Fifteen Canadian financial institutions have been targeted by a new malware attack aimed at stealing passwords, says a Danish security company.
Heimdal Security, which makes data protection software for Windows PCs, said Tuesday it has detected an ongoing attack that uses what has been called the Vawtrak, Snifula or Neverquest banking trojan. The latest versions detected are able to capture videos and screenshots and launch man-in-the-middle attacks, the company said.
“Vawtrak is one of the most dangerous pieces of financial stealing malware detected lately by our security specialists,” the note says.
The malware can be spread by phishing messages — in one case pretending to be an Amazon invoice — using a Web-injection method similar to the Zeus family of malware with the goal of altering the content of several specified banking websites including the Royal Bank, Desjardins, Tangerine.ca (the online bank of Scotiabank), and TD Canada Trust, as well as the Bank of America.
The size of the botnet depends on the campaign, Heimdal says, but it has already identified approximately 15,000 bots in the attack targeting Canadian institutions, and 90 per cent of these are located in Canada based on geoIP.
“To escape antivirus detection, the web-injection process allows online criminals to circumvent security login methods, such as Two Factor Authentication,” says the note. “To complicate a potential detection or removal process, the cyber criminals use the retrieved credentials to log into the banking accounts via virtual network computing, which is a shared desktop system that allows remote control over the victim’s computer. Since the connection request to the online banking account comes from the victim’s computer, it is almost impossible for the banking account to notice the online attack that takes place.”
In January we reported that SentinelOne had found evidence of an attack on financial institutions, including Canadian banks, that replaces login screens on user PCs.
Vawtrak is delivered through drive-by downloads on compromised websites or by injecting malicious code into legitimate websites, the Heimdal note says, but it also spreads through phishing campaigns on social media networks and spam. Heimdal says it has found that the command and control servers linked to this particular attack are in Russia.
In a statement Kate Payne, a spokeswoman for the Canadian Bankers Association, said that “Banks are aware of the Vawtrak aka Neverquest Trojan. They have sophisticated security systems in place to protect customers’ personal and financial information. As part of the normal course of business, the banks actively monitor their networks and continuously conduct routine maintenance to help ensure that online threats do not harm their servers or disrupt service to customers.”
She also noted the CBA, an industry group for financial institutions, has a Web site with advice to consumers on how to protect their PCs and mobile devices to avoid downloading malware.
Meanwhile earlier this month anti-virus maker AVG Technologies issued a report on Vawtrak, following up on a notice posted in January by Virus Bulletin.
AVG said Vawtrak “is like a Swiss Army knife for its operators because of its wide range of applications and available features.”
“The most effective way to avoid infection by Vawtrak is to stay vigilant about online phishing and scams,” it adds.
AVG says once installed on a PC the malware disables antivirus protection and steals passwords, digital certificates, browser history, and cookies. It can log keystrokes, take screenshots of the desktop or of particular windows with mouse clicks highlighted, and capture user actions on the desktop in an AVI video which it sends to a command and control server. It can also open a VNC (Virtual Network Computing) channel for remote control of the infected machine.