Brad Duncan is a Security Researcher at Rackspace, where he investigates suspicious network activity. Reviewing alerts on blocked emails sent to Rackspace addresses, we occasionally discover malicious campaigns designed to spread malware. Our researchers investigate these leads to gather malware samples, identify threat actors, and determine other indicators of malicious activity. This blog entry discusses one such investigation.
In December 2014, Sophos published a technical paper on Vawtrak malware. Vawtrak is information stealing malware “primarily used to gain unauthorized access to bank accounts through online banking websites.”
As stated in the Sophos report, we’ve seen Vawtrak spread through exploit kits, malicious emails, and loader malware that downloads the Vawtrak installer. In recent weeks, we’ve also noticed malicious emails using Word documents to kick off an infection chain leading to Vawtrak. We continue to see such malicious emails as of March 2015.
Chain of events
- Step 1: The user receives a malicious email with a Word document that retrieves the next stage of malware, a downloader named Chanitor.
- Step 2: The Chanitor downloader retrieves the Vawtrak installer.
- Step 3: The Vawtrak installer infects the user’s computer.
Shown above: Flowchart for the Vawtrak infection chain.
The malicious email
From: eFax <email@example.com>
Date: Monday, March 2, 2015 at 9:43 AM CST
Subject: You have a new eFax from 635-558-9859
eFax Message [Caller-ID: 635-558-9859]
You have received an 1 page fax on Mon, 2 Mar 2015 21:13:07 +0530 .
You can find your fax attached to this email.
* The reference number for this fax is 01384623
Microsoft Word is required to view the attached fax document. Thank you for using the eFax service!
These campaigns are botnet-based, and they come from various IP addresses worldwide. The example shown above is one of many different variations seen during this and other campaigns.
In the above example, the eFax address in the From: line is not the actual sender. It’s an email address spoofed by the real sender. These emails also spoof companies in the Return-Path and Message-ID headers. The email headers reveal this particular message originated from the IP address of a broadband provider in India.
Shown above: Email headers from the malicious email.
Shown above: Information on the sender’s IP address from the malicious email.
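The header check described above, as an added example that is not part of the original post: walk the Received: headers inward from your own MX to find the external hop that actually delivered the message, compare it with the bottom-most hop the message claims as its origin, and pull the domains from the From:, Return-Path: and Message-ID: headers that the campaign spoofs. The message, hostnames and IP addresses below are constructed from documentation ranges and are not the campaign's real values; the WHOIS/geolocation lookup that identified the Indian broadband provider is not part of this code.

```python
"""Trace where a spoofed message really entered the mail path via Received: headers.

Added example; not code from the original post. The message and every host/IP
in it are constructed (RFC 5737 documentation ranges), not the campaign's.
"""
import re
from email import message_from_string
from email.utils import parseaddr

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Each MTA prepends its own Received: line, so the top entry is the last hop
# (the receiving MX) and the bottom entry is the hop closest to the sender.
SAMPLE_MESSAGE = """\
Return-Path: <bounce@example.com>
Received: from mx1.example.net (mx1.example.net [192.0.2.5])
    by inbound.example.com with ESMTP; Mon, 2 Mar 2015 09:43:10 -0600
Received: from relay.example.org (relay.example.org [203.0.113.9])
    by mx1.example.net with ESMTP; Mon, 2 Mar 2015 09:43:08 -0600
Received: from [198.51.100.23] (unknown [198.51.100.23])
    by relay.example.org with SMTP; Mon, 2 Mar 2015 21:13:07 +0530
From: eFax <email@example.com>
Message-ID: <01384623@example.com>
Subject: You have a new eFax from 635-558-9859

eFax Message [Caller-ID: 635-558-9859]
"""


def received_hops(raw):
    """Return (from_host, ip, by_host) per Received: line, top (our MX) first."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())  # unfold continuation lines
        frm = re.search(r"\bfrom\s+(\S+)", flat)
        by = re.search(r"\bby\s+(\S+)", flat)
        ip = IPV4_RE.search(flat)
        hops.append((frm.group(1) if frm else None,
                     ip.group(0) if ip else None,
                     by.group(1) if by else None))
    return hops


def first_external_hop(raw, our_hosts):
    """Walk inward from our MX; the first 'from' host we do not operate is the
    external entry point. Every Received: line below it was written by systems
    we do not control and can be forged by the sender."""
    for from_host, ip, _by in received_hops(raw):
        if from_host and from_host.lower().strip("[]") not in our_hosts:
            return from_host, ip
    return None, None


def claimed_origin(raw):
    """The bottom-most hop: where the message says it started (unverified)."""
    hops = received_hops(raw)
    return hops[-1][:2] if hops else (None, None)


def header_domains(raw):
    """Domains in the headers the campaign spoofs, for comparison with the hops."""
    msg = message_from_string(raw)
    out = {}
    for label, field in (("from", "From"), ("return_path", "Return-Path"),
                         ("message_id", "Message-ID")):
        _, addr = parseaddr(msg.get(field, ""))
        out[label] = addr.rsplit("@", 1)[-1].lower() if "@" in addr else None
    return out


if __name__ == "__main__":
    ours = {"inbound.example.com", "mx1.example.net"}  # assumed: hosts we run
    print("entry point:", first_external_hop(SAMPLE_MESSAGE, ours))
    print("claimed origin:", claimed_origin(SAMPLE_MESSAGE))
    print("spoofable header domains:", header_domains(SAMPLE_MESSAGE))
```

The entry point (the last hop you can vouch for) is the address worth looking up; the bottom-most hop is only what the sender's infrastructure reports, which a botnet node can fake.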
The malicious Word document
The Word document has a macro that downloads the next stage of malware. If macros are not enabled, the Word document shows a message that entices users to enable their macros.
Shown above: The malicious document when opened with Microsoft Word.
A sample of this malicious Word document can be found at: https://malwr.com/analysis/ZDRhM2UyMjQyYzMwNDAwYTk1ZDgyMDM1ODcwNGMzNTQ/
Once you enable macros on Microsoft Word, the message disappears and you’re left with a blank document. Meanwhile, behind the scenes, the document retrieves the next stage of malware: A file downloader called Chanitor.
Chanitor downloads malicious files onto the compromised computer. Vendors like Symantec describe the risk level of this malware as “Very Low”; however, new variants of Chanitor appear on a daily basis. As recent variants spread through new email campaigns, the malware may not be immediately identified by your computer’s anti-virus software.
Chanitor uses Tor to download the next stage of malware. Infected machines generate SSL-encrypted traffic to tor2web.org and similar domains as they download the next stage.
In our test environment, Chanitor malware was saved to the C:\Users\username\AppData\Local\Temp directory. The malware deletes itself after finishing its work.
A sample of this Chanitor downloader can be found at: https://malwr.com/analysis/ZmY3YmE3NjUwODY3NDc3Zjk1YzgzM2FhZTU4NmY1ZDg/
In our test environment, the Vawtrak installer was saved to the C:\Users\username\AppData\Local\Temp directory. Like Chanitor, the Vawtrak installer deletes itself after it’s finished.
A sample of this Vawtrak installer can be found at: https://malwr.com/analysis/M2I4ZjMxYzJkOWQ1NDU2MDhkYWYyZTI2YzY3YjJkNjY/
Vawtrak stored on the infected computer
In recent weeks, we’ve seen two locations for Vawtrak after it’s installed on a Windows 7 computer:
In both cases, the following registry key was updated to ensure the malware stays active when the computer is restarted.
Shown above: An example of a registry key change made by the malware.
A sample of Vawtrak malware from the infected host can be found at: https://malwr.com/analysis/YjEyYTZkMjdiZjQ0NDNiODk5NmRjYmMxMjY5MGE0ZDk/
The infected computer generates a distinct pattern of network traffic.
Shown above: Wireshark display of traffic from the infected computer.
Highlights from the infection traffic include:
- Request by Word document to get Chanitor: 188.8.131.52 – GET /ca/file.exe
- HTTP request from the infected host: 184.108.40.206 – savepic.su – GET /5201552.png
- Chanitor causes Tor traffic to various tor2web domains to retrieve the Vawtrak installer
- Callback traffic from the Vawtrak malware: 220.127.116.11 – woevenglaref.ru – POST /stats/00/counter/0000006F/2C380B4C
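The traffic highlights above, turned into detection logic as an added example that is not part of the original post: each proxy log line is classified against one stage of the chain (the /ca/file.exe fetch by the Word macro, the savepic.su request, tor2web gateway traffic, and the Vawtrak POST callback), and a client is only flagged when more than one stage is seen, because a lone hit on an image host is weak evidence. The log format and sample lines are constructed; the hostnames and paths are the post's indicators, the client IPs are documentation addresses, onion.to is an assumed example of a "similar" tor2web gateway, and the callback regex generalizes the single POST path shown above and should be tuned against real data.

```python
"""Flag the Vawtrak infection-chain traffic described above in a proxy log.

Added example, not code from the original post. Log format and sample lines
are constructed; indicators are the post's, clients are documentation IPs.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Indicators from the post.
CHANITOR_DOWNLOAD_PATH = "/ca/file.exe"  # Word macro fetching the Chanitor downloader
SAVEPIC_HOST = "savepic.su"              # GET /5201552.png from the infected host
# tor2web.org is from the post; onion.to is an assumed example of a "similar
# domain". Replace with the gateways actually seen in your own traffic.
TOR2WEB_GATEWAYS = ("tor2web.org", "onion.to")
# Assumed generalization of POST /stats/00/counter/0000006F/2C380B4C.
VAWTRAK_CALLBACK_RE = re.compile(
    r"^/stats/[0-9a-f]{2}/counter/[0-9a-f]{8}/[0-9a-f]{8}$", re.IGNORECASE)

# Constructed log. Assumed format: "<time> <client> <method> <host[:port]> <path>".
SAMPLE_LOG = """\
2015-03-02T15:43:20Z 192.0.2.10 GET www.example.com /index.html
2015-03-02T15:44:01Z 192.0.2.10 GET 198.51.100.7 /ca/file.exe
2015-03-02T15:44:05Z 192.0.2.10 GET savepic.su /5201552.png
2015-03-02T15:44:09Z 192.0.2.10 CONNECT abcdefghijklmnop.tor2web.org:443 -
2015-03-02T15:44:31Z 192.0.2.10 CONNECT onion.to:443 -
2015-03-02T15:45:12Z 192.0.2.10 POST woevenglaref.ru /stats/00/counter/0000006F/2C380B4C
2015-03-02T15:46:00Z 192.0.2.11 GET www.example.com /stats/page.html
2015-03-02T15:46:30Z 192.0.2.12 GET savepic.su /logo.png
"""


@dataclass(frozen=True)
class Hit:
    client: str
    stage: str
    host: str
    path: str


def classify(method, host, path):
    """Return the chain stage a single request matches, or None."""
    if path == CHANITOR_DOWNLOAD_PATH:
        return "chanitor-download"   # host is a bare IP that changes per campaign
    if host == SAVEPIC_HOST:
        return "savepic-request"
    if any(host == g or host.endswith("." + g) for g in TOR2WEB_GATEWAYS):
        return "tor2web"
    if method == "POST" and VAWTRAK_CALLBACK_RE.match(path):
        return "vawtrak-callback"
    return None


def detect(log_text):
    """Parse the constructed log format and return every matching request."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # blank or malformed line
        _ts, client, method, hostport, path = parts
        host = hostport.rsplit(":", 1)[0].lower()  # drop ":443" on CONNECT lines
        stage = classify(method.upper(), host, path)
        if stage:
            hits.append(Hit(client, stage, host, path))
    return hits


def stages_by_client(hits):
    """Map each client to the sorted set of chain stages observed for it."""
    seen = defaultdict(set)
    for h in hits:
        seen[h.client].add(h.stage)
    return {c: sorted(s) for c, s in seen.items()}


def suspected_infections(hits, min_stages=2):
    """Clients showing at least `min_stages` distinct stages of the chain."""
    return sorted(c for c, s in stages_by_client(hits).items()
                  if len(s) >= min_stages)


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for client, stages in stages_by_client(found).items():
        print(client, stages)
    print("suspected:", suspected_infections(found))
```

With the sample log, 192.0.2.10 shows all four stages and is flagged, while 192.0.2.12, which only fetched an image from savepic.su, is not; raise or lower `min_stages` depending on how noisy the single indicators are in your environment.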
As an information stealer, Vawtrak is a concern to anyone using a Windows computer for online banking. We’ve been tracking email campaigns spreading Vawtrak since the fall of last year. Hopefully, this blog entry helps people understand a Vawtrak infection chain caused by malicious Word documents.