Saturday, June 14, 2025
HomeMalwareVawtrak malware spread via toxic Word documents Beware poisoned parking tickets

Vawtrak malware spread via toxic Word documents Beware poisoned parking tickets

Published on

SIEM as a Service

Follow Us on Google News

Pernicious spam (malspam) utilizing Microsoft office records with Hancitor-based Visual Basic (VB) macros to send Pony and Vawtrak. Regardless it happens,And A report Said  this one from 2016-12-19, where Hancitor/Pony/Vawtrakmalspamwas disguised as a LogMeIn account notification ,And apparently, there’s been a recent lull in Hancitor/Pony/Vawtrakmalspam

Once Vawtrak infects a PC, it is capable of logging keystrokes, taking screenshots, and hijacking webcams. It also opens a remote access backdoor that allows anyone who controls it to steal files, digital certificates, and passwords from the victim’s computer..

It’s not as common as it once was, but malicious spam that infects users with the Pony and Vawtrak malware is still making its rounds in the wild.

- Advertisement - Google News

what is Vawtrak

Vawtrak is an information stealing malware family that is primarily used to gain unauthorised access to bank accounts through online banking websites. Machines infected by Vawtrakform part of a botnet that collectively harvests login credentials for the online accounts to awide variety of financial and other industry organisations.

These stolen credentials are used,in combination with injected code and by proxying through the victim’s machine, to initiatefraudulent transfers to bank accounts controlled by the Vawtrak botnet administrators.

Brad Duncan ,Explained this In SANS blog,

” The link from the malspam downloaded a Microsoft Word document.  The document contains a malicious VB macro described has Hancitor, Chanitor or Tordal.  I generally call it Hancitor.  If you enable macros, the document retrieves a Pony downloader DLL.  The Pony downloader then retrieves and installs Vawtrak malware. “

On 10 January, Brad Duncan of the SANS Internet Storm Center received what appeared to be a parking ticket notification.

Flow chart of the infection process. source :SANS

Infection traffic after activating macros in the Word document.

Duncan conclude in his Article ,

we often become jaded as yet another wave of malspam does the same thing it’s done before.  Patterns behind such activity are often well-documented. hat attitude only encourages the criminal groups behind malspam.

For various reasons, many environments don’t follow best security practices, and they’re still vulnerable.  If we discuss on-going waves of malspam in high-visibility forums like this one, more people will be aware of the threat.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Kali Linux 2025.2 Released: New Tools, Smartwatch and Car Hacking Added

Kali Linux, the preferred distribution for security professionals, has launched its second major release...

Arsen Launches AI-Powered Vishing Simulation to Help Organizations Combat Voice Phishing at Scale

Arsen, the cybersecurity startup known for defending organizations against social engineering threats, has announced...

NIST Releases New Guide – 19 Strategies for Building Zero Trust Architectures

The National Institute of Standards and Technology (NIST) has released groundbreaking guidance to help...

Spring Framework Flaw Enables Remote File Disclosure via “Content‑Disposition” Header

A medium-severity reflected file download (RFD) vulnerability (CVE-2025-41234) in VMware's Spring Framework has been...

Credential Abuse: 15-Min Attack Simulation

Credential Abuse Unmasked

Credential abuse is #1 attack vector in web and API breaches today (Verizon DBIR 2025). Join our live, 15-min attack simulation with Karthik Krishnamoorthy (CTO - Indusface) and Phani Deepak Akella (VP of Marketing - Indusface) to see hackers move from first probe to full account takeover.

Discussion points


Username & email enumeration – how a stray status-code reveals valid accounts.
Password spraying – low-and-slow guesses that evade basic lockouts.
Credential stuffing – lightning-fast reuse of breach combos at scale.
MFA / session-token bypass – sliding past second factors with stolen cookies.

More like this

Cybercriminals Exploiting Expired Discord Invite Links to Deploy Multi-Stage Malware

Recent investigations by Check Point Research have uncovered a sophisticated malware campaign that leverages...

Interpol Dismantles 20,000 Malicious IPs and Domains Tied to 69 Malware Variants

In a landmark global cybercrime crackdown, INTERPOL’s Operation Secure has seen the takedown of...

New Secure Boot Vulnerability Allows Attackers to Install Malware in PC and Server Boot Processes

Security researchers from Binarly have uncovered a major software vulnerability in the Unified Extensible...