11.05 Increased anti-virus engine stability and other improvements in updated Dr.Web CureIt!
May 11, 2022
Adjustments have been made to Dr.Web Virus-Finding Engine to improve its stability.
Meanwhile, the changes affecting Dr.Web Scanning Engine include:
- The new ability to use file masks to define exceptions for files and paths inside an archive;
- A fix for an invalid-path issue involving files being restored from the Quarantine to their original location in a network directory;
- A newly added icon for the Dr.Web Scanning Engine process.
Furthermore, the trusted applications database has also been updated.
27.04 Improved integration with Windows Security Center as components get updated in Dr.Web 12.0 for Windows, Dr.Web Enterprise Security Suite 12.0 and 13.0, and Dr.Web AV-Desk 13.0’s subscription-based Dr.Web Anti-virus software
April 27, 2022
The following components have been updated in all of the products listed.
Dr.Web Scanning Engine (12.6.9.202203290):
- File masks can now be used to define exceptions for files and paths inside an archive.
- An issue that might cause errors while threats were being neutralised has been resolved.
- Also addressed was an invalid-path issue arising when a file was being restored from the Quarantine to its original location in a network directory.
- An icon for the Dr.Web Scanning Engine process has been added.
Dr.Web Control Service (12.12.0.03180):
- The new module Dr.Web WSC Service is now used to integrate the applications with Windows Security Center.
- In debug mode, additional information is now logged whenever items are added to or removed from the allowed devices list.
- An issue causing incorrect values to be set for the Joke, Hacktool and Riskware categories when Dr.Web's settings (Dr.Web 12.0 for Windows) were reset to default has been resolved.
- A threat-detection message typo has been corrected for the Windows Event Log.
- Adjustments have been made to the routines involving blocked licenses.
- A defect that might prevent the applications from being updated automatically if the system time was changed has been eliminated.
- The security of the applications has been improved.
Dr.Web Protection for Windows (12.06.10.04180), the self-protection module:
- Enhanced encryption ransomware detection.
Dr.Web ES Service (12.12.0.03220) has been updated in Dr.Web Enterprise Security Suite 12.0 and 13.0, and Dr.Web AV-Desk 13.0’s subscription-based Dr.Web Anti-virus software:
- An error preventing the Office Control settings from being retrieved when the subscription type was changed from home to business (Dr.Web AV-Desk) has been addressed.
- An issue causing a scheduled task to be performed before a connected task was complete (the option Wait for the completion of the program was toggled on) has been resolved.
- The applications' logging functionality has been improved.
- The security of the applications has been enhanced.
Furthermore, Dr.Web ES Update Helper (1.0.3.01280) has also been updated in these products to further boost their security. Dr.Web Mesh Client (12.5.2.202203210) has been made current in Dr.Web Enterprise Security Suite 13.0 and Dr.Web AV-Desk 13.0’s subscription-based Dr.Web Anti-virus software.
Lua-script for antispam (12.5.8.04140) has been updated to avoid errors in log files while the applications were being installed or removed (relevant for Dr.Web Security Space 12.0, Dr.Web Enterprise Security Suite 12.0 and 13.0 and Dr.Web AV-Desk 13.0’s subscription-based Dr.Web Anti-virus software).
In addition to all the changes listed above, the following components have been updated:
- Lua-script for av-service, dwprot, spider-g3, traffic-hook (12.10.14.12090) and Lua-script for amsi-plugin, elam (12.10.16.01270) (relevant for all the updated products);
- Lua-script for device-guard (12.10.14.12090) in Dr.Web Security Space 12.0, Dr.Web Anti-virus 12.0 for Windows Servers, Dr.Web Enterprise Security Suite 12.0 and 13.0, and Dr.Web AV-Desk 13.0’s subscription-based Dr.Web Anti-virus software;
- Lua-script for net-filter (12.10.14.12090) in Dr.Web Security Space 12.0, Dr.Web Anti-virus 12.0, Dr.Web Enterprise Security Suite 12.0 and 13.0, and Dr.Web AV-Desk 13.0’s subscription-based Dr.Web Anti-virus software;
- Products.xml for standalone (12.0.6.07280) in Dr.Web 12.0 applications for Windows;
- Products.xml for es-agent (12.0.4.02070) and Lua-script for es-service (12.5.6.02070) in Dr.Web Enterprise Security Suite 12.0;
- Products.xml for es-agent (13.0.6.07280) and Lua-script for es-service (12.10.14.12090) in Dr.Web Enterprise Security Suite 13.0 and Dr.Web AV-Desk 13.0’s subscription-based Dr.Web Anti-virus software.
Please note that Windows Security Center may display notifications about the anti-virus being disabled and re-enabled as Dr.Web WSC Service gets installed in the system. The anti-virus protection will remain active at all times while the update is being applied.
It will be downloaded and installed automatically; however, a system reboot will be required.
26.04 Dr.Web Virus-Finding Engine's stability improved
April 26, 2022
The update improves the component's stability and introduces minor adjustments.
Dr.Web Virus-Finding Engine has been updated in the following products:
The x64 architecture (products for home use):
- Dr.Web 11.1/12.0/12.5 for macOS
- Dr.Web Anti-virus 11.1 for Linux
- Dr.Web AV-Desk 10.00.1/10.01.0/13 (subscription-based Dr.Web Anti-virus for Unix-like systems)
The x64 architecture (corporate products):
- Dr.Web 11.1 for Unix Server
- Dr.Web 11.1 for Unix Mail Servers
- Dr.Web Anti-virus 11.1 for Internet gateways Unix
- Dr.Web Enterprise Security Suite 10.00.0/10.00.1/10.01.0/11.00/12.00/13 (agent software for Unix-like systems)
- Dr.Web 11.1 for Kerio mail servers (Linux)
The x86 architecture (products for home use):
- Dr.Web Anti-virus 6/11.0/11.1 for Linux
- Dr.Web 9.0/11.0 for macOS
- Dr.Web Security Space 11.5/12
- Dr.Web Anti-virus 11.5/12
- Dr.Web AV-Desk 10.01.0/13 (subscription-based Dr.Web Anti-virus)
The x86 architecture (corporate products):
- Dr.Web 6/11.0/11.1 for Unix Server
- Dr.Web 6/11.0/11.1 for Unix Mail Servers
- Dr.Web Anti-virus 6/11.0/11.1 for Internet gateways Unix
- Dr.Web Anti-virus for Windows Servers (11.5, 12.0)
- Dr.Web 11.5/12 for MS Exchange
- Dr.Web 11.5/12 for IBM Lotus Domino (Windows)
- Dr.Web LiveDisk 9
- Dr.Web Enterprise Security Suite 11.00/12.00/13
The ARM64 architecture (products for home use):
- Dr.Web Anti-virus 11.1 for Linux
- Dr.Web 12.0/12.5 for macOS
- Dr.Web AV-Desk 13 (subscription-based Dr.Web Anti-virus for Unix-like systems)
The ARM64 architecture (corporate products):
- Dr.Web 11.1 for Unix Server
- Dr.Web 11.1 for Unix Mail Servers
- Dr.Web Anti-virus 11.1 for Internet gateways Unix
- Dr.Web Enterprise Security Suite 12/13 (agent software for Unix-like systems)
Dr.Web Virus Finding Engine is a core anti-virus security component that facilitates malware detection and neutralisation and analyses the suspicious behaviour of applications in the protected system.
The update will be downloaded and installed automatically.
20.04 Celebrate Dr.Web's 30th anniversary and get a free year of Dr.Web Security Space protection for your PCs
April 20, 2022
So, during the promo period, the license price will be reduced from 86.58 Euro to 63.84 Euro.
Dr.Web Security Space incorporates the most advanced anti-virus security technologies, whose development and refinement constitute a history that now spans 3 decades. The complete set of security components will neutralise any Internet threats, regardless of where they may choose to compromise a system: Dr.Web protects the file system, filters out spam messages, and prevents users from stumbling upon dangerous websites. With Dr.Web, encryption ransomware is a security hazard no more.
Don't forget that a Dr.Web Security Space license comes with anti-virus protection for Android as a free gift. So, thanks to the promo, you can get an anti-virus for 2 mobile devices simultaneously at no additional cost whatsoever.
Join our celebration and get a great deal on Dr.Web!
18.04 Doctor Web’s March 2022 virus activity review
April 18, 2022
In March, the number of user requests to decrypt files affected by encoders increased by 13.2% compared to February.
Principal trends in March
- An increase in the number of unique threats
- Adware remains the top threat
According to Doctor Web’s statistics service
The most common threats in March:
- Adware.SweetLabs.5
- An alternative App Store and Add-On for Windows GUI (graphical user interface) by the creators of the “OpenCandy” Adware.
- Adware.Downware.19998
- Adware that often serves as an intermediary installer of pirate software.
- Trojan.Siggen17.24247
- Trojan from the Siggen family.
- Adware.OpenCandy.247
- A family of applications that install other software on the system.
- Trojan.AutoIt.710
- A malicious utility program written in AutoIt language and distributed as part of a miner or RAT trojan.
Statistics for malware discovered in email traffic
- W97M.DownLoader.2938
- X97M.DownLoader.922
- A family of downloader trojans that exploit vulnerabilities in Microsoft Office documents. It can also download other malicious programs to a compromised computer.
- Trojan.Siggen17.24247
- Trojan from the Siggen family.
- BackDoor.SpyBotNET.25
- A backdoor written in VB.NET. It can operate on the file system (copy, create, and delete directories, etc.), terminate processes, and take screenshots.
- HTML.FishForm.279
- A web page spread via phishing emails. It is a bogus authorization page that mimics well-known websites. The credentials a user enters on the page are sent to the attacker.
Encryption ransomware
User requests to decrypt files affected by encoders increased by almost 13.26% compared to February.
- Trojan.Encoder.26996 — 26.23%
- Trojan.Encoder.3953 — 13.99%
- Trojan.Encoder.567 — 8.04%
- Trojan.Encoder.30356 — 1.40%
- Trojan.Encoder.11539 — 1.05%
Dr.Web Security Space for Windows protects against encryption ransomware
Dangerous websites
In March 2022, Doctor Web’s analysts noticed an increase in the number of sites that supposedly pay money for watching videos. The potential victim ends up on a site where entering a bank card number is a mandatory part of registration. In fact, the cybercriminals receive valuable data, and the victim is not paid anything.
The snapshot shows an example of a website like this. Here are the prices for watching the video and the excited reviews from those who have already allegedly made money on it.
Malicious and unwanted programs for mobile devices
In March, Doctor Web warned users about CoinSteal trojans designed to steal cryptocurrencies from owners of Android and iOS devices. Attackers have embedded malicious applications into some versions of popular crypto wallets such as imToken, MetaMask, Bitpie and TokenPocket to distribute them as original ones. Trojans stole secret seed-phrases needed to access crypto wallets.
Besides that, our virus laboratory found other threats on Google Play. Among them were Android.FakeApp and a trojan called
According to the detection statistics of Dr.Web anti-virus products for Android, in March, the
The following March events related to mobile malware are the most noteworthy:
- A decline in the Android.Spy.4498 activity
- High activity of adware trojans
- The discovery of malicious applications designed to steal cryptocurrencies from Android and iOS device users.
Find out more about malicious and unwanted programs for mobile devices in our special overview.
Find out more with Dr.Web
18.04 Dr.Web Security Space for macOS updated to version 12.6.2
April 18, 2022
Specifically, it eliminates a defect that might prevent Dr.Web from completing its scans of certain files.
The update also corrects texts containing error details and introduces minor tweaks for the Dr.Web cloud service.
To upgrade to Dr.Web Security Space 12.6.2 for macOS, users need to download the new distribution file and install the application on their Macs.
18.04 Doctor Web’s March 2022 review of virus activity on mobile devices
April 18, 2022
In March, the activity of the
In mid-March, Doctor Web reported on the discovery of malicious apps designed to steal cryptocurrencies from Android and iOS-based device users. In addition, new trojans have been uncovered on Google Play throughout the month.
PRINCIPAL TRENDS IN MARCH
- The Android.Spy.4498 trojan activity decrease
- Adware trojans remain highly active
- The discovery of malicious apps designed to steal cryptocurrency from Android and iOS device users
Threat of the month
In March, Doctor Web notified users about the discovery of the CoinSteal trojans. They target both Android and iOS-powered device owners and are designed to steal their cryptocurrencies. The malicious actors behind the trojans have modified some versions of popular cryptowallet software, including MetaMask, imToken, Bitpie, TokenPocket, and others. They then spread the malicious modifications as genuine and harmless versions.
Below are the examples of the original MetaMask application and its malicious variant operation:
Unbeknownst to users, the trojans stole secret seed phrases provided by victims and sent them to a remote server. The seed phrases are used to access cryptocurrencies stored in the cryptowallets. Our specialists discovered dozens of such trojans. Read more about this threat in our news report.
According to statistics collected by Dr.Web for Android
- Android.Spy.4498
- A trojan that steals the contents of other apps’ notifications. It can also download apps and prompt users to install them, and can display various dialog boxes.
- Android.HiddenAds.3018
- Android.HiddenAds.1994
- Trojans designed to display obnoxious ads. Trojans of this family are often distributed as popular and harmless applications. In some cases, other malware can install them in the system directory. When these trojans infect Android devices, they typically conceal their presence from the user. For example, they “hide” their icons from the home screen menu.
- Android.MobiDash.6932
- A trojan that displays obnoxious ads. It is a special software module that developers incorporate into applications.
- Android.Triada.4567
- A multifunctional trojan performing various malicious actions. This malware belongs to a trojan family that infects other app processes. Some modifications of this family were found in the firmware of Android devices, implanted by attackers during manufacturing. Some of them can also exploit various vulnerabilities to gain access to protected system files and folders.
- Program.FakeAntiVirus.1
- The detection name for adware programs that imitate anti-virus software. These apps inform users of non-existent threats, mislead them, and demand that they purchase the software’s full version.
- Program.WapSniff.1.origin
- An Android program designed to intercept WhatsApp messages.
- Program.SecretVideoRecorder.1.origin
- Program.SecretVideoRecorder.2.origin
- The detection name for various modifications of an application designed to record videos and take photos in the background using Android devices’ built-in cameras. It can operate covertly, since notifications about ongoing recordings can be disabled. It also allows the app’s icon and name to be replaced with fake ones. This functionality makes this software potentially dangerous.
- Program.KeyStroke.3
- An Android application capable of intercepting keystrokes. Some modifications of this software can also track incoming SMS, monitor call history, and record phone calls.
- Tool.SilentInstaller.14.origin
- Tool.SilentInstaller.6.origin
- Tool.SilentInstaller.13.origin
- Tool.SilentInstaller.7.origin
- Riskware platforms that allow applications to launch APK files without installation. They create a virtual runtime environment that does not affect the main operating system.
- Tool.Packer.1.origin
- A packer tool designed to protect Android applications from unauthorized modification and reverse engineering. This tool is not malicious by itself, but it can be used to protect both harmless and malicious software.
Program modules incorporated into Android applications. These are designed to display obnoxious ads on Android devices. Depending on their family and modifications, they can display full-screen ads and block other apps’ windows, show various notifications, create shortcuts, and load websites.
- Adware.SspSdk.1.origin
- Adware.AdPush.36.origin
- Adware.Adpush.6547
- Adware.Adpush.16510
- Adware.Myteam.2.origin
Threats on Google Play
In March, Doctor Web’s malware analysts discovered yet more fake apps from the
In addition, our specialists revealed the
To protect your Android device from malware and unwanted programs, we recommend installing Dr.Web anti-virus for Android.

Your Android needs protection.
Use Dr.Web
- The first Russian anti-virus for Android
- Over 140 million downloads—just from Google Play
- Available free of charge for users of Dr.Web home products
18.04 An increase in malware activity and other events of March 2022
April 18, 2022
18.04 Cryptocurrency-stealing trojans, more threats on Google Play and other events in Doctor Web’s March 2022 mobile malware activity overview
April 18, 2022
Other threats in March were CoinSteal trojans designed to steal cryptocurrencies. They attack both Android and iOS users. In addition, new malware was discovered on Google Play.
Read more about these and other events in our review.
18.04 OpenSSL updated for server software in Dr.Web Enterprise Security Suite 13.0 and Dr.Web AV-Desk 13.0
April 18, 2022
Specifically, OpenSSL, which is used by the Dr.Web server, has been updated to version 1.1.1n.
Furthermore, an issue preventing the server cache from being cleared in a timely manner has been addressed.
The server software can be updated via the Dr.Web Global Update System.
14.04 Upgrades in DrWebBot 2.1 for Telegram
April 14, 2022
The update improves link parsing and analysis routines and optimises the scanning procedure for certain types of attachments.
To use DrWebBot, find the Telegram account @DrWebBot (or go to telegram.me/drwebbot) and send it a file or a link. The bot will check it for viruses and report on the results.
13.04 Components updated in Dr.Web 11.1 products for Unix-like systems and Dr.Web Enterprise Security Suite 13.0’s Scanning Server
April 13, 2022
Minor adjustments have been made to improve the modules' performance.
The update is performed via the Dr.Web repository. Also note that Dr.Web Enterprise Security Suite’s Scanning Server can be updated using the standard .run file updating routine of Dr.Web applications for Unix-like systems.
05.04 Dr.Web Virus-Finding Engine rolled back in Dr.Web series 6-11 products
April 5, 2022
The component’s rollback in Dr.Web anti-virus application versions 6-11 has been done to ensure its stable operation.
Dr.Web Virus-Finding Engine has been updated in the following products:
- Dr.Web Security Space 7/8/9/10/11.0;
- Dr.Web Anti-virus 7/8/9/10/11.0;
- Dr.Web Anti-virus 7/8/10/11.0 for Windows Servers;
- Dr.Web 10.0/11 for MS Exchange;
- Dr.Web 10/11.0 for IBM Lotus Domino;
- Dr.Web ATM Shield 6;
- Dr.Web 6.0 for Kerio mail servers (Windows);
- Dr.Web 6.0 for Kerio Internet gateways (Windows);
- Dr.Web 6.0 for MIMEsweeper;
- Dr.Web LiveDisk 9;
- Dr.Web 6.0 for Qbik WinGate;
- Dr.Web 6.0 for TrafficInspector;
- Dr.Web CureNet! 10/11;
- Dr.Web 11.0 for Microsoft ISA Server and Forefront TMG;
- Dr.Web AV-Desk 10.00.1;
- Dr.Web Enterprise Security Suite 10.00.0/10.00.1/10.01.0.
Furthermore, Dr.Web Scanning Engine (11.5.4.201810010) has been made current in Dr.Web Enterprise Security Suite 10.01.0.
To roll back Dr.Web Virus-Finding Engine to the previous version, a system restart will be required. The corresponding system restart prompt will be displayed by the Dr.Web Enterprise Security Suite 10.01.0 software. Systems running other relevant Dr.Web products must be rebooted manually. Warning: the applications may not be able to operate properly until after a system restart.
We recommend updating the Dr.Web applications to their latest versions to ensure their stable and effective operation.
05.04 Dr.Web Anti-rootkit API updated in Dr.Web 12.0 for Windows, Dr.Web Enterprise Security Suite 12.0 and 13.0, and Dr.Web AV-Desk 13.0’s subscription-based Dr.Web Anti-virus software
April 5, 2022
Adjustments have been made to the module's preventive protection routines to avoid potential false positives.
The update will be downloaded and installed automatically.
31.03 Doctor Web presents the virus activity review for February 2022
March 31, 2022
In February, the number of user requests to decrypt files affected by encoders decreased by 10.72% compared with January.
Principal trends in February
- A rise in malware activity
- Adware remains among the top threats
According to Doctor Web’s statistics service
The most common threats in February:
- Adware.SweetLabs.5
- An alternative App Store and Add-On for Windows GUI (graphical user interface) by the creators of the “OpenCandy” Adware.
- Adware.Downware.19998
- Adware that often serves as an intermediary installer of pirate software.
- Adware.OpenCandy.247
- A family of applications that install other software on the system.
- Trojan.AutoIt.710
- Trojan.AutoIt.961
- A malicious utility program written in AutoIt language and distributed as part of a miner or RAT trojan.
Statistics for malware discovered in email traffic
- W97M.DownLoader.2938
- A family of downloader trojans that exploit vulnerabilities in Microsoft Office documents. They are designed to download other malicious programs onto a compromised computer.
- HTML.Fisher.353
- An HTML phishing page that includes a form for filling in credentials to access an email account.
- BackDoor.SpyBotNET.25
- A backdoor written in VB.NET. It can operate on the file system (copy, create, and delete directories, etc.), terminate processes, and take screenshots.
- Trojan.PackedNET.1168
- Packed malware.
- HTML.FishForm.294
- A web page spread via phishing emails. It is a bogus authorization page that mimics well-known websites. The credentials a user enters on the page are sent to the attacker.
Encryption ransomware
User requests to decrypt files affected by encoders decreased by almost 10.72% compared to January.
- Trojan.Encoder.26996 — 23.63%
- Trojan.Encoder.3953 — 11.99%
- Trojan.Encoder.567 — 3.77%
- Trojan.Encoder.11539 — 3.77%
- Trojan.Encoder.30356 — 3.42%
Dr.Web Security Space for Windows protects against encryption ransomware
Dangerous websites
In February, Doctor Web’s analysts noticed an increase in fraudulent banking sites disguised as official online delivery services. For each user, a unique page with confidential data is created. The page asks the user to enter bank card details for payment.
The snapshot shows an example of a website like this, with fake shipment numbers and a payment status.
Malicious and unwanted programs for mobile devices
According to the detection statistics of Dr.Web anti-virus products for Android, in February, the
Among the threats identified by Doctor Web specialists in the Google Play catalog are new fake programs from the
The following February events related to mobile malware are the most noteworthy:
- Growth in the activity of the Android.Spy.4498 trojan
- High activity of adware trojans
- Emergence of new malicious applications on Google Play
Find out more about malicious and unwanted programs for mobile devices in our special overview.
Find out more with Dr.Web
31.03 Doctor Web’s February 2022 review of virus activity on mobile devices
March 31, 2022
In February, the
All sorts of fake apps from the
PRINCIPAL TRENDS IN JANUARY
- The Android.Spy.4498 trojan remains the leader among the threats detected on protected Android devices
- Adware trojans are still an active threat
- The appearance of new threats on Google Play
According to statistics collected by Dr.Web for Android
- Android.Spy.4498
- A trojan that steals the contents of other apps’ notifications. It can also download apps and prompt users to install them, and can display various dialog boxes.
- Android.HiddenAds.3018
- Android.HiddenAds.624.origin
- Trojans designed to display obnoxious ads. Trojans of this family are often distributed as popular and harmless applications. In some cases, other malware can install them in the system directory. When these trojans infect Android devices, they typically conceal their presence from the user. For example, they “hide” their icons from the home screen menu.
- Android.MobiDash.6932
- A trojan that displays obnoxious ads. It is a special software module that developers incorporate into applications.
- Android.DownLoader.475.origin
- A trojan that downloads other malware and unwanted software. It can be hidden inside seemingly harmless apps found on Google Play or on malicious websites.
- Program.FakeAntiVirus.1
- The detection name for adware programs that imitate anti-virus software. These apps inform users of non-existent threats, mislead them, and demand that they purchase the software’s full version.
- Program.SecretVideoRecorder.1.origin
- Program.SecretVideoRecorder.2.origin
- The detection name for various modifications of an application designed to record videos and take photos in the background using Android devices’ built-in cameras. It can operate covertly, since notifications about ongoing recordings can be disabled. It also allows the app’s icon and name to be replaced with fake ones. This functionality makes this software potentially dangerous.
- Program.KeyStroke.3
- An Android application capable of intercepting keystrokes. Some modifications of this software can also track incoming SMS, monitor call history, and record phone calls.
- Program.WapSniff.1.origin
- An Android program designed to intercept WhatsApp messages.
- Tool.SilentInstaller.14.origin
- Tool.SilentInstaller.6.origin
- Tool.SilentInstaller.13.origin
- Tool.SilentInstaller.7.origin
- Riskware platforms that allow applications to launch APK files without installation. They create a virtual runtime environment that does not affect the main operating system.
- Tool.DdosId.1.origin
- An Android app designed for stability and stress testing of networks, web servers, and websites. It is not malicious itself, but it can be used to perform DoS (Denial-of-Service) attacks. That is why Dr.Web detects it as a potentially dangerous tool.
Program modules incorporated into Android applications. These are designed to display obnoxious ads on Android devices. Depending on their family and modifications, they can display full-screen ads and block other apps’ windows, show various notifications, create shortcuts, and load websites.
- Adware.AdPush.36.origin
- Adware.SspSdk.1.origin
- Adware.Myteam.2.origin
- Adware.Adpush.16510
- Adware.Adpush.6547
Threats on Google Play
Throughout February, Doctor Web’s specialists discovered more fake apps on Google Play. Malicious actors use these in various fraudulent schemes. Some of them, like the
In addition,
Our malware analysts have also uncovered an
To protect your Android device from malware and unwanted programs, we recommend installing Dr.Web for Android.

Your Android needs protection.
Use Dr.Web
- The first Russian anti-virus for Android
- Over 140 million downloads—just from Google Play
- Available free of charge for users of Dr.Web home products
31.03 Spying trojan activity increase, threats on Google Play, and other events in Doctor Web’s February 2022 mobile malware activity overview
March 31, 2022
At the same time, threat actors continue distributing various malicious apps through Google Play. For example, our specialists discovered yet more fake apps from the
31.03 An increase in malware activity and other events of February 2022
March 31, 2022
31.03 Doctor Web discontinues support for Dr.Web Security Space for BlackBerry
March 31, 2022
Notwithstanding that, Doctor Web would like to remind all users that its product line does include a reliable anti-virus app for mobile devices—Dr.Web Security Space for Android.
31.03 Dr.Web Anti-rootkit API updated in Dr.Web 12.0 for Windows, Dr.Web Enterprise Security Suite 12.0 and 13.0, and Dr.Web AV-Desk 13.0’s subscription-based Dr.Web Anti-virus software
March 31, 2022
Specifically, adjustments have been made to the module's preventive protection routines to avoid potential false positives.
The update will be downloaded and installed automatically.
29.03 Updates made to DrWebBot 2.1 for Telegram and DrWebBot 1.0 for VK
March 29, 2022
Specifically, it addresses a defect that might increase link scanning time and cause a delayed response to users' commands in Telegram.
The key component DrWebBot Checker, which facilitates file and link scanning, has been made current.
To use DrWebBot, find the Telegram account @DrWebBot (or go to telegram.me/drwebbot) and send it a file or a link. The bot will check it for viruses and report on the results.
To start using DrWebBot for VK, open this link. To configure the bot, use the ‘/settings’ command. Here, you can select the language for communicating with the bot and how the bot should notify you about link and file scanning results.
29.03 Dr.Web Anti-rootkit API updated in Dr.Web 12.0 for Windows, Dr.Web Enterprise Security Suite 12.0 and 13.0, and Dr.Web AV-Desk 13.0’s subscription-based Dr.Web Anti-virus software
March 29, 2022
Specifically, it enhances the applications' encryption ransomware detection capabilities.
The update will be downloaded and installed automatically.
24.03 Study of an APT attack on a telecommunications company in Kazakhstan
March 24, 2022
Because of the hackers' mistake, we got a unique opportunity to study the lists of victims and find out what backdoor management tools were used. Based on the acquired information, we concluded that the hacker group specialized in compromising Asian companies’ mail servers running Microsoft Exchange. That said, we also found victims in other countries, including:
- An Egyptian government agency
- An Italian airport
- A US marketing company
- Canadian transport and woodworking companies
The logs collected along with the command and control server included victims infected from August 2021 to early November of the same year. Yet, in some cases, BackDoor.Whitebird.30 was installed not only on the server running Microsoft Exchange, but on domain controllers, too. Based on the tools, methods, and infrastructure used, we conclude that the Calypso APT hacker group is behind the attack.
Remote Rover
The command and control server for BackDoor.Whitebird.30 is called Remote Rover. It allows hackers to remotely launch applications, update the backdoor configuration, and download and upload files. Remote Rover also provides a command shell. This is what the control server interface looks like:
Remote Rover came with a configuration file CFG\default.ini with the following content:
E:\个人专用\自主研发远程\2021\RR\配置备份\telecom.cfg OneClock.exe
If you translate the content from Chinese into English, you get this path:
E:\personal use\Independent research and development remote\2021\RR\Configuration backup\telecom.cfg
For a detailed description of the malware used and how it works, see the PDF version of the study or the Dr.Web Virus Library.
- BackDoor.Siggen2.3622
- BackDoor.PlugX.93
- BackDoor.Whitebird.30
- Trojan.Loader.891
- Trojan.Loader.896
- Trojan.Uacbypass.21
- Trojan.DownLoader43.44599
Conclusion
During the investigation of the targeted attack, Doctor Web virus analysts found and described several backdoors and trojans. It’s worth noting that the attackers managed to remain undetected for a long time, as in other targeted attack incidents: the hacker group compromised the telecommunications company's network more than two years ago.
Doctor Web specialists recommend regularly checking the health of network resources and promptly fixing failures that may indicate the presence of malware on the network. Data compromise is one of the main dangers of targeted attacks, but the long-term presence of intruders is also a cause for concern. Such a presence allows them to monitor the organization’s work for many years and gain access to especially sensitive information at a moment of their choosing. If you suspect malicious activity in the corporate network, the best option is to contact the Doctor Web virus laboratory for qualified help. Dr.Web FixIt! helps you to detect malware on servers and workstations. Taking adequate measures in time will minimize the damage and prevent the serious consequences of targeted attacks.
24.03 Stability and effectiveness improve as components get updated in Dr.Web 12.0 for Windows, Dr.Web Enterprise Security Suite 12.0 and 13.0, and Dr.Web AV-Desk 13.0’s subscription-based Dr.Web Anti-virus software
March 24, 2022
Changes made to Dr.Web Anti-rootkit API:
- Enhanced encryption ransomware detection;
- Improved module stability;
- Optimised application performance.
Changes made to Dr.Web Thunderstorm Cloud Client SDK:
- Improved module stability;
- Improved application security.
The update will be downloaded and installed automatically.
23.03 Enhanced threat detection and other changes in the updated Dr.Web CureIt!
March 23, 2022
Specifically, it addresses an anti-rootkit module issue that might cause a system crash while the boot sectors were being scanned.
Furthermore, adjustments have been made to Dr.Web Virus-Finding Engine to improve its stability and threat detection capabilities. Recall that Dr.Web Virus Finding Engine is a core anti-virus security component that facilitates the detection and neutralisation of malware and analyses the suspicious behaviour of applications in the protected system.
The trusted applications database has also been updated.