Vawtrak

Malware updated 4 months ago (2024-05-04T18:40:07.522Z)
Vawtrak is malware designed to compromise and damage computer systems. It infiltrates systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, Vawtrak steals personal data, disrupts operations, and can even hold data hostage for ransom.

The infection process begins when an executable file is run, which then downloads the Pony and Vawtrak malware variants to steal data. H1N1, a loader malware variant, has been known to deliver Pony DLLs and Vawtrak executables to infected machines. For persistence, the malware copies itself to "%system32%" and creates a registry run key entry. Upon execution, it communicates with an attacker-controlled website to download a variant of the Pony malware, "pm.dll", along with a standard Vawtrak trojan. As Brad Duncan of the SANS Internet Storm Center warns, documents containing a malicious VB macro (described as Hancitor, Chanitor, or Tordal) retrieve a Pony downloader DLL once macros are enabled; that Pony downloader then retrieves and installs the Vawtrak malware.

In August, Palo Alto Networks identified a shift in the attack strategy of a Hancitor downloader variant: instead of leveraging the latest incarnation of H1N1, it distributed the Pony and Vawtrak executables. Additionally, a custom crypter was found to be used for both TrickLoader and Vawtrak, as well as for the Pushdo and Cutwail malware. Once downloaded and executed, the malware drops an intermediate payload that in turn downloads a Pony DLL and a Vawtrak executable, which carry out the data theft and connect to a command and control (C2) server.
Description last updated: 2023-09-07T13:47:57.693Z
Aliases: We are not currently tracking any aliases.
Miscellaneous Associations: Other elements of context that could aid in the identification of relevance.
Source Document References
Information about the Vawtrak malware was read from the documents in the corpus below.
Source (created) - Title:
- MITRE (2 years ago) - Spammers Revive Hancitor Downloader Campaigns
- MITRE (2 years ago) - TrickBot: We Missed you, Dyre
- MITRE (2 years ago) - H1N1: Technical analysis reveals new capabilities
- MITRE (2 years ago) - Hancitor (AKA Chanitor) observed using multiple attack approaches | Mandiant