As financial institutions scramble to prevent more attacks like the cyber heists that targeted members of the SWIFT financial messaging service, a new report offered additional cause for the sector to improve information sharing practices by providing insights into the distribution infrastructure of Vawtrak v2, the two-year-old banking Trojan.
“Chasing Cybercrime: Network insights into Vawtrak v2” from the Barcelona-based threat intelligence firm Blueliv, found two distinct distribution infrastructures, known as the Moskalvzapoe and Vawtrak groups.
Blueliv Labs Vice President of Threat Intelligence Ramon Vicens told SCMagazine.com the two groups provide the “grabber” and “loader” functions. Moskalvzapoe uses a spam and email vector, while the Vawtrak infrastructure distributes the malware by deploying a botnet using various domains. The group registers on average 40 new domains per month, with each domain linked to a different IP address.
The report found that the botnet exfiltrated more than 2.5 million credentials. Approximately 82% of its infections targeted the U.S.
First discovered by Trend Micro in June 2014, Vawtrak has reemerged as a strain that Blueliv calls “Vawtrak v2.” The Trojan has grown more stealthy and sophisticated in its attacks targeting financial institutions.
Vicens said the Vawtrak and Moskalvzapoe groups use very different infrastructures. “That is clear evidence of information-sharing in the underground market,” he said. He noted that the Moskalvzapoe group appears to be based in Eastern Europe, perhaps in Romania or the Ukraine. However, he said he does not have suspicions of where the group originated. He said the Vawtrak group has high-level technical knowledge and contacts in the underground world.
“The bad guys are already sharing information and vendors are not sharing information,” he told SCMagazine.com. “That is something that we want to change.”