
The Waski loader is used to distribute the Dyreza banking Trojan

We have written about banking Trojans several times before and have published detailed analyses of them [ 1 ] [ 2 ] [ 3 ] [ 4 ]. Attackers use banking malware to obtain users' confidential banking information. Technically, this is done by compromising the process of the web browser or of a standalone application used for online banking.



In addition to phishing emails and exploit kits, banking Trojans can be spread by other malicious programs, so-called loaders or downloaders. In this scheme, some cybercriminals pay others to distribute their malware to computers that are already infected with the loader. One such loader is Win32/TrojanDownloader.Waski.
Loaders are typically compact and specialize in a single task: downloading a file to the victim's computer that is the real payload. According to our ESET LiveGrid statistics, Waski is one of the most widespread malware families and regularly appears in our monthly threat rankings. The first Waski samples were found in Germany and Switzerland, and later in other regions, including Australia, New Zealand, Ireland, the United Kingdom, Canada, and the United States.


Fig. Geographic distribution of Win32/TrojanDownloader.Waski detections (April 2, 2015).

Since the beginning of 2015, we have seen a significant increase in the number of detections of this loader. This is no coincidence: more and more cybercriminals are using Waski to spread their malware.


Fig. The increase in the number of Waski detections since the beginning of 2015

Attackers spread Waski through phishing emails. The message carries an archive attachment with the malicious program inside. Both the subject and the body of the message are written in English.


Fig. An example of a phishing message.

The picture above shows a typical message used to spread Waski. In this case, the email was sent ostensibly on behalf of a company. The archive contains the Waski executable. Once launched on the system, it begins downloading other malware to the computer from preset URLs.

Waski is popular with attackers who use it to distribute their malware. We found that the loader is being used to distribute a banking Trojan known as Dyre or Dyreza, which ESET products detect as Win32/Battdil and Win64/Battdil. Customers of Bank of America have previously fallen victim to this banking Trojan.

The Waski executable itself is distributed with a PDF file icon to lull users' vigilance. Once launched on the system, the loader determines the external IP address of the victim's computer using the checkip.dyndns service. From this address and other information about the victim's computer (computer name, Windows version, service pack number), the malicious code generates a unique identifier and sends it to a remote C&C server.

After that, the malicious code downloads an encrypted file with a PDF extension from the remote server. This file is not a real PDF document but a combination of two files: the Win32/Battdil banking Trojan and a legitimate PDF file. Waski then contacts its C&C server again and reports that the system has been successfully compromised.
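Both the attachment described above (an executable dressed up with a PDF icon) and the downloaded "PDF" that is really a banking Trojan glued to a genuine document are cases of a file whose content does not match what it claims to be. The following is an added example, not code from the original post or from ESET, of a check a defender can run over files with a PDF extension: it looks for the `%PDF-` magic and for a valid PE header (an `MZ` DOS header whose `e_lfanew` field points at a `PE\0\0` signature) anywhere in the file, and reports how the two are arranged. The post does not describe how the downloaded file is encrypted, so the check is meant for plaintext files on disk; the sample inputs below are constructed, and the minimal PE header is a synthetic stand-in, not a real Battdil sample.

```python
import struct

PDF_MAGIC = b"%PDF-"


def find_embedded_pe(data: bytes):
    """Return the offset of the first structurally valid PE header in data, or None.

    A valid header has 'MZ' at the start, a 32-bit e_lfanew at offset 0x3C,
    and the 'PE\\0\\0' signature at that offset.
    """
    pos = 0
    while True:
        pos = data.find(b"MZ", pos)
        if pos < 0:
            return None
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            pe_off = pos + e_lfanew
            # Sanity bounds on e_lfanew keep random 'MZ' bytes in a PDF from matching.
            if 0x40 <= e_lfanew < 0x1000 and data[pe_off:pe_off + 4] == b"PE\0\0":
                return pos
        pos += 2


def inspect_pdf_claim(data: bytes) -> dict:
    """Classify a blob that is presented (by extension or icon) as a PDF."""
    pe_off = find_embedded_pe(data)
    pdf_off = data.find(PDF_MAGIC)
    if pe_off is None:
        verdict = "pdf" if pdf_off == 0 else "not-pdf"
    elif pe_off == 0:
        # Executable first: either a bare PE or a PE with a decoy document appended.
        verdict = "pe-then-pdf" if pdf_off > 0 else "pe"
    else:
        verdict = "pdf-then-pe" if pdf_off == 0 else "pe-inside"
    return {"pe_offset": pe_off, "pdf_offset": pdf_off, "verdict": verdict}


# --- constructed sample inputs (not real malware bytes) ---

def make_fake_pe() -> bytes:
    """Smallest byte sequence that find_embedded_pe accepts: DOS header + PE signature."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)          # 64-byte DOS header
    struct.pack_into("<I", hdr, 0x3C, 0x40)          # e_lfanew -> right after the header
    return bytes(hdr) + b"PE\0\0" + b"\0" * 20       # signature + COFF header placeholder


FAKE_PDF = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n"
FAKE_PE = make_fake_pe()


if __name__ == "__main__":
    for label, blob in [("clean pdf", FAKE_PDF),
                        ("pe with pdf icon", FAKE_PE),
                        ("pe + appended pdf", FAKE_PE + FAKE_PDF),
                        ("pdf + appended pe", FAKE_PDF + FAKE_PE)]:
        print(f"{label:20s} -> {inspect_pdf_claim(blob)}")
```

The `e_lfanew` bounds check matters in practice: PDF streams and compressed objects routinely contain the two bytes `MZ`, so matching on the DOS header alone produces false positives, while requiring the `PE\0\0` signature at the offset the header itself points to does not.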


Fig. An example of Waski's interaction with a C&C server. The download of the encrypted file described above is highlighted in red.
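The sequence just described (an external-IP lookup via checkip.dyndns, a check-in with the C&C server, a download of a file with a PDF extension, and a second check-in) is visible from the network side, which makes it a candidate for a proxy-log correlation rule. The following is an added example, not from the original post or from ESET, that flags a client which contacts an IP-lookup service and then, within a short window, fetches a `.pdf` URL. The log format, the client addresses, the C&C hostnames and paths, and the five-minute window are all constructed for the example; the lookup hostnames are an assumption based on the post naming the checkip.dyndns service.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed proxy log: "timestamp client method url" (not a real product's format).
# Hosts under .invalid are placeholders for the attacker infrastructure the post mentions.
SAMPLE_LOG = """\
2015-04-02T10:00:01 10.0.0.5 GET http://checkip.dyndns.org/
2015-04-02T10:00:03 10.0.0.5 GET http://c2-placeholder.invalid/checkin?id=ID_PLACEHOLDER
2015-04-02T10:00:05 10.0.0.5 GET http://c2-placeholder.invalid/download/report.pdf
2015-04-02T10:00:07 10.0.0.5 GET http://c2-placeholder.invalid/checkin?status=done
2015-04-02T10:30:00 10.0.0.9 GET http://checkip.dyndns.org/
2015-04-02T11:15:00 10.0.0.9 GET http://intranet.example/docs/policy.pdf
2015-04-02T11:20:00 10.0.0.7 GET http://intranet.example/docs/manual.pdf
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")
# Assumed hostnames of the lookup service named in the post.
IP_LOOKUP_HOSTS = {"checkip.dyndns.org", "checkip.dyndns.com"}
WINDOW = timedelta(minutes=5)  # constructed threshold, tune to the environment


def parse_log(log: str):
    """Turn log text into (timestamp, client, method, url, host) tuples, skipping bad lines."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, method, url = m.groups()
        host = (urlsplit(url).hostname or "").lower()
        events.append((datetime.fromisoformat(ts), client, method, url, host))
    return events


def find_lookup_then_pdf(log: str, window: timedelta = WINDOW):
    """Return one hit per (client, lookup) pair followed by a .pdf fetch inside the window."""
    by_client = defaultdict(list)
    for ev in sorted(parse_log(log)):
        by_client[ev[1]].append(ev)

    hits = []
    for client, evs in by_client.items():
        for i, (ts, _, _, _, host) in enumerate(evs):
            if host not in IP_LOOKUP_HOSTS:
                continue
            for ts2, _, _, url2, host2 in evs[i + 1:]:
                if ts2 - ts > window:
                    break  # events are time-ordered, nothing later can match this lookup
                if urlsplit(url2).path.lower().endswith(".pdf"):
                    hits.append({"client": client, "lookup_at": ts.isoformat(),
                                 "pdf_url": url2, "pdf_host": host2})
    return hits


if __name__ == "__main__":
    for hit in find_lookup_then_pdf(SAMPLE_LOG):
        print(hit)
```

On the constructed log only 10.0.0.5 is flagged: 10.0.0.9 performs a lookup but fetches its PDF 45 minutes later, and 10.0.0.7 never performs a lookup at all. In a real deployment the rule is a triage signal rather than a verdict, and it pairs naturally with a content check on the fetched file, since the post notes the "PDF" is not a document at all.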

The Dyreza malware (Win32/Battdil) consists of two parts: an injector and a payload. The injector is an EXE file whose job is to inject the payload (a DLL) into running web browser processes. The payload then starts its main task: intercepting confidential online banking data. Dyreza can also modify online banking web pages so that the user is prompted to enter confidential card details such as a PIN code. This information is then sent over an SSL connection to the attackers' C&C server; the Invisible Internet Project (I2P) can also be used for C&C communication.

Source: https://habr.com/ru/post/256971/

