It’s not as common as it once was, but malicious spam that infects users with the Pony and Vawtrak malware is still making its rounds in the wild.
On 10 January, Brad Duncan of the SANS Internet Storm Center received what appeared to be a parking ticket notification.
But it wasn’t that at all. As he explained in a blog post:
“The link from the malspam downloaded a Microsoft Word document. The document contains a malicious VB macro described has Hancitor, Chanitor or Tordal. I generally call it Hancitor. If you enable macros, the document retrieves a Pony downloader DLL. The Pony downloader then retrieves and installs Vawtrak malware.”
So just what is Vawtrak?
Vawtrak is a trojan that is, more often than not, distributed to users via malicious Microsoft Word documents.
Once Vawtrak infects a PC, it is capable of logging keystrokes, taking screenshots, and hijacking webcams. It also opens a remote access backdoor that allows anyone who controls it to steal files, digital certificates, and passwords from the victim’s computer.
No wonder some suspect Vawtrak helped steal thousands of MailChimp account credentials back in November 2016.
In this most recent attack, the malware initializes as soon as the user begins to browse the web.
The fact that users continue to fall for attacks like this can be disheartening at times, so much so that some in the security community say individuals like Duncan are wasting his breath. But he doesn’t agree:
“That attitude only encourages the criminal groups behind malspam. For various reasons, many environments don’t follow best security practices, and they’re still vulnerable. If we discuss on-going waves of malspam in high-visibility forums like this one, more people will be aware of the threat.”
We share Duncan’s point of view. With that in mind, users can protect themselves against spammed-out malware campaigns, including the one Duncan detected, by avoiding suspicious links and email attachments.
Users should also consider disabling macros for Microsoft Word documents outright by following this guide. If you decide to take that route, don’t let ANYONE convince you into re-enabling them.
Found this article interesting? Follow Graham Cluley on Twitter or Mastodon to read more of the exclusive content we post.