word documents is still a thing apparently

Beware poisoned parking tickets!

It's not as common as it once was, but malicious spam that infects users with the Pony and Vawtrak malware is still making its rounds in the wild.

On 10 January, Brad Duncan of the SANS Internet Storm Center received what appeared to be a parking ticket notification.

Fake parking ticket notification. (Source: SANS Internet Storm Center)

But it wasn't that at all. As he explained in a blog post:

"The link from the malspam downloaded a Microsoft Word document. The document contains a malicious VB macro described as Hancitor, Chanitor or Tordal. I generally call it Hancitor. If you enable macros, the document retrieves a Pony downloader DLL. The Pony downloader then retrieves and installs Vawtrak malware."

Flow chart of the infection process. (Source: SANS Internet Storm Center)

So just what is Vawtrak?

Vawtrak is a banking trojan that, more often than not, reaches users through malicious Microsoft Word documents, usually as the final payload of a multi-stage download chain like the one above.

Once Vawtrak infects a PC, it can log keystrokes, take screenshots and hijack the webcam. It also opens a remote-access backdoor through which its operators can steal files, digital certificates and passwords from the victim's computer.

No wonder some suspect Vawtrak helped steal thousands of MailChimp account credentials back in November 2016.

In this most recent attack, the infection stayed quiet until the victim opened a web browser: Vawtrak's callback traffic to its command-and-control servers only appeared once the user began browsing the web.

Vawtrak callback traffic seen only after trying to browse the web. (Source: SANS Internet Storm Center)

The fact that users continue to fall for attacks like this can be disheartening, so much so that some in the security community say researchers like Duncan are wasting their breath. He doesn't agree:

"That attitude only encourages the criminal groups behind malspam. For various reasons, many environments don't follow best security practices, and they're still vulnerable. If we discuss on-going waves of malspam in high-visibility forums like this one, more people will be aware of the threat."

We share Duncan's point of view. With that in mind, users can protect themselves against spammed-out malware campaigns, including the one Duncan detected, by avoiding suspicious links and email attachments.

Users should also consider disabling macros for Microsoft Word documents outright by following this guide. The setting lives in Word under File > Options > Trust Center > Trust Center Settings > Macro Settings; administrators can enforce it through Group Policy, and Office 2016 adds a policy that blocks macros in Office files that came from the internet, which is exactly where malspam attachments come from. If you decide to take that route, don't let ANYONE talk you into re-enabling them, least of all a document that asks you to "Enable Content".
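A check an analyst or mail gateway can run on an attachment before anyone reaches for "Enable Content": the script below, added here as an example and not taken from the ISC diary or this article, reports whether a Word file carries a VBA project, for both the OOXML (.docx/.docm) and legacy OLE2 (.doc) containers. The sample files it triages are constructed in memory and are not real malspam; the OLE2 check is a byte-signature heuristic rather than a full compound-file parse, and the function and file names are my own.

```python
"""
Attachment triage: flag a Word file that carries a VBA project before it is
opened. Added example for this article; it is not code from the ISC diary.

Two container formats are handled:
  * OOXML (.docx/.docm): a ZIP. A macro project is stored in the part
    word/vbaProject.bin and declared in [Content_Types].xml.
  * Legacy binary (.doc): an OLE2/CFB compound file. Directory-entry names
    are stored as UTF-16LE, so a VBA project leaves the string _VBA_PROJECT
    in that encoding. Searching the raw bytes for it is a triage heuristic
    (assumption: good enough to flag for a human), not a full CFB parse.
"""
import io
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_MAGIC = b"PK\x03\x04"
OLE2_VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")


def has_vba_macro(data: bytes) -> dict:
    """Return {'format': str, 'macro': bool, 'evidence': [str]} for a file's bytes."""
    if data.startswith(ZIP_MAGIC):
        return _check_ooxml(data)
    if data.startswith(OLE2_MAGIC):
        return _check_ole2(data)
    return {"format": "unknown", "macro": False, "evidence": []}


def _check_ooxml(data: bytes) -> dict:
    evidence = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = z.namelist()
            # The VBA project part itself; compare case-insensitively.
            evidence += [f"part {n}" for n in names if n.lower().endswith("vbaproject.bin")]
            if "[Content_Types].xml" in names:
                ct = z.read("[Content_Types].xml").decode("utf-8", "replace")
                if "macroEnabled" in ct:
                    evidence.append("content type declares a macroEnabled document")
                if "application/vnd.ms-office.vbaProject" in ct:
                    evidence.append("content type declares a vbaProject part")
    except zipfile.BadZipFile:
        return {"format": "zip (corrupt)", "macro": False, "evidence": ["unreadable zip"]}
    return {"format": "ooxml", "macro": bool(evidence), "evidence": evidence}


def _check_ole2(data: bytes) -> dict:
    evidence = []
    if OLE2_VBA_MARKER in data:
        evidence.append("OLE2 directory entry named _VBA_PROJECT")
    return {"format": "ole2", "macro": bool(evidence), "evidence": evidence}


def triage(filename: str, data: bytes) -> str:
    """Policy decision for a gateway or analyst: quarantine anything carrying a VBA project."""
    verdict = has_vba_macro(data)
    if verdict["macro"]:
        return f"QUARANTINE {filename}: {verdict['format']} with VBA ({'; '.join(verdict['evidence'])})"
    return f"allow {filename}: {verdict['format']}, no VBA project found"


# --- constructed samples (hypothetical, not real malspam documents) --------

def build_sample_ooxml(macro_enabled: bool) -> bytes:
    """Minimal OOXML container; with macro_enabled=True it mimics a .docm."""
    main_ct = ("application/vnd.ms-word.document.macroEnabled.main+xml" if macro_enabled
               else "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml")
    types = ['<?xml version="1.0"?>',
             '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">',
             f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>']
    if macro_enabled:
        types.append('<Override PartName="/word/vbaProject.bin" '
                     'ContentType="application/vnd.ms-office.vbaProject"/>')
    types.append("</Types>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "".join(types))
        z.writestr("word/document.xml", "<w:document/>")
        if macro_enabled:
            # vbaProject.bin is itself an OLE2 blob; a stub is enough for this check.
            z.writestr("word/vbaProject.bin", OLE2_MAGIC + b"\x00" * 64)
    return buf.getvalue()


def build_sample_doc(with_macro: bool) -> bytes:
    """OLE2 magic followed by one fake UTF-16LE directory-entry name. Not a valid CFB file."""
    entry = ("_VBA_PROJECT" if with_macro else "WordDocument").encode("utf-16-le")
    return OLE2_MAGIC + b"\x00" * 504 + entry.ljust(64, b"\x00")


if __name__ == "__main__":
    for name, blob in [("ticket.docm", build_sample_ooxml(True)),
                       ("report.docx", build_sample_ooxml(False)),
                       ("ticket.doc", build_sample_doc(True)),
                       ("memo.doc", build_sample_doc(False))]:
        print(triage(name, blob))
```

The verdict reports what it found rather than just a boolean, so an analyst can see whether the ZIP merely contains a stray vbaProject.bin part or the package actually declares itself macro-enabled. For production use, replace the OLE2 byte search with a real compound-file parser such as oletools' olevba, which also extracts and deobfuscates the macro source.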
