Trojan downloader Waski steals login credentials
Banking malware Waski is on the rise. This trojan is not really a new threat, it was discovered more than a year back, at the end of 2013, but what is troubling is that it is becoming more and more widespread and claiming victims all around the world. As reported by welivesecurity, the malware initially targeted Switzerland and Germany, but is now beginning to appear in English-speaking regions like Australia, New Zealand, Ireland, United Kingdom, Canada, and the United States. Instead of directly doing its job, Waski downloads another trojan know as Battdil which steals login data by intercepting it or by redirecting users to a phishing website.
Fake emails used to spread Trojan
Waski is a trojan downloader spread through fake emails like the one shown below. The malware writers attempt to trick users into thinking that the attachment is a pdf file by giving it a suitable icon. Unwary users may mistake it for a document from their workplace, but on examination it is clear that the file is an executable. On running the file, Waski loads into memory, contacts its command and control servers and downloads the additional malware components. Waski also creates a unique identification number for the infected computer and reports a successful compromise. The real threat here though, is the downloaded trojan, Battdil.
Banking Trojan steals login data
The downloaded banking trojan Batdill, consists of two main components, an injector and a payload. The method of infection used is dll injection into a windows process. After successfully infiltrating the system, batdill intercepts bank login credentials from popular browsers like IE and Chrome. It also redirects users to modified/manipulated versions of bank websites which may look similar, but are traps to make the user spill out private data. Such a trojan in conjunction with phishing websites can be a powerful tool to gain access to unauthorized bank information. After making the steal, the trojan sends the information home anonymously using the I2P (Invisible Internet Project).
It is always best to avoid threats like these in the first step. A careful inspection of email attachments can easily prevent such infections and the golden rule: do not open attachments from unknown sources, also applies here.
Since Waski is a trojan downloader, a good antivirus and firewall is also enough to keep you safe.
Have a nice (trojan-free) day!
New Cryptolocker copycat PClock2 discovered that targets over 2,500 file extensions