Vawtrak malware spread via toxic Word documents is still a thing apparently

Beware poisoned parking tickets!

David Bisson


It’s not as common as it once was, but malicious spam that infects users with the Pony and Vawtrak malware is still making its rounds in the wild.

On 10 January, Brad Duncan of the SANS Internet Storm Center received what appeared to be a parking ticket notification.

[Figure: Fake parking ticket notification. (Source: SANS Internet Storm Center)]

But it wasn’t that at all. As he explained in a blog post:

“The link from the malspam downloaded a Microsoft Word document. The document contains a malicious VB macro described as Hancitor, Chanitor or Tordal. I generally call it Hancitor. If you enable macros, the document retrieves a Pony downloader DLL. The Pony downloader then retrieves and installs Vawtrak malware.”

[Figure: Flow chart of the infection process. (Source: SANS Internet Storm Center)]

So just what is Vawtrak?

Vawtrak is a trojan that is, more often than not, distributed to users via malicious Microsoft Word documents.

Once Vawtrak infects a PC, it is capable of logging keystrokes, taking screenshots, and hijacking webcams. It also opens a remote access backdoor that allows anyone who controls it to steal files, digital certificates, and passwords from the victim’s computer.

No wonder some suspect Vawtrak helped steal thousands of MailChimp account credentials back in November 2016.


In this most recent attack, Vawtrak stayed quiet after installation: its callback traffic to the attacker's infrastructure only appeared once the user began to browse the web.

[Figure: Vawtrak callback traffic seen only after trying to browse the web. (Source: SANS Internet Storm Center)]

The fact that users continue to fall for attacks like this can be disheartening at times, so much so that some in the security community say individuals like Duncan are wasting their breath. But he doesn’t agree:

“That attitude only encourages the criminal groups behind malspam. For various reasons, many environments don’t follow best security practices, and they’re still vulnerable. If we discuss on-going waves of malspam in high-visibility forums like this one, more people will be aware of the threat.”

We share Duncan’s point of view. With that in mind, users can protect themselves against spammed-out malware campaigns, including the one Duncan detected, by not following links in, or opening attachments from, unexpected emails, even ones that claim to be official notices.

Users should also consider disabling macros for Microsoft Word documents outright by following this guide. In this campaign nothing runs unless the recipient enables macros, so if you decide to take that route, don’t let ANYONE talk you into re-enabling them.
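Disabling macros on the endpoint is one half of the defence; the other is refusing to deliver macro-carrying Word attachments in the first place. The script below is an added example, not code from the article or from SANS ISC, of the content-based check a mail gateway or file-drop scanner can apply. It looks for a VBA project in both Word container formats: OOXML (.docx/.docm), where macros live in `word/vbaProject.bin` inside the ZIP, and the legacy OLE2 binary (.doc) format, where the presence of a `_VBA_PROJECT` directory entry (stored as UTF-16LE) is used as a heuristic rather than a full OLE2 parse. The sample documents it builds are constructed stand-ins, not real Hancitor lures.

```python
"""Flag Word attachments that carry a VBA project, regardless of extension.

Added example (not from the article or SANS ISC). Content-based checks beat
extension checks: a file named ticket.doc may really be an OOXML ZIP, and a
.docx may be a renamed .docm. Both cases are handled by sniffing the bytes.
"""
import io
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # compound-file header
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML is a ZIP archive

# OLE2 directory-entry names are stored as UTF-16LE; a Word document that
# holds macros has a "_VBA_PROJECT" stream.  Heuristic, not a full parser.
OLE_VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")


def classify(data: bytes) -> str:
    """Return 'ooxml', 'ole2' or 'unknown' from the leading bytes."""
    if data.startswith(ZIP_MAGIC):
        return "ooxml"
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    return "unknown"


def ooxml_has_macros(data: bytes) -> bool:
    """True if the ZIP container holds a vbaProject.bin part anywhere."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return False
    return any(name.lower().endswith("vbaproject.bin") for name in names)


def ole2_has_macros(data: bytes) -> bool:
    """True if the compound file names a _VBA_PROJECT stream (heuristic)."""
    return OLE_VBA_MARKER in data


def has_vba_macros(data: bytes) -> bool:
    kind = classify(data)
    if kind == "ooxml":
        return ooxml_has_macros(data)
    if kind == "ole2":
        return ole2_has_macros(data)
    return False


def triage(filename: str, data: bytes) -> tuple:
    """Gateway decision for one attachment: ('quarantine'|'allow', reason)."""
    kind = classify(data)
    if kind == "unknown":
        return ("allow", f"{filename}: not a Word container")
    if has_vba_macros(data):
        return ("quarantine", f"{filename}: {kind} container carries a VBA project")
    return ("allow", f"{filename}: {kind} container, no VBA project")


# --- constructed samples (not real malware) ---------------------------------

def make_ooxml(with_macro: bool) -> bytes:
    """Minimal OOXML-shaped ZIP: enough structure for the check, not a real doc."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x01\x16\x01\x00")  # opaque blob
    return buf.getvalue()


def make_fake_ole2(with_macro: bool) -> bytes:
    """OLE2 magic, one padded header sector, then UTF-16LE directory names."""
    body = bytearray(OLE2_MAGIC)
    body += b"\x00" * (512 - len(OLE2_MAGIC))
    body += "WordDocument".encode("utf-16-le")
    if with_macro:
        body += OLE_VBA_MARKER
    return bytes(body)


if __name__ == "__main__":
    samples = {
        "Parking_Ticket.doc": make_fake_ole2(True),    # legacy lure with macro
        "Parking_Ticket.docx": make_ooxml(True),       # macro hidden in OOXML
        "invoice.docx": make_ooxml(False),
        "notes.doc": make_fake_ole2(False),
        "readme.txt": b"plain text, not a document",
    }
    for name, blob in samples.items():
        print(*triage(name, blob))
```

The decision is made on bytes, not on the filename, so renaming a .docm to .docx or wrapping a legacy .doc in an OOXML-looking name does not get past it. A production scanner would parse the OLE2 directory properly (for example with olefile/oletools) and inspect the macro source, but the container-level test above is already enough to stop the "enable macros" step that this chain depends on.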

David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.
