Deadly combination of Upatre and Dyre Trojans still actively targeting users

Upatre (or Waski) is a downloader Trojan that has lately become the malware of choice for cyber crooks to deliver additional, more dangerous malware on users’ computers.

A few weeks ago, Swiss and German users were targeted with email campaigns attempting to deliver it. Now the criminals have shifted to targeting English-speaking users in the UK, Ireland, US, Canada, Australia and New Zealand.

The threat comes via a seemingly harmless email coming from an employee of a random company such as this one, usually consisting of a short line, urging recipients to download the attached ZIP or PDF file.

The attachment is actually an executable (a .exe file).

“Once it’s started, the malware first checks the victim’s public IP address by requesting it from checkip.dyndns. Using the IP and other information of the victim’s computer (computer name, Windows version, and service pack number), a unique identification number is calculated and then sent to the Waski command-and-control server (C&C),” shared ESET’s Raphael Labaca Castro.

“Then Waski downloads an encrypted file (usually from a compromised website) that has a PDF file extension. But it is not a true PDF file; instead, it is a merge of two files: the malware Win32/Battdil and a regular PDF file. After that, Waski again contacts its C&C server and reports the successful compromise.”

The Battdil Trojan is better known by its other name: Dyre/Dyreza. It can intercept online banking credentials, and shows an alternative site to users wanting to access their bank’s website – one that requires them to enter additional information that can be used by the attackers to empty their accounts.

More likely than not, this latest spotted campaign is part of a recently discovered larger one (Dyre Wolf) that targets businesses around the world.