Win32/TrojanDownloader.Wauchos, a Trojan downloader that peaked briefly back in May, is enjoying a resurgence in the UK and Europe thanks to an energetic spam campaign.
Stephen Cobb, my friend and colleague at ESET North America brought to my attention this morning a spike, local to the United Kingdom, in detections of Win32/TrojanDownloader.Wauchos. This is interesting, but kind of strange, considering that the malware in question goes back to May 2012 and we haven't had to modify our detection (signature, if you must…) for quite a while.
At the moment it accounts for 24.69% of UK detections picked up by our telemetry – it accounts for 0.83% of detections worldwide, and previously peaked at 3.23% worldwide on May 14th. While highly generic detections can fluctuate wildly in volume and locality, it's kind of unusual for a more specific detection to show up again in such unusually high volumes.
As you can see from the screenshot It's also spiking in Germany: not quite so dramatically (14.3%, which is still pretty dramatic, but doesn't merit a bright red). It's also presenting an upward trend – but in much smaller volumes so far – in other parts of Europe. If you check the actual map on Virus Radar you'll see that its prevalence is only very slightly above the average in the US.
White areas are those for which we have no telemetry data.
Our data from-the-cloud suggests distribution by spam campaign, using file names like E-ticket-BritishAirways.pdf.exe, Vodafone_MMS.jpg.exe, Facebook-message-Foto.jpeg.exe, and Pay_by_Phone_Parking_Receipt.pdf.exe. (Tip of the hat to Pierre-Marc and Dusan for the information about the spam campaign.)
Obviously, we have good detection coverage, and given the age of the malware, I'd expect other vendors to be on top of it too, so while there are obviously people out there who don't have or don't maintain good AV protection (and may be fooled by this quaintly old-fashioned trick of giving malware a double filename extension to make it harder to spot that it's actually an .EXE), this apparent spike may represent an intensive spam campaign rather than an epidemic of actual infections.
David Harley CITP FBCS CISSP
ESET Senior Research Fellow