Australia and New Zealand are most affected

Apr 10, 2015 14:56 GMT  ·  By

Antivirus detections for Waski, a downloader used to fetch other malware, have risen recently: it has been seen in malicious emails that deliver the Dyre Trojan, which targets customers of major banks around the world.

A few weeks ago its activity was seen rising in Switzerland and Germany, but more recent telemetry from antivirus company ESET shows it occurring with increased frequency particularly in Australia and New Zealand.

Other countries with a high infection rate from Waski include Ireland, UK, Canada, and the US.

Malware hides under PDF icon

“Since the beginning of 2015 we have seen a significant increase in these detections. This is no coincidence as more and more criminals are using Waski to spread their malware on the Internet,” the researchers say.

The downloader is not used exclusively with Dyre (also known as Dyreza); it can also pull in other malware families.

Discovered in late 2013, Waski is delivered by email; the message lures the recipient into opening an attachment that purports to be a document giving more detail about the matter raised in the message body.

During analysis of the campaign, ESET researchers observed that the downloader masquerades as a PDF by using the Adobe icon for that file type; the extension, however, shows that it is in fact an executable (EXE). Because Windows Explorer hides extensions of known file types by default, the icon is often all the recipient sees, so the file's content, not its icon or name, is what should be checked.
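The check a mail gateway or triage script would want here is to look at the attachment's bytes rather than its icon or name: a PE executable starts with a DOS "MZ" header whose e_lfanew field points at the "PE\0\0" signature, whereas a PDF starts with "%PDF-". The following is an added example, not ESET's or the article's own code; the attachment filenames and the sample bytes (a minimal MZ/PE header stub and a minimal PDF header) are constructed for the demonstration.

```python
"""Triage e-mail attachments that present themselves as PDFs but are executables.

Added example (not code from the original article or from ESET). The sample
attachments below are constructed: SAMPLE_PE is a bare DOS header pointing at
a PE signature, SAMPLE_PDF is a minimal PDF header.
"""
import struct
from typing import List

PDF_MAGIC = b"%PDF-"
DOS_MAGIC = b"MZ"
PE_SIGNATURE = b"PE\x00\x00"
# Extensions Windows treats as directly runnable; a lure may hide one behind ".pdf".
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".cpl"}


def is_pe(data: bytes) -> bool:
    """True if data carries a DOS header whose e_lfanew (offset 0x3C) points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != DOS_MAGIC:
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == PE_SIGNATURE


def is_pdf(data: bytes) -> bool:
    """True if the content starts with the PDF header, whatever the name or icon says."""
    return data.startswith(PDF_MAGIC)


def declared_kind(filename: str) -> str:
    """What the visible (last) extension claims the file is."""
    name = filename.lower()
    if any(name.endswith(ext) for ext in EXECUTABLE_EXTS):
        return "executable"
    if name.endswith(".pdf"):
        return "pdf"
    return "other"


def looks_like_pdf_lure(filename: str) -> bool:
    """Double extension such as 'report.pdf.exe': '.pdf' inside, executable extension last."""
    parts = filename.lower().split(".")
    return len(parts) >= 3 and "pdf" in parts[1:-1] and "." + parts[-1] in EXECUTABLE_EXTS


def triage_attachment(filename: str, data: bytes) -> List[str]:
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    findings: List[str] = []
    if is_pe(data):
        findings.append("content is a PE executable")
        if declared_kind(filename) != "executable":
            findings.append("extension hides executable content")
        if looks_like_pdf_lure(filename):
            findings.append("double extension imitating a PDF")
    elif declared_kind(filename) == "executable":
        findings.append("executable extension without PE header")
    return findings


def _fake_pe() -> bytes:
    # Constructed 64-byte DOS header: 'MZ' at offset 0, e_lfanew at 0x3C pointing to 0x40,
    # followed by the PE signature and some zero padding. Not a runnable program.
    hdr = bytearray(0x40)
    hdr[0:2] = DOS_MAGIC
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + PE_SIGNATURE + b"\x00" * 32


SAMPLE_PE = _fake_pe()
SAMPLE_PDF = b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n1 0 obj\n<< >>\nendobj\n"

# Constructed attachment names in the style of a document-themed lure.
SAMPLE_ATTACHMENTS = [
    ("Invoice_0415.pdf", SAMPLE_PDF),   # genuine PDF, correctly named
    ("Invoice_0415.exe", SAMPLE_PE),    # executable with a PDF icon, honest extension
    ("Invoice_0415.pdf.exe", SAMPLE_PE),  # double-extension lure
    ("Invoice_0415.pdf", SAMPLE_PE),    # executable content behind a .pdf name
]

if __name__ == "__main__":
    for name, blob in SAMPLE_ATTACHMENTS:
        print(f"{name}: {triage_attachment(name, blob) or ['ok']}")
```

The icon lives in the executable's resource section and costs the attacker nothing, so no check should rely on it; the file's magic bytes are what the gateway, the sandbox and the analyst should agree on before the attachment reaches a user.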

Waski assigns an ID to the infected system before getting Dyre

As soon as it is launched, Waski looks up the compromised computer's IP address, derives a unique ID number from it and sends that ID to its command and control (C&C) server.

The payload it then downloads is another PDF file, this time with a genuine .pdf extension, but one that also carries the Dyre banking Trojan.

On a compromised computer, Dyre intercepts credentials for a long list of financial institutions' websites when they are accessed with any of the major browsers (Internet Explorer, Google Chrome, Mozilla Firefox).

The pages the victim sees are not the genuine ones: the malware alters them in real time inside the browser (a man-in-the-browser web injection) to add extra fields that collect sensitive information, giving the attackers access to the victim's bank account or the ability to make online purchases in their name.

[Figure: Recorded detections for the Waski downloader]
[Figure: Australia and New Zealand are most affected, ESET telemetry shows]