Security researcher has discovered some new features in the most dangerous Vawtrak, aka Neverquest, malware that allow it to send and receive data through encrypted favicons distributed over the secured Tor network.

The researcher, Jakub Kroustek from AVG anti-virus firm, has provided an in-depth analysis (PDF) on the new and complex set of features of the malware which is considered to be one of the most dangerous threats in existence.

Vawtrak is a sophisticated piece of malware in terms of supported features. It is capable of stealing financial information and executing transactions from the compromised computer remotely without leaving traces. The features include videos and screenshots capturing and launching man-in-the-middle attacks.

AVG anti-virus firm is warning users that it has discovered an ongoing campaign delivering Vawtrak to gain access to bank accounts visited by the victim and using the infamous Pony module in order to steal a wide range of victims' login credentials.

The Vawtrak Banking Trojan spreads by using one of the three ways:
  • Drive-by download – spam email attachments or links to compromised sites
  • Malware downloader – like Zemot or Chaintor
  • Exploit kit – like as Angler Exploit Kit
According to the researcher, Vawtrak is using the Tor2Web proxy to receive updates from its developers.
"Of particular interest from a security standpoint is that by using Tor2web proxy, it can access update servers that are hosted on the Tor hidden web services without installing specialist software such as Torbrowser," Kroustek says. "Moreover, the communication with the remote server is done over SSL, which adds further encryption."
The latest Vawtrak sample uses steganography to hide update files within favicons in order to conceal the malicious downloads. Favicons are the small images used by the websites to add icon to website bookmarks and browser tabs.

Once executed in the victim's machine, Vawtrak performs the following actions:
  • Disables antivirus protection.
  • Inject custom code in a user-displayed web pages (this is mostly related to online banking)
  • Steals passwords, digital certificates, browser history, and cookies.
  • Surveillance of the victim (key logging, taking screenshots, capturing video)
  • Creates a remote access to a user's machine (VNC, SOCKS)
  • Automatic updating.
Vawtrak supports three major browsers to operate in – Internet Explorer, Firefox, and Chrome. It also supports password stealing from the other browsers.

Based on their statistics, Vawktrak is infecting banking, gaming and social network users mainly across the countries including United Kingdom, the United States, and Germany. Although, users in Australia, New Zealand, and across Europe are also affected.

AVG concluded following their analysis of the malware that "Vawtrak is like a Swiss Army knife for its operators because of its wide range of applications and available features."

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.