Our malware analysts have detected an ongoing malware campaign, where Vawtrak (or Neverquest), a classic Trojan-banker targets credentials from banks in Canada to steal financial information.

This advanced piece of malware is capable to detect and infect hundreds of banking and financial institutions that users connect to. The last versions detected are able to capture videos and screenshots and launch man-in-the-middle attacks.

This high versatility offers Vawtrak the ability to collect credentials and sensitive information from FTP servers, email clients and finally from all spheres of the online.

This latest campaign that targets more than 15 financial institutions in Canada uses a web-injection method similar to the Zeus family of malware with the goal to alter the content of several specified banking websites:



To escape antivirus detection, the web-injection process allows online criminals to circumvent security login methods, such as Two Factor Authentication.

To complicate a potential detection or removal process, the cyber criminals use the retrieved credentials to log into the banking accounts via virtual network computing, which is a shared desktop system that allows remote control over the victim’s computer.

Since the connection request to the online banking account comes from the victim’s computer, it is almost impossible for the banking account to notice the online attack that takes place.


How does it spread?

Vawtrak is delivered through drive-by downloads in compromised websites or by injecting malicious code on legitimate websites, but it also spreads through phishing campaigns in social media networks and spam.

Our malware specialists gathered some C&C servers that are at this moment connected to Vawtrak infections:

To have an image on the malicious servers’ locations, you can use the map below:



How does it work?

We will try to present shortly the steps that take place in the infection phase, mentioning that we are dealing with a malware that could change its behavior at any moment:

  1. The downloader is placed on the system using a drive-by download.
  2. The downloader connects to a list of pre-defined domains.
  3. One of the hackers’ controlled domains responds and sends back the main components of Vawtrak.
  4. Vawtrak targets sensitive user credentials from online banking services. To do this, the malware uses a MiTM (man-in-the-middle) attack that allows hackers to intercept unencrypted web traffic, while the victims think they are on a secure connection.
  5. The captured financial information is sent to the C&C servers. During the connection time, the victim thinks the credentials are sent to a legitimate bank, but the malware actually redirects the traffic to a compromised server.
  6. Attackers use the captures credentials to log into the accounts using a VNC, that is a virtual network computing, which makes detection so much harder.

The computer is now enrolled in a botnet, a collection of Internet computers that communicate with each other for malicious purposes.


How can I keep my system protected from Vawtrak?

Our security researchers recommend the following measures to protect your computer from the Vawtrak banking malware:

  • Keep your operating system and your vulnerable software up-to-date with the latest security patches. Vawtrak (or Neverquest) can be spread through exploit kits.
  • Use a security solution that updates automatically and make sure your antivirus detects this threat.
  • Don’t click links in e-mails you receive from unknown e-mail addresses. There have been cases where Vawtrak has been spread this way.
  • Don’t download and access e-mail attachments from people you don’t know. Most dangerous financial and data stealing malware, like Vawtrak, may infect your system.
  • Increase your online protection level by adjusting your web browser security settings.

UPDATE: 25.03.2015

  • Our monitoring campaign began approximately a month ago during a series of drive-by attacks.
  • You should also know that the types of websites use to disseminate Vawtrak (or Neverquest) are partially legitimate websites and through malvertizing.
  • The command and control center of the attack is located in Russia.
  • Number and location of victims: the size of the BOTnet depends on the campaign, but we have already identified approximately 15.000 BOTs in the Canadian targeted attack, and 90% of these are located in Canada based on geoIP.
  • We have also created a VirusTotal page, so you can see how low the detection rate for Vawtrak (or Neverquest) really is. Only 2 dozen antivirus solutions are currently detecting it, but it’s going undetected by many, many others, leaving users exposed to the danger of having their banking credentials stolen.

virustotal page vawtrak aka neverquest march 2015

Vawtrak is one of the most dangerous pieces of financial stealing malware detected lately by our security specialists. To provide the best defense against the major threats in the online environment, we will continue to monitor this threat.

This post was originally published by Aurelian Neagu in March 2015.

15 Steps to Maximize your Financial Data Protection [Updated]

The Ultimate Guide to Shopping Online Safely

Everything You Need to Know about the Notorious Zeus Gameover Malware


Leave a Reply

Your email address will not be published. Required fields are marked *