Trojan downloader Waski steals login credentials


16908430_sBanking malware Waski is on the rise. This trojan is not really a new threat, it was discovered more than a year back, at the end of 2013, but what is troubling is that it is becoming more and more widespread and claiming victims all around the world. As reported by welivesecurity, the malware initially targeted Switzerland and Germany, but is now beginning to appear in English-speaking regions like  Australia, New Zealand, Ireland, United Kingdom, Canada, and the United States. Instead of directly doing its job, Waski downloads another trojan know as Battdil which steals login data by intercepting it or by redirecting users to a phishing website.

Fake emails used to spread Trojan

Waski is a trojan downloader spread through fake emails like the one shown below. The malware writers attempt to trick users into thinking that the attachment is a pdf file by giving it a suitable icon. Unwary users may mistake it for a document from their workplace, but on examination it is clear that the file is an executable. On running the file, Waski loads into memory, contacts its command and control servers and downloads the additional malware components. Waski also creates a unique identification number for the infected computer and reports a successful compromise. The real threat here though, is the downloaded trojan, Battdil.

Banking Trojan steals login data

The downloaded banking trojan Batdill, consists of two main components, an injector and a payload. The method of infection used is dll injection into a windows process. After successfully infiltrating the system, batdill intercepts bank login credentials from popular browsers like IE and Chrome. It also redirects users to modified/manipulated versions of bank websites which may look similar, but are traps to make the user spill out private data. Such a trojan in conjunction with phishing websites can be a powerful tool to gain access to unauthorized bank information. After making the steal, the trojan sends the information home anonymously using the I2P (Invisible Internet Project).

It is always best to avoid threats like these in the first step. A careful inspection of email attachments can easily prevent such infections and the golden rule: do not open attachments from unknown sources, also applies here.

Since Waski is a trojan downloader, a good antivirus and firewall is also enough to keep you safe.

Have a nice (trojan-free) day!

Emsisoft Endpoint Protection: Award-Winning Security Made Simple

Experience effortless next-gen technology. Start Free Trial

 

Senan Conrad

Senan Conrad

Senan specializes in giving readers insight into the constantly and rapidly changing world of cybersecurity. When he’s not tapping away at his keyboard, he enjoys drinking a good coffee or tinkering in his workshop.

What to read next

Newsletter

Malware never sleeps. Be sure to stay up-to-date on emerging threats.

Emsisoft > Blog > Malware Lab > Security Alerts > Trojan downloader Waski steals login credentials