A new, more powerful variant of the “Vawtrak” malware, also known as “Neverquest” or “Snifula”, has been discovered in the wild. According to malware researchers, “Vawtrak” is one of the most dangerous malicious codes currently threatening systems worldwide. It is a financial malware, and the new variant adds features that enable it to send and receive data through encrypted favicons distributed over the anonymizing Tor network. “Vawtrak” uses steganography to hide its update file inside these favicons; each favicon is approximately 4 kB. “Vawtrak” implements injection mechanisms and API hooking in order to steal financial information, FTP credentials and private keys, and to execute banking transactions from the victim’s PC while hiding its activities. The detected variant is also able to run man-in-the-middle attacks and to capture videos and screenshots from the compromised host. Infections of the “Vawtrak” malware are most prevalent in the Czech Republic, the USA, the UK and Germany.
Mauritian Computer Emergency Response Team (CERT-MU)
National Computer Board
7th Floor, Stratton Court
La Poudriere Street