June 19, 2019

Researchers at Doctor Web’s virus laboratory have studied a new type of downloader trojan. The malware is written in JavaScript and uses Node.js to launch itself within a system. The malicious software is distributed through websites with cheats for popular video games and received the name Trojan.MonsterInstall.

Yandex has submitted a rare sample of the Node.js trojan for research to Doctor Web’s virus laboratory. This malware was distributed via websites with video game cheats and has several versions and components.

When users attempt to download a cheat they download a password-protected 7zip archive to their computers. Inside there is an executable file; which upon launch, will download the requested cheats alongside other trojan’s components.

Upon launching on the victim's device, Trojan.MonsterInstall downloads and installs all the components necessary for its work, gathers information about the system its installed on, and sends it to the developer’s server. After receiving a response, it installs itself in the autorun and starts mining the TurtleCoin cryptocurrency.

Developers of this malware own several websites with game cheats, which they use to spread the malware, but they also infect other similar websites with the same trojan. According to SimilarWeb’s statistics, users browse these websites at least 127,400 times per month.

Websites owned by the malware developers:

• румайнкрафт[.]рф;
• clearcheats[.]ru;
• mmotalks[.]com;
• minecraft-chiter[.]ru;
• torrent-igri[.]com;
• worldcodes[.]ru;
• cheatfiles[.]ru.

Moreover, some cheats from the proplaying[.]ru website turned out to be infected as well.

Doctor Web’s experts recommend that users timely update the anti-virus and avoid downloading suspicious software.

We would also like to thank specialists from Yandex for providing the sample and additional information about the trojan’s points of distribution.

More about this Trojan

Indicators of compromise

#JavaScript #games #mining

June 14, 2019

Doctor Web experts discovered the Android.FakeApp.174 trojan that uses Google Chrome to load questionable websites that subscribe users to advertising notifications. Notifications pop up even if the browser is closed and may be mistaken for system notifications. Not only do they bother users of Android devices, but may also lead to losing money and confidential information.

The Web Push technology allows websites to send notifications even when the webpage is not open in the browser if the user agrees to that. When it comes to harmless websites, this feature can be useful and convenient. For example, social media can notify the users on new messages, and news agencies can spread information about new articles. However, cybercriminals and unscrupulous advertisers can abuse this technology by spreading advertising and fraudulent notifications that come from hacked or malicious websites.

PC, laptop browsers, as well as mobile devices support these notifications. Typically, the victim gets to a questionable spamming website by clicking a unique link or an advertising banner. Android.FakeApp.174 is one of the first trojans that helps attackers increase the number of visitors of these websites and subscribe users of smartphones and tablets to such notifications.

Android.FakeApp.174 is distributed under the guise of useful programs; for example, official software of well-known brands. In early June, Doctor Web malware analysts detected two of the trojan modifications on Google Play. After contacting Google, the malware was removed, yet over 1,100 users have already downloaded malicious apps.

When launched, the trojan loads a website in Google Chrome. The website is specified in the trojan settings. According to its parameters, it performs several redirects to pages of various affiliated programs. Each of them prompts the user to allow notifications. To be convincing, they inform the victim that it is done for verification purposes (for example, that the user is not a robot), or simply hint on which dialog button to click. Thus, they increase the number of successful subscriptions. See examples of such queries in the images below:

After activating the subscription, websites start sending the user numerous notifications of questionable content. Notifications are displayed in the status bar of the operating system even if the browser is closed and the trojan has already been removed. The contents can be anything, from false notifications about cash bonuses or transfers or new messages on social media to advertisements of horoscopes, casinos, goods and services, even various “news”.

Many of them look like real notifications of actual online services and applications installed on the device. For example, they display the logo of a bank, a dating website, a news agency, or a social network, as well as an eye-catching banner. Owners of Android devices can receive dozens of such spam messages per day.

Although these notifications also indicate the address of the website they come from, an unskilled user may fail to notice it, or not give it much thought. See below the examples of fraudulent notifications:

Having clicked a notification, the user is redirected to a website with questionable content. This may include advertising of casinos, betting shops, various Google Play applications, discounts and coupons, fake online polls and prize drawings, aggregators of partner links, and other online resources that vary depending on the country of residence of the user. See examples of such websites below:

Many of these resources are involved in well-known fraudulent schemes for stealing funds, but attackers can also launch an attack to steal confidential data at any time. For example, by sending an “important” notification via the browser on behalf of a bank or a social network. Potential victims can think the fake notification is real and tap it only to be redirected to a phishing site, where they will be prompted to indicate their name, credentials, email addresses, bank card numbers, and other confidential information.

Doctor Web experts believe that cybercriminals will make more active use of this method to promote questionable services, so mobile users should be careful while visiting websites and not subscribe to notifications if the website is unfamiliar or suspicious. If you are already subscribed to spam notifications, perform the following steps:

• Go to the Google Chrome settings, select “Site Settings” and then “Notifications”;
• On the list of websites with notifications, find the website address, tap it, and select “Clear & reset”.

Dr.Web for Android successfully detects and removes all known modifications of Android.FakeApp.174, so the trojan does not pose any threat to our users.

Read more about Android.FakeApp.174

Your Android needs protection.

Use Dr.Web

• The first Russian anti-virus for Android
• Over 140 million downloads—just from Google Play
• Available free of charge for users of Dr.Web home products

Free download

June 5, 2019

Russian anti-virus company Doctor Web has updated SpIDer Agent for Windows (12.0.6.05161), Dr.Web Scanner SE (12.0.4.04020), the Dr.Web Shell Extension module (12.0.4.04040), Dr.Web Scanning Engine (12.0.4.201904220) and Lua-script for dwl (12.0.6.04110) in Dr.Web Security Space 12.0, Dr.Web Anti-virus 12.0 and Dr.Web Anti-virus 12.0 for Windows Servers. Furthermore, Dr.Web Security Space 12.0 and Dr.Web Anti-virus 12.0 have also had Dr.Web Net filtering Service (12.0.4.04261) and Dr.Web for Outlook Plugin (12.0.4.201905281) updated. The update delivers new features and addresses identified issues.

Changes made to SpIDer Agent for Windows:

• Minor UI defects have been corrected;
• Problems with the file dialogue box have been eliminated;
• Now Dr.Web checks if system restart permissions are available under the current user account before the “Restart now” prompt appears on the notification bar;
• The new UI language file format is now supported.

Changes made to Dr.Web Scanner SE:

• UI elements in the plugin settings window now display properly on high-resolution screens;
• More accurate information about scanning progress is now displayed;
• The new UI language file format is now supported.

Changes made to the Dr.Web Net filtering Service:

• The new UI language file format is now supported.

Changes made to Dr.Web for Outlook Plugin:

• Issues involving Polish UI texts have been resolved;
• Text file previews generated during the malicious attachment neutralisation process now display correctly;
• The correct number of ignored objects is now shown in the statistics;
• An issue that could interrupt email scanning if MS Outlook was being started from the context menu has been resolved;
• The new UI language file format is now supported.

Furthermore, the UI language file format (LNG instead of DWL) and the files' catalogue location have been changed.

The update will be performed automatically; however, a system reboot will be required.

June 4, 2019

Russian anti-virus company Doctor Web has updated the amsi-client module (12.0.3.201906040) in Dr.Web Security Space, Dr.Web Anti-virus and Dr.Web Anti-virus for Windows Servers 11.5 and 12.0, and Dr.Web Enterprise Security Suite 11.0. The update delivers a fix for an identified problem.

Specifically, it eliminates a problem preventing War Thunder from launching under Windows 10 1903 Redstone 6.

The update will be downloaded and installed automatically.

June 4, 2019

Russian anti-virus company Doctor Web has released Dr.Web 12.0.4 for Microsoft Exchange Server. The update delivers upgrades for the anti-spam module.

A new module option lets users specify additional types of objects that are to be marked as spam. Those include mailing lists, advertisements, suspected spear-phishing emails, social media messages, and transaction notifications. The option can be found in the «Mark as spam» section.

More information about the upgrade process, as well as the system requirements for Dr.Web 12.0.4 for Microsoft Exchange Server, can be found in the release notes.

June 3, 2019

Doctor Web presents its May 2019 virus activity review. A new malware threatens users of the macOS operating system. Another dangerous trojan capable of stealing personal data and receiving commands from the C&C server was found spreading via email. Additionally, the number of dangerous websites has plummeted, while the number of unique threats has increased. For more information about these and other events, have a look at our review.

Go to the review

June 3, 2019

In May, Dr.Web’s statistics registered a 1.49% increase in the number of unique threats compared to April; while the number of all detected threats increased by 14.51%. Malware and unwanted programs statistics show the prevalence of adware and installers. E-mail traffic is still dominated by malware that uses the vulnerabilities of Microsoft Office programs, but in May we also registered an increase in the spread of the dangerous trojan, Trojan.Fbng.8 (FormBook).

Threat of the month

In May, Doctor Web’s researchers warned about unique malware for the macOS operating system–Mac.BackDoor.Siggen.20. It allows attackers to download and execute malicious python code on the victim’s device. Additionally, websites that spread the malware also infect their visitors with a Windows spyware trojan, BackDoor.Wirenet.517 (NetWire). The latter is a well-known RAT trojan used by hackers for controlling a victim’s PC remotely. It has several malicious functions, including using the camera and microphone on the victim’s device. The RAT trojan also has a valid digital signature.

More about this threat

According to Doctor Web’s statistics servers

Threats of the month:

Adware.Softobase.12

Installation adware that spreads outdated software and changes the browser’s settings.

Adware.Ubar.13

A torrent client designed to install unwanted programs on a user’s device.

Trojan.InstallCore.3553

Another well-known adware installer. It shows ads and installs additional programs without the user’s permission.

Trojan.Winlock.14244

A ransomware trojan that blocks or limits a user’s access to the Windows operating system and its functionalities. In order to unlock the system, a user must transfer money to the cybercriminals.

Trojan.Starter.7394

A trojan designed to launch other malicious software on a victim’s device.

Statistics for malware discovered in email traffic

Threats of the month:

W97M.DownLoader.2938

A family of downloader trojans that exploit vulnerabilities in Microsoft Office applications. Designed to download other malware onto a compromised computer.

Exploit.ShellCode.69

Another malicious Microsoft Office Word document. This one uses vulnerability called CVE-2017-11882.

Exploit.Rtf.CVE2012-0158

Another malicious Microsoft Office Word document. This one uses a vulnerability called CVE2012-0158.

Exploit.Rtf.435

A malicious Microsoft Office document that uses the CVE-2017-11882 vulnerability to download the Trojan.Fbng.8 (FormBook) trojan on users’ devices.

Trojan.PWS.Stealer.19347

A family of trojans designed to steal passwords and other confidential information stored on an infected computer.

Increased malware activity:

Trojan.Inject3.15480

Trojan also known as Trojan.Fbng.8 (FormBook). The Trojan also known as FormBook. It’s designed to steal private data, but can also receive commands from the developer’s server.

Encryption ransomware

In May, victims of the following encryption ransomware most frequently contacted Doctor Web’s technical support service:

• Trojan.Encoder.18000 — 15.38%
• Trojan.Encoder.858 — 9.89%
• Trojan.Encoder.11464 — 5.49%
• Trojan.Encoder.25574 — 5.49%
• Trojan.Encoder.11539 — 5.27%
• Trojan.Archivelock — 5.05%
• Trojan.Encoder.567 — 1.98%

Dangerous websites

During May 2019, Doctor Web added 223,952 URLs to the Dr. Web database of non-recommended sites.

Malicious and unwanted programs for mobile devices

In May, malware developers again distributed various malicious programs through the Google Play service. Researchers at Doctor Web discovered a trojan, Android.HiddenAds.1396, which showed advertising banners and blocked the interface of other apps and the operating system. Later the same month, the researchers discovered Android.SmsSpy.10206 and Android.SmsSpy.10263 spyware trojans, which were used to steal incoming SMS and send them to the malware developers.

The most noticeable May event related to mobile malware:

• The spread of new malware on Google Play;

Find out more about malicious and unwanted programs for mobile devices in our special overview.

June 3, 2019

Doctor Web presents its May 2019 overview of malware for mobile devices. This month, several new malicious applications were detected on Google Play. Dangerous Android spyware that intercepted text messages and a trojan that constantly displayed banner advertising were among the most noteworthy. Read more about these and other threats in our review.

June 3, 2019

In the past month, Android devices were once again targeted by malicious programs distributed via Google Play. The list contained the Android.HiddenAds adware trojans as well as the Android.SmsSpy spyware that intercepted text messages.

Mobile threat of the month

The malware detected in May included spyware trojans from the Android.SmsSpy family, Android.SmsSpy.10206 and Android.SmsSpy.10263. They were distributed via Google Play under the guise of banking software.

After installation and launch, these malicious programs attempted to assign themselves as the default SMS manager, requesting permission from the user. If permission was granted, Android.SmsSpy.10206 and Android.SmsSpy.10263 began intercepting all incoming text messages and transferring them to the attacker's server.

Specific features of the malware:

• it was intended for Spanish-speaking users;
• it was based on the open source SMSdroid software with an added trojan function.

According to statistics collected by Dr.Web for Android

Android.Backdoor.682.origin

A trojan that executes cybercriminals’ commands and helps them control infected mobile devices.

Android.RemoteCode.4411

Android.RemoteCode.197.origin

Malicious applications designed to download and execute arbitrary code.

Android.HiddenAds.261.origin

Android.HiddenAds.1102

Trojans designed to display intrusive advertisements. They are distributed as popular applications by other malicious programs; which in some cases, covertly install them in the system catalog.

Adware.Zeus.1

Adware.Jiubang.2

Adware.AdPush.33.origin

Adware.Toofan.1.origin

Unwanted program modules that embed themselves into Android applications and display obnoxious ads on mobile devices.

Tool.VirtualApk.1.origin

A riskware platform that allows applications to launch APK files without installing them.

Adware trojan

In early May, Doctor Web analysts discovered the Android.HiddenAds.1396 trojan on Google Play, which was distributed as an audio player.

The malicious program did allow users to listen to music, but then hid its icon after the first launch, preventing users from launching it again. Android.HiddenAds.1396 displayed obnoxious advertising banners that made it difficult to work with the infected mobile device.

New malicious and unwanted applications keep appearing on Google Play. Doctor Web recommends Android device owners to install Dr.Web for Android to protect themselves.

Your Android needs protection.

Use Dr.Web

• The first Russian anti-virus for Android
• Over 140 million downloads—just from Google Play
• Available free of charge for users of Dr.Web home products

Free download

May 14, 2019

Doctor Web’s researchers have found unique malware for the macOS operating system. It allows attackers to download and execute malicious python code on the victim’s device. Additionally, websites that spread the malware also infect their visitors with a Windows spyware trojan.

Our researchers discovered the new threat on April 29. This malware was named Mac.BackDoor.Siggen.20, and turned out to be a backdoor that allows hackers to upload malicious code from a remote server and execute it.

Mac.BackDoor.Siggen.20 gets on victims’ devices via websites controlled by its developers. One of the resources is disguised as a personal website with a nonexistent person’s portfolio. The other is disguised as the WhatsApp messenger official website.

When users open one of those websites, the embedded code detects the visitor’s operating system and depending on that uploads either the backdoor or a trojan. If a visitor uses macOS, their device gets infected with Mac.BackDoor.Siggen.20, and BackDoor.Wirenet.517 is downloaded on Windows devices. The latter is a well-known RAT trojan used by hackers for controlling a victim’s PC remotely. It has several malicious functions, including using the camera and microphone on the victim’s device. Additionally, the RAT trojan has a valid digital signature.

According to our information, the website spreading Mac.BackDoor.Siggen.20 under the cover of the WhatsApp messenger, was visited by about 300 visitors with unique IP addresses. The malicious resource has been active since March 24, 2019 and has not yet been used by hackers for large-scale campaigns. Nevertheless, Doctor Web’s researchers recommend staying cautious and keep the anti-virus updated. At the moment, all Mac.BackDoor.Siggen.20 components have only been detected successfully by Dr.Web anti-virus.

More about this threat

May 13, 2019

Russian anti-virus company Doctor Web has updated Lua-script for help (11.5.0.04250), Dr.Web Control Service (11.5.16.04300), and the Dr.Web Enterprise Agent for Windows setup (11.5.8.04250) module in the Dr.Web Enterprise Security Suite 11.0 agent software. The update resolves known software issues.

Changes made to Lua-script for help:

• The script version has been updated.

Changes made to Dr.Web Control Service:

• An issue preventing the software from updating in mobile mode has been resolved.

Changes made to Dr.Web Enterprise Agent for Windows setup:

• The update addresses an installation issue that could occur if a current user account name contained more than 17 ideograms.

The update will be downloaded and installed automatically.

May 6, 2019

Doctor Web presents its April 2019 virus activity review. A popular website offering free video editing software also distributed a banking trojan and stealer. Newsletter subscription forms from well-known companies were used to spread links to a phishing website. Malware and ransomware spreading activity has declined, while the number of dangerous websites increased. For more information about these and other events, have a look at our review.

May 6, 2019

In April, Dr.Web’s statistics showed a 39.44% decrease in the number of unique threats compared to March; while the number of all detected threats decreased by 14.96%. E-mail traffic is still dominated by malware that uses the vulnerabilities of Microsoft Office programs. The previous month’s malware and unwanted programs trend also continues. The malicious browser extensions, unwanted programs and adware account for the majority of detected threats.

The number of non-recommended websites increased by 28.04%. One such website was used for spreading a banking trojan and stealer, along with the video and sound editing software, which we reported at the beginning of the month. Additionally, Doctor Web’s researchers warned about the phishing newsletter sent from official e-mails of large international companies.

Threat of the month

Doctor Web researchers warned users about a compromised, popular website, which distributes video and sound editing software. Hackers hijacked download links on the website causing visitors to download the dangerous banking trojan, Win32.Bolik.2, and the Trojan.PWS.Stealer (KPOT) stealer, along with the editing software. Trojans of this family are designed to perform web injections, intercept traffic, log keys and steal information from different bank-client systems. Additionally, the attackers later changed the Win32.Bolik.2 trojan to another malware, the Trojan.PWS.Stealer (KPOT Stealer). This trojan steals information from browsers, Microsoft accounts, several messengers and some other programs.

More about this threat

According to Doctor Web’s statistics servers

Threats of the month:

Adware.Softobase.12

Installation adware that spreads outdated software and changes the browser’s settings.

Adware.Ubar.13

A torrent client designed to install unwanted programs on a user’s device.

Trojan.Starter.7394

Trojan designed for launching other malicious software on a victim’s device.

Adware.Downware.19283

The sort of adware that is usually distributed as an installer for pirated software. Upon installation, it changes a browser’s settings and may install other software without asking for the user’s permission.

Statistics for malware discovered in email traffic

Exploit.ShellCode.69

A modified Microsoft Office document. It exploits the CVE-2017-11882 vulnerability in order to run malicious code.

Exploit.Rtf.CVE2012-0158

Another malicious Microsoft Office Word document. This one uses a vulnerability called CVE2012-0158.

JS.DownLoader.1225

A variety of malicious code written in JavaScript and designed to download and install other malware on a computer.

Trojan.Encoder.26375

A malicious program from the encryption ransomware family. This trojan encrypts files and demands a ransom for data decryption.

W97M.DownLoader.2938

A family of downloader Trojans that exploit vulnerabilities in office applications. Designed to download other malware onto a compromised computer.

Encryption ransomware

In April, Doctor Web’s technical support was most frequently contacted by victims of the following encryption ransomware:

• Trojan.Encoder.858 — 17.95%
• Trojan.Encoder.18000 — 14.65%
• Trojan.Encoder.11464 — 7.69%
• Trojan.Archivelock — 5.49%
• Trojan.Encoder.567 — 3.85%
• Trojan.Encoder.11539 — 3.85%
• Trojan.Encoder.25574 — 2.75%

Dangerous websites

During April 2019, Doctor Web added 345,999 URLs to the Dr.Web database of non-recommended websites.

Malicious and unwanted programs for mobile devices

In April, Doctor Web reported the dangerous trojan, Android.InfectionAds.1, which exploited several critical vulnerabilities in OS Android. Using them, it could infect apk files, as well as install and delete programs without a user’s permission.

Also during April, new malware such as trojan downloaders and clickers were discovered in the Google Play catalogue, as well as new credential stealers for Instagram, called Android.PWS.Instagram.4 and Android.PWS.Instagram.5.

Additionally, new banking trojans threatened Android smartphone and tablet users. Among them were new versions of the Android.Banker.180.origin trojans and other malware.

Among the most noticeable April events related to mobile malware were:

• the spread of malicious programs on Google Play;
• the distribution of banking trojans.

April 30, 2019

Doctor Web presents its April 2019 overview of malware for mobile devices. Over the past month, our virus analysts have reported on a dangerous trojan that exploits critical vulnerabilities of Android OS to infect programs, as well as to install and uninstall applications independently from users. Trojans detected on Google Play once again threatened Android mobile device owners. Read more about these and other events in our review.

April 30, 2019

In April Doctor Web reported on the Android.InfectionAds.1 trojan that exploited several critical Android OS vulnerabilities. These vulnerabilities allowed the trojan to infect programs, as well as install and uninstall software independently from users. In addition, virus analysts found new modifications of the banking trojan Android.Banker.180.origin designed to steal money from clients of Japanese credit organizations. Other malicious programs distributed via Google Play were detected. The downloader trojans Android.DownLoader that downloaded banking trojans on mobile devices, clickers from the Android.Click family, the stealers Android.PWS.Instagram that stole Instagram users’ logins and passwords. Aside from that, the Dr.Web virus database was updated with new entries to detect additional malware.

Mobile threat of the month

In early April Doctor Web reported on a dangerous trojan, Android.InfectionAds.1. Hackers embed it into initially benign programs and use popular third-party Android stores for its distribution. This trojan exploits critical vulnerabilities of Android OS to infect APK files (the CVE-2017-13156 vulnerability), as well as to install and uninstall programs (the CVE-2017-13315 vulnerability). Android.InfectionAds.1 also shows annoying banner ads, making it difficult to work with infected devices. See detailed information about the trojan in our virus library.

According to statistics collected by Dr.Web for Android

Android.Backdoor.682.origin

A trojan that executes cybercriminals’ commands and helps them control infected mobile devices.

Android.HiddenAds.1102

Android.HiddenAds.261.origin

Trojans designed to display intrusive advertisements. They are distributed as popular applications by other malicious programs; which in some cases, covertly install them in the system catalog.

Android.RemoteCode.4411

A malicious application designed to download and execute arbitrary code.

Android.DownLoader.812.origin

A Trojan that downloads other malicious applications.

Adware.Zeus.1

Adware.AdPush.33.origin

Adware.Toofan.1.origin

Adware.Jiubang.2

Unwanted program modules that incorporate themselves into Android applications and display obnoxious ads on mobile devices.

Tool.VirtualApk.1.origin

A riskware platform that allows applications to launch APK files without installing them.

Banking trojans for Android

Over the past month, banking trojans threatened users of Android devices. In late April Doctor Web virus analysts detected new modifications of the Android.Banker.180.origin malware. These modifications were distributed under the guise of package tracking apps (for example, an app titled “佐川急便”) targeting Japanese users. Once installed, these trojans delete their own icons and hide themselves from users.

These modifications of Android.Banker.180.origin are controlled via specially created pages in the Russian social network, Vkontakte. On such pages, the encrypted address of one of the trojan command and control servers is specified in the “Activities” field. The malware looks for this field using a regular expression, decrypts the address, and connects to the server.

These trojan modifications are able to intercept and send SMS on hackers’ command, show phishing windows, make calls, and listen to the surrounding environment using the device’s built-in microphone. On top of that, they can control smartphones and tablets; for example, they can turn on Wi-Fi, connect to the Internet via a mobile network, block the screen, and so on.

In addition, new downloaders from the Android.DownLoader family, such as Android.DownLoader.4303, downloaded Android bankers on mobile devices. They were distributed under the guise of financial applications.

Trojans on Google Play

Aside from downloaders, other trojans, such as Android.Click.303.origin and Android.Click.304.origin were detected on Google Play. They were distributed under the guise of benign applications such as games and programs for watching TV channels. Doctor Web virus analysts detected 36 of theses trojans. More than 151,000 people installed them.

This malicious software opens hidden activity with several WebView elements. A website is loaded on one of them to get commands. Hackers use other WebViews to load different JavaScript and specified websites where they simulate user actions. On these websites, they click links and banner ads to drive up hit and click counters. Hackers can also subscribe mobile device owners to paid services by clicking on special buttons if service providers support the Wap-Click technology of fast subscription. To make themselves more difficult to delete, trojans hide their icons from the operating system’s main screen.

In late April, new entries were added to the Dr.Web virus database to detect the trojans Android.PWS.Instagram.4 and Android.PWS.Instagram.5. Hackers guised them as useful programs for Instagram users, for instance, those intended to drive up the number of likes or followers, as well as to increase the account security. Once launched, trojans asked victims to enter their login and password and then sent that data to the hackers’ server.

Other threats

The Android.FakeApp.2.origin trojan was one of the malicious apps that threatened Android smartphone and tablet owners in April. It was hidden in a program that allegedly provided free 25 GB of Internet traffic to Indian users of the Jio service provider.

To distribute itself among a greater number of users, the trojan sent SMS with a link to the download page of its copy to all contacts of the infected device. The main goal of Android.FakeApp.2.origin was showing banner ads.

Users of Android devices are threatened by different trojan applications that are distributed not only via malicious websites, but also via the official Google Play store. To protect smartphones and tablets, we recommend that you install Dr.Web for Android.

Your Android needs protection.

Use Dr.Web

• The first Russian anti-virus for Android
• Over 140 million downloads—just from Google Play
• Available free of charge for users of Dr.Web home products

Free download

April 26, 2019

Russian anti-virus company Doctor Web has updated its Dr.Web Security Space for Android to version 12.3.3 and Dr.Web Anti-virus Light for Android to version 11.2.3. The update delivers a fix for an identified problem.

An issue resulting in the possible abnormal termination of both products has been corrected.

If you downloaded your Dr.Web application from Google Play, the update will be downloaded and installed automatically. If you’ve disabled automatic updating on your device, go to Google Play, select Dr.Web Security Space, Dr.Web Security Space Life or Dr.Web Anti-virus Light on the application list, and click "Update”.

To update via the Doctor Web site, you need to download a new distribution file. If you’ve enabled the “New app version” option in the settings, a notification will be displayed whenever the virus databases are updated. You can start the download directly from this dialogue box.

April 24, 2019

Doctor Web has updated the Dr.Web Net filtering Service (12.0.3.04171) in the products Dr.Web Security Space 12.0 and Dr.Web Anti-virus 12.0. The update ensures the anti-virus is compatible with third-party software.

Changes were made to Dr.Web Net filtering Service in order to make the products compatible with i-FILTER on computers running Windows 8 and later versions.

The update will be performed automatically; however, a system reboot will be required.

April 23, 2019

Russian anti-virus company Doctor Web has updated the drweb-antispam module in Dr.Web Anti-virus for Linux and Dr.Web Anti-virus for Unix mail Servers 11.0 (module version 11.0.7-1904101611) and 11.1 (module version 11.1.2-1904111807). In addition, the drweb-configd module (11.1.2-1904172039) has been updated in Dr.Web 11.0 for Linux. The update resolves known software issues.

Specifically, it eliminates a drweb-antispam issue preventing the anti-spam module from using a freshly downloaded library after an update was downloaded.

Also resolved was a drweb-configd issue preventing anti-spam filtering from taking place when default settings were in use.

The update is performed via the Dr.Web repository.

#update #Dr.Web #UNIX #Linux

April 18, 2019

Russian anti-virus company Doctor Web has updated the Dr.Web Control Service (12.0.8.03281) module and the Dr.Web Updater (12.0.9.04050) module, as well as Lua-script for av-engine (12.0.6.04170) and Lua-script for main (12.0.6.03130), in the products Dr.Web Security Space 12.0, Dr.Web Anti-virus 12.0 and Dr.Web 12.0 for Windows Servers. The Dr.Web Security Space, Anti-virus for Windows setup (12.0.10.03260) module has been updated in Dr.Web Security Space and Dr.Web Anti-virus. The update delivers minor upgrades and fixes of known defects.

Changes made to Dr.Web Control Service:

• The module has been updated to be compatible with the upcoming Windows 10 Redstone 6 release.

Changes made to Dr.Web Updater:

• An updating issue involving the update mirror directories on FAT32 partitions has been resolved.

Changes made to Dr.Web Security Space, Anti-virus for Windows setup:

• The UI elements are now displayed correctly in the setup window.

The update will be downloaded and installed automatically.

April 15, 2019

Russian anti-virus company Doctor Web has updated Dr.Web Security Space for Android on Google Play to version 12.3.2. The update makes the application compliant with recent changes in Google's permission policy and delivers feature upgrades and fixes of known defects.

Enhanced threat detection:

• The ability to detect the EvilParcel vulnerability;
• An improved ability to detect signs of infection in previously installed applications;
• The added ability to detect malicious applications packed with Bangcle, Sechell, and the latest version of Tencent;
• A fix that ensures uninterrupted anti-virus scanning.

Changes affecting the application’s UI and features:

• The Call and SMS Filter and Anti-theft components have been disabled;
• The URL shortening feature is no longer available;

The Call and SMS Filter and Anti-theft components have been disabled to comply with Google Play policy changes. Under the new permission policy, anyone who has an anti-virus installed on their Android device can no longer access features related to SMS data.

The Dr.Web software will be updated automatically under Android 4.4 and later. If automatic updates are disabled on your device, go to Google Play, select Dr.Web Security Space on the application list, and tap "Update."

To update via the Doctor Web site, you need to download a new distribution file. If the “New app version” option has been enabled in the settings, a notification will be displayed whenever the virus databases are updated. You can start the download directly from this dialogue box.

April 12, 2019

Doctor Web virus analysts have investigated the Android.InfectionAds.1 trojan, which exploits several vulnerabilities in the Android OS. It uses them to infect software, as well as install and uninstall applications independently from the user. Another purpose of Android.InfectionAds.1 is to display ads.

The attackers embed the trojan in initially harmless software and then distribute the modified copies via popular third-party Android stores, such as Nine Store and Apkpure. Our experts detected Android.InfectionAds.1 in games and software such as HD Camera, ORG 2018_19\Tabla Piano Guitar Robab Guitar, Euro Farming Simulator 2018, and Touch on Girls. Some of them were installed by at least several thousand mobile device owners. However, the number of infected applications and affected users may be much greater.

When a user launches a program containing a trojan, it extracts auxiliary modules from file resources to decrypt and launch them as well. One of them is designed to display obnoxious ads, while others infect applications and automatically install software.

Android.InfectionAds.1 overlays advertising banners on the system interface and running applications, making it difficult to work with the devices. In addition, if triggered by the command and control server, the trojan can modify the code of popular advertising platforms, such as Admob, Facebook, and Mopub, which are used in many programs and games. It replaces their advertising identifiers with its own identifier so that all profits from displaying advertisements in infected applications are transferred to the attackers.

Android.InfectionAds.1 exploits the critical vulnerability CVE-2017-13315 in Android, which allows the trojan to launch system activities. As a result, it can automatically install and uninstall programs without a user’s knowledge. The trojan is based on the PoC code (Proof of Concept) by Chinese researchers, written to prove the possibility of exploiting this system breach.

CVE-2017-13315 falls under the EvilParcel class of vulnerabilities. This means that a number of system components contain an error that allows for alteration of data during the exchange between applications and the operating system. The final value of the specifically generated fragment of the transmitted data will differ from the initial one. Thus, programs are able to bypass operating system checks, obtain higher privileges, and perform previously unavailable actions. As of now, we know of 7 vulnerabilities of this type, but the number may increase over time.

Using EvilParcel, Android.InfectionAds.1 installs the hidden APK file that contains all components of the trojan. Similarly, Android.InfectionAds.1 is able to install its own updates, downloaded from the command and control server, as well as other software or malware. For example, during our analysis, the trojan downloaded and installed the malware Android.InfectionAds.4, one of its own modifications.

An example of how the trojan installs applications without the user’s permission:

Along with EvilParcel, the trojan also exploits another Android vulnerability known as Janus (CVE-2017-13156). This system breach can be used to infect previously installed applications by embedding the trojan’s copy within them. Android.InfectionAds.1 connects to the command and control server and obtains a list of programs that it needs to infect. If it fails to connect to the remote server, it will infect applications specified in the initial settings. Depending on the modification, the list may contain different items. See below an example from one of the versions of Android.InfectionAds.1 we have investigated:

• com.whatsapp (WhatsApp Messenger);
• com.lenovo.anyshare.gps (SHAREit - Transfer & Share);
• com.mxtech.videoplayer.ad (MX Player);
• com.jio.jioplay.tv (JioTV - Live TV & Catch-Up);
• com.jio.media.jiobeats (JioSaavn Music & Radio – including JioMusic);
• com.jiochat.jiochatapp (JioChat: HD Video Call);
• com.jio.join (Jio4GVoice);
• com.good.gamecollection;
• com.opera.mini.native (Opera Mini - fast web browser);
• in.startv.hotstar (Hotstar);
• com.meitu.beautyplusme (PlusMe Camera - Previously BeautyPlus Me);
• com.domobile.applock (AppLock);
• com.touchtype.swiftkey (SwiftKey Keyboard);
• com.flipkart.android (Flipkart Online Shopping App);
• cn.xender (Share Music & Transfer Files – Xender);
• com.eterno (Dailyhunt (Newshunt) - Latest News, LIVE Cricket);
• com.truecaller (Truecaller: Caller ID, spam blocking & call record);
• com.ludo.king (Ludo King™).

To infect software, the trojan embeds its components in APK files without changing the digital signature. Then it installs the modified versions of the apps instead of the originals. Since the vulnerability helps the digital signature of the infected files remain the same, the programs are installed as their own updates. At the same time, EvilParcel helps perform the installation independently from the user. As a result, the affected software continues its normal operations, but with a functioning copy of Android.InfectionAds.1 within it. Once apps are infected, the trojan gets access to their data. For example, if WhatsApp is infected, the trojan gets access to all users’ messages, if a browser is infected, saved logins and passwords are available to the trojan.

The only way to remove the trojan and restore the security of the infected programs is to remove the applications containing it and reinstall their normal versions from reliable sources, such as Google Play. The updated version of Dr.Web Security Space for Android is able to detect EvilParcel vulnerabilities. This feature is available in Security Auditor. You can download a new distribution package from the Doctor Web official website. Soon it will be available on Google Play as well. All Dr. Web products for Android successfully detect and remove known modifications of Android.InfectionAds.1, so the trojan does not pose any threat to our users.

[Read more about Android.InfectionAds.1]

[More about EvilParcel]

[More about Janus]

#Android, #trojan, #malware

April 11, 2019

Russian anti-virus company Doctor Web has updated the Dr.Web Anti-rootkit API (12.0.5.201904100) module in Dr.Web Security Space 12.0, Dr.Web Anti-virus 12.0 and Dr.Web 12.0 for Windows Servers. The update delivers a fix for an identified problem.

Specifically it resolves a threat neutralisation issue involving directory names containing invalid path characters.

The update will be downloaded and installed automatically.

April 11, 2019

Doctor Web researchers discovered that the official website of a well-known video editing software, VSDC, was compromised. The hackers hijacked download links on the website causing visitors to download a dangerous banking trojan, Win32.Bolik.2, and the Trojan.PWS.Stealer (KPOT stealer) along with the editing software.

VSDC is a popular, free software for editing video and sound. According to SimilarWeb statistics, monthly visits of the VSDC website come close to 1.3 million users. However, the security measures taken by the website’s developers often turn out to be insufficient for such traffic volume, which endangers a large number of people.

Last year unknown hackers gained access to the administrative side of the VSDC website and replaced the download links. Instead of the editing software, users received a JavaScript file, which then downloaded the AZORult Stealer, X-Key Keylogger and the DarkVNC backdoor. The VSDC team stated that they closed the vulnerability, but recently we received information about additional cases of infection through their website.

According to our researchers, the VSDC developer’s computer has been compromised several times since the previous incident. One such hack led to the website being compromised again between 2019-02-21 and 2019-03-23. This time hackers took a different approach to spreading the malware: they embedded a malicious JavaScript code inside the VSDC website. Its task was to determine the visitor’s geolocation and replace download links for users from the UK, USA, Canada and Australia. Native website links were substituted by links to another compromised website:

• https://thedoctorwithin[.]com/video_editor_x64.exe
• https://thedoctorwithin[.]com/video_editor_x32.exe
• https://thedoctorwithin[.]com/video_converter.exe

Users that downloaded software from that website also received a dangerous banking trojan, Win32.Bolik.2. Same as its predecessor, Win32.Bolik.1, this malware has qualities of a multicomponent polymorphic file virus. Trojans of this family are designed to perform web injections, traffic intercepts, key-logging and stealing information from different bank-client systems. At the moment we have information on at least 565 cases of infection with this trojan via videosoftdev.com site. It’s worth mentioning that so far only Dr.Web products successfully detect all the trojan’s components.

Additionally, on 22.03.2019 the attackers changed the Win32.Bolik.2 trojan to another malware, a variation of the Trojan.PWS.Stealer, KPOT Stealer. This trojan steals information from browsers, Microsoft accounts, several messengers and some other programs. In just one day it was downloaded by 83 users.

The VSDC developers were notified about the threat; and at the present moment, download links were restored to the originals. However, Doctor Web experts recommend that all VSDC users check their devices with our antivirus.

Indicators of compromise

#banker #banking_trojan #virus

April 10, 2019

Russian anti-virus company Doctor Web has updated its Dr.Web Security Space for Android to version 12.3.2. The update delivers feature upgrades and fixes of known defects.

Improvements in the new version include:

• Ability to detect the EvilParcel vulnerability;
• An improved ability to detect signs of infection in previously installed applications;
• The added ability to detect malicious applications packed with Bangcle, Sechell, and the latest version of Tencent;
• A fix that ensures uninterrupted anti-virus scanning.

To update via the Doctor Web site, you need to download a new distribution file. If the “New app version” option has been enabled in the settings, a notification will be displayed whenever the virus databases are updated. You can start the download directly from this dialogue box.

April 15, 2019

Russian anti-virus company Doctor Web invites all users who have purchased a Dr.Web Security Space for Android license on Google Play but wish to use all Dr.Web’s features—including the Call and SMS Filter and the Anti-theft—to download a distribution of the full version from Doctor Web's site.

Dr.Web anti-viruses with SMS functionality were removed from Google Play as a follow-up to the recent changes in Google’s permission policy—first Dr.Web Security Space for Android Life became inaccessible, and then Dr.Web Security Space for Android was removed too. To comply with the new requirements, we removed the affected protection components from the applications, and now the programs are once again available for download from Google Play, albeit without the Call and SMS filter and the Anti-theft.

Doctor Web invites all customers wanting to use the full version of Dr.Web Security Space for Android to download the application from Doctor Web's official site. You will still be able to use the serial number you acquired from Google Play.

Download the full version of Dr.Web Security Space for Android

#Android #mobile #subscription #Google #Google_Play