Vawtrak

Also known as Neverquest or Snifula, Vawtrak is a descendant of the Gozi banking trojan. First discovered in 2013, Vawtrak was active in geographically targeted campaigns and employed a Cybercrime-as-a-Service business model. This is not unique to Vawtrak, as other trojans, including Gameover Zeus, also use this business model. Instead of selling the malware outright, Vawtrak’s authors offer malware delivery based on a service agreement, for example: a number of passwords stolen from X number of users, using bank Y in country Z. [28] There have been a few technical papers detailing the analysis of the Vawtrak malware and its evolution over the years.

In January 2017, Vawtrak’s alleged author, Russian national Stanislav Vitaliyevich Lisov, who went by the monikers “Black” and “Blackf,” was arrested, and as of February 2019 he had pled guilty to creating, running, and infecting users with the Vawtrak banking trojan. [30] Vawtrak’s activity declined after Lisov’s arrest; however, another banking trojan, Bokbot (also known as IcedID), has been connected to the group behind Vawtrak.