Real-time threat news
July 12, 2019
The malware was dubbed
Its window contains a button to “check” for updates to the OpenGL ES interface. When a user taps the window, the trojan simulates a search for new versions of OpenGL ES, but does not actually perform any checks.
When the victim closes the application window,
The backdoor communicates with several command and control servers to receive commands from the attackers and send the collected data. The cybercriminals can also control the trojan via the Firebase Cloud Messaging service.
- sending information on contacts from the contact list to the server;
- sending information on text messages to the server (the investigated version of the trojan did not have the permissions for this);
- sending the phone call history to the server;
- sending the device location to the server;
- downloading and launching an APK or a DEX file using the DexClassLoader class;
- sending the information on the installed software to the server;
- downloading and launching a specified executable file;
- downloading a file from the server;
- uploading a specified file to the server;
- transmitting information on files in the specified directory or a memory card to the server;
- executing a shell command;
- launching the activity specified in a command;
- downloading and installing an Android application;
- displaying a notification specified in a command;
- requesting permission specified in a command;
- sending the list of permissions granted to the trojan to the server;
- not letting the device go into sleep mode for a specified time period.
The trojan AES encrypts all data transmitted to the server. Each request is protected with a unique generated key based on the current time. The same key encrypts the server response.
- automatically, if the system has root access (using a shell command);
- using a system package manager (system software only);
- displaying a standard system installation dialog where the user needs to confirm the installation.
As you can see, this backdoor is a serious threat. Not only does it act as spyware, but it can also be used for phishing because it can display windows and notifications with any content. It can also download and install any other malicious application, as well as execute arbitrary code. For example, at the command of attackers,
Doctor Web has notified Google about the trojan; it was already removed from Google Play at the time of publication.
#Android, #backdoor, #Google_Play, #spyware
Your Android needs protection.
- The first Russian anti-virus for Android
- Over 140 million downloads—just from Google Play
- Available free of charge for users of Dr.Web home products
June 19, 2019
Yandex has submitted a rare sample of the Node.js trojan for research to Doctor Web’s virus laboratory. This malware was distributed via websites with video game cheats and has several versions and components.
When users attempt to download a cheat, they download a password-protected 7zip archive to their computers. Inside is an executable file which, upon launch, downloads the requested cheats along with the trojan’s other components.
Upon launching on the victim's device, Trojan.MonsterInstall downloads and installs all the components necessary for its work, gathers information about the system it is installed on, and sends it to the developer’s server. After receiving a response, it adds itself to autorun and starts mining the TurtleCoin cryptocurrency.
Developers of this malware own several websites with game cheats, which they use to spread the malware, but they also infect other similar websites with the same trojan. According to SimilarWeb’s statistics, users browse these websites at least 127,400 times per month.
Websites owned by the malware developers:
Moreover, some cheats from the proplaying[.]ru website turned out to be infected as well.
Doctor Web’s experts recommend that users timely update the anti-virus and avoid downloading suspicious software.
We would also like to thank specialists from Yandex for providing the sample and additional information about the trojan’s points of distribution.
June 14, 2019
The Web Push technology allows websites to send notifications even when the webpage is not open in the browser if the user agrees to that. When it comes to harmless websites, this feature can be useful and convenient. For example, social media can notify the users on new messages, and news agencies can spread information about new articles. However, cybercriminals and unscrupulous advertisers can abuse this technology by spreading advertising and fraudulent notifications that come from hacked or malicious websites.
Browsers on PCs and laptops, as well as mobile devices, support these notifications. Typically, the victim arrives at a questionable spamming website by clicking a unique link or an advertising banner.
When launched, the trojan loads a website in Google Chrome. The website is specified in the trojan settings. According to its parameters, it performs several redirects to pages of various affiliated programs. Each of them prompts the user to allow notifications. To be convincing, they inform the victim that it is done for verification purposes (for example, that the user is not a robot), or simply hint at which dialog button to click. Thus, they increase the number of successful subscriptions. See examples of such queries in the images below:
After activating the subscription, websites start sending the user numerous notifications of questionable content. Notifications are displayed in the status bar of the operating system even if the browser is closed and the trojan has already been removed. The contents can be anything, from false notifications about cash bonuses or transfers or new messages on social media to advertisements of horoscopes, casinos, goods and services, even various “news”.
Many of them look like real notifications of actual online services and applications installed on the device. For example, they display the logo of a bank, a dating website, a news agency, or a social network, as well as an eye-catching banner. Owners of Android devices can receive dozens of such spam messages per day.
Although these notifications also indicate the address of the website they come from, an unskilled user may fail to notice it, or not give it much thought. See below the examples of fraudulent notifications:
Having clicked a notification, the user is redirected to a website with questionable content. This may include advertising of casinos, betting shops, various Google Play applications, discounts and coupons, fake online polls and prize drawings, aggregators of partner links, and other online resources that vary depending on the country of residence of the user. See examples of such websites below:
Many of these resources are involved in well-known fraudulent schemes for stealing funds, but attackers can also launch an attack to steal confidential data at any time. For example, by sending an “important” notification via the browser on behalf of a bank or a social network. Potential victims can think the fake notification is real and tap it only to be redirected to a phishing site, where they will be prompted to indicate their name, credentials, email addresses, bank card numbers, and other confidential information.
Doctor Web experts believe that cybercriminals will make more active use of this method to promote questionable services, so mobile users should be careful while visiting websites and not subscribe to notifications if the website is unfamiliar or suspicious. If you are already subscribed to spam notifications, perform the following steps:
- Go to the Google Chrome settings, select “Site Settings” and then “Notifications”;
- On the list of websites with notifications, find the website address, tap it, and select “Clear & reset”.
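The two steps above are the Chrome UI route. For a desktop profile the same information lives in Chrome’s Preferences JSON, so the subscriptions can also be audited from a script. The following is an added example, not Doctor Web’s code: it lists every origin that currently holds notification permission, flags the ones that are not on a user-supplied allowlist, and drops their entries (the same effect as “Clear & reset”). The sample Preferences content is constructed, and the JSON layout (`profile.content_settings.exceptions.notifications`, keys of the form `origin,*`, `setting` 1 = allow, 2 = block) is an assumption matching desktop Chrome rather than something taken from the article.

```python
import json

# Constructed sample in the assumed layout of the "notifications" exceptions
# section of a desktop Chrome Preferences file (not copied from a real profile):
# key = "<origin>,<embedder pattern>", value["setting"] = 1 (allow) or 2 (block).
SAMPLE_PREFERENCES = json.dumps({
    "profile": {"content_settings": {"exceptions": {"notifications": {
        "https://mail.example.com:443,*": {"setting": 1},
        "https://news.example.org:443,*": {"setting": 2},
        "http://win-prize-now.example:80,*": {"setting": 1},
        "https://ads-push-123.example:443,*": {"setting": 1},
    }}}}
})

SETTING_ALLOW = 1


def notification_exceptions(prefs: dict) -> dict:
    """Navigate to the notifications exception map, or an empty dict if absent."""
    return (prefs.get("profile", {})
                 .get("content_settings", {})
                 .get("exceptions", {})
                 .get("notifications", {}))


def allowed_notification_origins(preferences_json: str) -> list:
    """Origins that currently hold notification permission (setting == allow)."""
    granted = []
    for pattern, entry in notification_exceptions(json.loads(preferences_json)).items():
        if entry.get("setting") == SETTING_ALLOW:
            granted.append(pattern.split(",", 1)[0])   # drop the ",*" embedder part
    return sorted(granted)


def unexpected_origins(granted: list, allowlist: set) -> list:
    """Granted origins the user does not recognise: the spam subscriptions to remove."""
    return [origin for origin in granted if origin not in allowlist]


def revoke_notifications(preferences_json: str, origins: list) -> str:
    """Return Preferences JSON with the exception entries for `origins` deleted,
    the same effect as "Clear & reset" in the Chrome site settings UI."""
    prefs = json.loads(preferences_json)
    exceptions = notification_exceptions(prefs)   # live reference into prefs
    for pattern in list(exceptions):
        if pattern.split(",", 1)[0] in origins:
            del exceptions[pattern]
    return json.dumps(prefs)


if __name__ == "__main__":
    known_good = {"https://mail.example.com:443"}
    granted = allowed_notification_origins(SAMPLE_PREFERENCES)
    spam = unexpected_origins(granted, known_good)
    print("granted:   ", granted)
    print("unexpected:", spam)
    cleaned = revoke_notifications(SAMPLE_PREFERENCES, spam)
    print("after revoke:", allowed_notification_origins(cleaned))
```

Chrome rewrites its Preferences file while running, so close the browser before editing the real file. On Android the profile directory is not accessible without root, which is why the UI steps above are the practical route there; the audit script is for the desktop browsers the article also mentions.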
Dr.Web for Android successfully detects and removes all known modifications of
May 14, 2019
Our researchers discovered the new threat on April 29. This malware was named
When users open one of those websites, the embedded code detects the visitor’s operating system and depending on that uploads either the backdoor or a trojan. If a visitor uses macOS, their device gets infected with
According to our information, the website spreading
April 12, 2019
The attackers embed the trojan in initially harmless software and then distribute the modified copies via popular third-party Android stores, such as Nine Store and Apkpure. Our experts detected Android.InfectionAds.1 in games and software such as HD Camera, ORG 2018_19\Tabla Piano Guitar Robab Guitar, Euro Farming Simulator 2018, and Touch on Girls. Some of them were installed by at least several thousand mobile device owners. However, the number of infected applications and affected users may be much greater.
When a user launches a program containing a trojan, it extracts auxiliary modules from file resources to decrypt and launch them as well. One of them is designed to display obnoxious ads, while others infect applications and automatically install software.
Android.InfectionAds.1 overlays advertising banners on the system interface and running applications, making it difficult to work with the devices. In addition, if triggered by the command and control server, the trojan can modify the code of popular advertising platforms, such as Admob, Facebook, and Mopub, which are used in many programs and games. It replaces their advertising identifiers with its own identifier so that all profits from displaying advertisements in infected applications are transferred to the attackers.
Android.InfectionAds.1 exploits the critical vulnerability CVE-2017-13315 in Android, which allows the trojan to launch system activities. As a result, it can automatically install and uninstall programs without a user’s knowledge. The trojan is based on the PoC code (Proof of Concept) by Chinese researchers, written to prove the possibility of exploiting this system breach.
CVE-2017-13315 falls under the EvilParcel class of vulnerabilities. This means that a number of system components contain an error that allows for alteration of data during the exchange between applications and the operating system. The final value of the specifically generated fragment of the transmitted data will differ from the initial one. Thus, programs are able to bypass operating system checks, obtain higher privileges, and perform previously unavailable actions. As of now, we know of 7 vulnerabilities of this type, but the number may increase over time.
Using EvilParcel, Android.InfectionAds.1 installs the hidden APK file that contains all components of the trojan. Similarly, Android.InfectionAds.1 is able to install its own updates, downloaded from the command and control server, as well as other software or malware. For example, during our analysis, the trojan downloaded and installed the malware Android.InfectionAds.4, one of its own modifications.
An example of how the trojan installs applications without the user’s permission:
Along with EvilParcel, the trojan also exploits another Android vulnerability known as Janus (CVE-2017-13156). This system breach can be used to infect previously installed applications by embedding the trojan’s copy within them. Android.InfectionAds.1 connects to the command and control server and obtains a list of programs that it needs to infect. If it fails to connect to the remote server, it will infect applications specified in the initial settings. Depending on the modification, the list may contain different items. See below an example from one of the versions of Android.InfectionAds.1 we have investigated:
- com.whatsapp (WhatsApp Messenger);
- com.lenovo.anyshare.gps (SHAREit - Transfer & Share);
- com.mxtech.videoplayer.ad (MX Player);
- com.jio.jioplay.tv (JioTV - Live TV & Catch-Up);
- com.jio.media.jiobeats (JioSaavn Music & Radio – including JioMusic);
- com.jiochat.jiochatapp (JioChat: HD Video Call);
- com.jio.join (Jio4GVoice);
- com.opera.mini.native (Opera Mini - fast web browser);
- in.startv.hotstar (Hotstar);
- com.meitu.beautyplusme (PlusMe Camera - Previously BeautyPlus Me);
- com.domobile.applock (AppLock);
- com.touchtype.swiftkey (SwiftKey Keyboard);
- com.flipkart.android (Flipkart Online Shopping App);
- cn.xender (Share Music & Transfer Files – Xender);
- com.eterno (Dailyhunt (Newshunt) - Latest News, LIVE Cricket);
- com.truecaller (Truecaller: Caller ID, spam blocking & call record);
- com.ludo.king (Ludo King™).
To infect software, the trojan embeds its components in APK files without changing the digital signature. Then it installs the modified versions of the apps instead of the originals. Since the vulnerability helps the digital signature of the infected files remain the same, the programs are installed as their own updates. At the same time, EvilParcel helps perform the installation independently from the user. As a result, the affected software continues its normal operations, but with a functioning copy of Android.InfectionAds.1 within it. Once apps are infected, the trojan gets access to their data. For example, if WhatsApp is infected, the trojan gets access to all users’ messages, if a browser is infected, saved logins and passwords are available to the trojan.
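The Janus technique works because an APK is a ZIP, and ZIP parsers locate the archive from the end-of-central-directory record at the tail of the file, while the DEX loader reads the header at the start; a file that begins with DEX bytes and ends with a valid ZIP trailer satisfies both, and a v1 (JAR) signature only covers the ZIP entries. That layout is also a cheap triage signal: an ordinary APK begins with the ZIP local file header `PK\x03\x04`. The following added example (not Doctor Web’s code and not a reproduction of the Janus payload) builds a constructed mini-APK, prepends a DEX header to produce a mock of the hybrid framing, and classifies both. The mock is only the framing, not a loadable DEX or a working APK, and the helper that checks for an APK Signing Block is included because v2/v3 signatures cover the whole file, so prepended data breaks them.

```python
import io
import zipfile

ZIP_LOCAL_HEADER = b"PK\x03\x04"     # an ordinary APK starts with a ZIP local file header
DEX_MAGIC = b"dex\n"                 # a DEX file starts with "dex\n" + 3-digit version + NUL
ZIP_EOCD = b"PK\x05\x06"             # end-of-central-directory record, read by ZIP parsers
APK_SIG_BLOCK = b"APK Sig Block 42"  # magic that closes the v2/v3 APK Signing Block


def build_sample_apk() -> bytes:
    """A minimal ZIP shaped like an APK (constructed, unsigned)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("classes.dex", b"dex\n035\x00" + bytes(64))
        z.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
    return buf.getvalue()


def build_hybrid_mock(apk: bytes) -> bytes:
    """Mock of the hybrid layout: DEX bytes in front, the whole original ZIP behind.
    Only the framing is reproduced; this is not a loadable DEX or a working APK."""
    return b"dex\n035\x00" + bytes(120) + apk


def has_zip_trailer(data: bytes) -> bool:
    # EOCD sits in the last 22 bytes plus an optional comment of up to 65535 bytes.
    return data.rfind(ZIP_EOCD, max(0, len(data) - 65557)) != -1


def has_v2_signing_block(data: bytes) -> bool:
    """v2/v3-signed APKs are verified over the whole file, so prepended data breaks them."""
    return APK_SIG_BLOCK in data


def zip_entries(data: bytes) -> list:
    """What a lenient ZIP parser sees: it tolerates leading bytes and reads from the trailer."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return z.namelist()


def classify(data: bytes) -> str:
    """'plain-zip' for a normally framed APK, 'dex-zip-hybrid' for the Janus-style layout."""
    if data.startswith(ZIP_LOCAL_HEADER):
        return "plain-zip"
    if data.startswith(DEX_MAGIC) and has_zip_trailer(data):
        return "dex-zip-hybrid"
    return "not-an-apk"


if __name__ == "__main__":
    clean = build_sample_apk()
    hybrid = build_hybrid_mock(clean)
    print("clean:  ", classify(clean), zip_entries(clean))
    print("hybrid: ", classify(hybrid), zip_entries(hybrid))   # ZIP parser still reads it
    print("v2 block present:", has_v2_signing_block(clean))
```

The ZIP parser reading the hybrid without complaint is the whole point: the signature check that only walks ZIP entries sees an unchanged archive. Anything that begins with `dex\n` but carries a ZIP trailer deserves a closer look, and an APK with no v2/v3 signing block is the kind this trick can be applied to.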
The only way to remove the trojan and restore the security of the infected programs is to remove the applications containing it and reinstall their normal versions from reliable sources, such as Google Play. The updated version of Dr.Web Security Space for Android is able to detect EvilParcel vulnerabilities. This feature is available in Security Auditor. You can download a new distribution package from the Doctor Web official website. Soon it will be available on Google Play as well. All Dr. Web products for Android successfully detect and remove known modifications of Android.InfectionAds.1, so the trojan does not pose any threat to our users.
#Android, #trojan, #malware
April 11, 2019
VSDC is a popular, free software for editing video and sound. According to SimilarWeb statistics, monthly visits of the VSDC website come close to 1.3 million users. However, the security measures taken by the website’s developers often turn out to be insufficient for such traffic volume, which endangers a large number of people.
Users that downloaded software from that website also received a dangerous banking trojan, Win32.Bolik.2. Same as its predecessor,
Additionally, on 22.03.2019 the attackers replaced Win32.Bolik.2 with another piece of malware, KPOT Stealer, a variation of Trojan.PWS.Stealer. This trojan steals information from browsers, Microsoft accounts, several messengers and some other programs. In just one day it was downloaded by 83 users.
The VSDC developers were notified about the threat, and at the time of writing the download links have been restored to the originals. However, Doctor Web experts recommend that all VSDC users check their devices with our anti-virus.
#banker #banking_trojan #virus
April 8, 2019
Recently, several Russian users received phishing emails from well-known international companies such as Audi, Austrian Airlines and S-Bahn Berlin. Those emails were sent from official company addresses and did not raise any suspicions. The header and the body of the email are written in English or German, but the letter begins with the words “money for you” in Russian.
At the beginning of the email, a link leads users to a hacked page of a dating website. Then, due to malicious code embedded into the website’s stub page, users are redirected through several other websites to a phishing one.
Once there, victims see a message saying that their email address won a chance to participate in the international promo called “The lucky e-mail”. If victims agree to participate, they must complete a survey in order to receive the prize money ranging from 10 to 3000 EUR. To increase credibility, the website’s developers added comments from people who allegedly received the prize, including comments from people not satisfied with the size of the reward.
After a few survey questions, the website displays information about the promo, reward size, and withdrawal conditions. One condition is that the winner must pay a commission for exchanging EUR to RUB.
To pay the commission, victims are redirected to a fake payment page where they are supposed to enter their credit card information. Once complete, victims are asked to provide the verification code sent by SMS. When all the steps are completed, the victim’s bank account is debited and their credit card data is left to the hackers. Additionally, no funds are credited to the victim’s bank account.
What’s interesting is how the hackers send the phishing emails. They use official email newsletter signup forms on company websites. Special symbols are allowed in the forms, so it’s possible to send malicious links via official company newsletters. To do this, hackers fill in the “Name” field with words like “Money for you” and the “Last name” with a link to the phishing website. As a result, victims receive an email from the official company address, asking them to confirm the subscription.
Doctor Web researchers recommend using caution when opening links in any emails and not to leave any personal information on suspicious websites.
March 26, 2019
As of now, UC Browser has been downloaded by over 500,000,000 Google Play users. Anyone who has installed this software may be in danger. Doctor Web has detected its hidden ability to download auxiliary components from the Internet. The browser receives commands from the command and control server and downloads new libraries and modules, which add new features and can be used to update the software.
For example, during our analysis, UC Browser downloaded an executable Linux library from a remote server. The library was not malicious; it is designed to work with MS Office documents and PDF files. Initially, this library was not in the browser. After downloading, the program saved the library to its directory and launched it for execution. Thus, the application is actually able to receive and execute code, bypassing the Google Play servers. This violates Google’s rules for software distributed in its app store. The current policy states that applications downloaded from Google Play cannot change their own code or download any software components from third-party sources. These rules were applied to prevent the distribution of modular trojans that download and launch malicious plug-ins. Such trojans include
A potentially dangerous updating feature has been present in the UC Browser since at least 2016. Although the application has not been seen distributing trojans or unwanted software, its ability to load and launch new and unverified modules poses a potential threat. It’s impossible to be sure that cybercriminals will never get ahold of the browser developer’s servers or use the update feature to infect hundreds of millions of Android devices.
The vulnerable feature of UC Browser can be abused in man-in-the-middle (MITM) attacks. To download new plug-ins, the browser sends a request to the command and control server and receives a link to a file in response. Since the program communicates with the server over an unsecured channel (plain HTTP instead of encrypted HTTPS), cybercriminals can intercept the application’s requests and replace the commands with ones containing different addresses. This makes the browser download new modules from a malicious server instead of its own command and control server. Since UC Browser works with unsigned plug-ins, it launches such modules without any verification.
See below an example of such an attack, modeled by our virus analysts. The video shows a potential victim who downloads a PDF document via UC Browser and tries to view it. To open the file, the browser tries to download the corresponding plug-in from the command and control server. However, due to the MITM substitution, the browser downloads and launches a different library. This library then creates a text message that says, “PWNED!”.
Thus, MITM attacks can help cybercriminals use UC Browser to spread malicious plug-ins that perform a wide variety of actions. For example, they can display phishing messages to steal usernames, passwords, bank card details, and other personal data. Additionally, trojan modules will be able to access protected browser files and steal passwords stored in the program directory.
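Two missing controls make the scenario above possible: the download link travels over plain HTTP, and the module is loaded with no integrity check. The following added example, written for this page rather than taken from UC Browser or Doctor Web, puts the weak pattern next to a hardened one over a constructed in-memory “network”, so it runs offline. The hostnames, the plug-in bytes and the pinned SHA-256 are all placeholders; pinning a digest is a deliberate simplification of a signed release manifest, which is what a real updater should verify.

```python
import hashlib
import hmac
from urllib.parse import urlparse

GENUINE_PLUGIN = b"genuine PDF plug-in library (constructed stand-in)"
SUBSTITUTED_PLUGIN = b"some other library (constructed stand-in)"

# Constructed in-memory "network": URL -> response body, standing in for HTTP
# fetches so the example runs offline. Hostnames are placeholders.
FAKE_NETWORK = {
    "http://update.example/plugins/pdf.so": GENUINE_PLUGIN,
    "https://update.example/plugins/pdf.so": GENUINE_PLUGIN,
    "http://mitm.example/plugins/pdf.so": SUBSTITUTED_PLUGIN,
    "https://mitm.example/plugins/pdf.so": SUBSTITUTED_PLUGIN,
}


def fake_fetch(url: str) -> bytes:
    return FAKE_NETWORK[url]


# Digest the application ships with for the plug-in it expects (computed here from
# the constructed genuine bytes; in practice it comes from a signed release manifest).
PINNED_SHA256 = hashlib.sha256(GENUINE_PLUGIN).hexdigest()


def rewrite_in_transit(plugin_url: str) -> str:
    """Models the substitution the article describes: the plain-HTTP reply carrying
    the download link is altered on the way so that it points at a different host."""
    return plugin_url.replace("update.example", "mitm.example")


def weak_download(plugin_url: str, fetch=fake_fetch) -> bytes:
    """The pattern described above: load whatever the link delivers, with no transport
    or integrity check."""
    return fetch(plugin_url)


class PluginRejected(Exception):
    pass


def hardened_download(plugin_url: str, expected_sha256: str, fetch=fake_fetch) -> bytes:
    """Refuse non-TLS links and any body whose SHA-256 differs from the pinned digest."""
    if urlparse(plugin_url).scheme != "https":
        raise PluginRejected(f"non-TLS plug-in URL refused: {plugin_url}")
    body = fetch(plugin_url)
    actual = hashlib.sha256(body).hexdigest()
    if not hmac.compare_digest(actual, expected_sha256):
        raise PluginRejected("plug-in digest mismatch; not loading it")
    return body


def outcome(plugin_url: str, hardened: bool) -> str:
    """'loaded-genuine', 'loaded-substituted' or 'rejected' for a link and a client type."""
    try:
        body = (hardened_download(plugin_url, PINNED_SHA256) if hardened
                else weak_download(plugin_url))
    except PluginRejected:
        return "rejected"
    return "loaded-genuine" if body == GENUINE_PLUGIN else "loaded-substituted"


if __name__ == "__main__":
    link = "http://update.example/plugins/pdf.so"
    print("weak client, link rewritten in transit:  ", outcome(rewrite_in_transit(link), False))
    print("hardened client, same rewritten link:    ", outcome(rewrite_in_transit(link), True))
    print("hardened client, genuine TLS link:       ", outcome("https://update.example/plugins/pdf.so", True))
    print("hardened client, TLS link to wrong body: ", outcome("https://mitm.example/plugins/pdf.so", True))
```

The two checks address different failures. TLS alone defeats the on-path rewrite, because the substituted host cannot present a valid certificate for the expected name (the mock cannot model that, so the digest check catches the case instead). The integrity check matters for the concern raised earlier in the article: if the update server itself is ever compromised, a module that does not match what the release was signed for is still refused.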
Read more about this vulnerability here.
The browser’s “younger brother”, the UC Browser Mini application, can also download untested components, bypassing Google Play servers. It has been equipped with this feature since at least December 2017. So far, over 100,000,000 Google Play users have downloaded the program, putting them all at risk. However, the above MITM attack will not work with UC Browser Mini, unlike UC Browser.
Upon detecting a dangerous feature in UC Browser and UC Browser Mini, Doctor Web specialists contacted the developer of both browsers, but they refused to comment on the matter. So our malware analysts then reported the case to Google, but as of the publication date of this article, both browsers are still available and can download new components, bypassing Google Play servers. Owners of Android devices should independently decide whether to continue using these programs or remove them and wait until they are updated to fix potential vulnerabilities.
Meanwhile, Doctor Web continues monitoring the situation.
March 21, 2019
Flexnet is based on the GM Bot Trojan, researched by Doctor Web malware analysts back in February 2015. The malicious app’s source code was published in 2016. Soon, the first versions of Flexnet were created thanks to everything achieved by GM Bot’s authors. Attacks against Android mobile devices using this Trojan continue happening to this day.
The cybercriminals distribute Flexnet Trojans via spam texting. In the messages, the potential victims are encouraged to follow the link and download some program or game. The Trojan disguises itself as applications such as Drug Vokrug (a dating and chatting app), GTA V, tools for Instagram and VKontakte account promotion, as well as other software.
Fig. 1. Example of software icons used by the Trojan.
When launched, the Trojan requests admin privileges, displaying a standard dialog box. If the victim grants the permissions, the Trojan falsely reports an error and removes its icon from the home screen to hide from the user so as not to be removed.
Fig. 2-3. An attempt to request admin privileges and a false error message.
Compared with modern Android bankers, Flexnet’s capabilities are quite limited. The Trojan is capable of hooking and sending text messages, as well as performing USSD requests. However, these functions are enough to steal money using various fraudulent means.
One of them is topping up the in-game accounts of popular computer games via SMS. First, the Trojan checks a user's bank card balance by sending an SMS request to the mobile banking service system. Then it hooks the response message with the account balance and transmits this information to cybercriminals. Next, the attackers request to top up the gaming account, indicating the victim’s phone number and the amount to transfer. The user then receives a text message with a verification code. The Trojan intercepts this message, transfers its contents to the cybercriminals, and finally they give the Trojan a command to send the verification code to confirm the transaction.
See below the example of money theft using this method:
Fig. 4. Top-up of Wargaming accounts. The Trojan hooks the messages from a bank’s billing system and, at the command of cybercriminals, sends a reply with a payment confirmation code to transfer RUB 2,475.
Other fraudulent schemes are implemented in a similar way. For example, the cybercriminals can pay for hosting using money from their victims’ mobile credit. To do this, the Trojan sends text messages with the necessary parameters to certain phone numbers. See below the example of such payment.
Fig. 5. Trojan texting the transfer amount (RUB 299 and RUB 1,000) and account names on the jino.ru hosting service to top up the balance of cybercriminals.
The attackers can steal money even if the victim does not have enough on the balance. They use the credit options provided by mobile carriers. As in other cases, the cybercriminals instruct the Trojan to send a text with the necessary parameters. Owners of the infected devices are oblivious to the money loss because the banker hides all suspicious messages.
Fig. 6. The fraudsters attempt to pay for the My.com service, but the amount on the victim’s mobile credit is not enough to do it. They command the Trojan to use the credit option and successfully perform the transfer. Thus, the device owner is left with a phone debt.
Additionally, the Trojan can transfer money from victims’ bank cards to cybercriminals’ accounts. However, financial institutions use specific algorithms to track suspicious transactions, so the probability of them being blocked is very high, while the above schemes allow the fraudsters to steal relatively small amounts for a long time and go unnoticed.
Another feature of Flexnet involves stealing confidential data. The cybercriminals can get ahold of accounts on social media, online stores, the websites of mobile carriers, and other online services. Knowing the victim’s mobile phone number, the cybercriminals try to log into their account. The service sends a text with a one-time verification code, which the Trojan hooks and sends to the attackers.
Fig. 7. Texts with one-time access codes of various services, hooked by the Trojan.
If the number used on the infected device is not registered with the target services, the cybercriminals can use it to register a new account. In the future, those compromised and newly created accounts can enter the black market and then be used to send spam and arrange phishing attacks.
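Both the Flexnet banker described here and the backdoor in the July 12 item above are defined by what they can touch: send and receive text messages, place USSD requests, hold device administrator rights, and read contacts, call logs and location. All of that is declared in the APK manifest before the app ever runs, which makes a manifest triage a quick first filter. The following added example is not Doctor Web’s code; it parses a constructed manifest (placeholder package name and label, styled on the fake game apps Flexnet hides behind) and reports the risky combination. The permission and action names are real Android identifiers; the grouping into findings is this example’s own rule set.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = f"{{{ANDROID_NS}}}name"
A_PERMISSION = f"{{{ANDROID_NS}}}permission"
A_PRIORITY = f"{{{ANDROID_NS}}}priority"

# Real Android permission names; the groupings are this example's own triage rules.
SMS_CONTROL = {"android.permission.RECEIVE_SMS", "android.permission.SEND_SMS"}
SPYWARE_DATA = {"android.permission.READ_CONTACTS", "android.permission.READ_CALL_LOG",
                "android.permission.ACCESS_FINE_LOCATION", "android.permission.READ_SMS"}
DEVICE_ADMIN = "android.permission.BIND_DEVICE_ADMIN"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"

# Constructed manifest for a fake game in the style of the Flexnet droppers
# (package name and label are placeholders).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakegame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <application android:label="GTA V">
    <receiver android:name=".AdminReceiver" android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""


def declared_permissions(root) -> set:
    return {e.get(A_NAME) for e in root.iter("uses-permission")}


def has_device_admin_receiver(root) -> bool:
    """A receiver guarded by BIND_DEVICE_ADMIN is what backs the admin-rights prompt."""
    return any(r.get(A_PERMISSION) == DEVICE_ADMIN for r in root.iter("receiver"))


def sms_receiver_priority(root) -> int:
    """Highest intent-filter priority registered for SMS_RECEIVED, or -1 if none."""
    best = -1
    for filt in root.iter("intent-filter"):
        actions = {a.get(A_NAME) for a in filt.iter("action")}
        if SMS_RECEIVED in actions:
            best = max(best, int(filt.get(A_PRIORITY, "0")))
    return best


def triage(manifest_xml: str) -> dict:
    """Package name plus a list of findings describing the risky combination."""
    root = ET.fromstring(manifest_xml)
    perms = declared_permissions(root)
    findings = []
    if SMS_CONTROL <= perms:
        findings.append("send-and-receive-sms")        # can read codes and reply with them
    if "android.permission.CALL_PHONE" in perms:
        findings.append("call-phone")                  # USSD requests are dialled through this
    if has_device_admin_receiver(root):
        findings.append("device-admin-receiver")       # the admin prompt shown at first launch
    if sms_receiver_priority(root) > 0:
        findings.append("high-priority-sms-receiver")  # classic way to get at a text first
    if len(SPYWARE_DATA & perms) >= 2:
        findings.append("broad-personal-data-access")  # contacts / call log / location / SMS
    return {"package": root.get("package"), "findings": findings}


if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST))
```

One caveat that ties back to the backdoor item: a runtime permission can only be requested if the manifest declares it, so a command such as “request the permission named in this command” is bounded by the manifest, which is why the investigated backdoor build lacked SMS access. The manifest is an upper bound on capability, not proof of behaviour, so a hit here is a reason to look at the code, not a verdict.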
With the assistance of the REG.ru registrar, several Flexnet command and control servers were blocked, and the cybercriminals no longer control some of the infected devices.
Doctor Web reminds owners of Android smartphones and tablets that software and games should only be installed from reliable sources such as Google Play. You are strongly advised to pay attention to the reviews of other users and use software from trusted developers.
Dr. Web for Android detects all known modifications of the Flexnet Trojan as parts of the
#Android, #banking_Trojan, #two_factor_authentication
March 11, 2019
The game Counter-Strike 1.6 was released by Valve Corporation back in 2000. Despite its rather considerable age, it still has a large fan base. The number of players using official CS 1.6 clients reaches an average of 20,000 people online, while the overall number of game servers registered on Steam exceeds 5,000. Selling, renting, and promoting game servers is now deemed an actual business, and these services can be purchased on various websites. For example, raising a server’s rank for a week costs about 200 rubles, which is not much, but a large number of buyers make this strategy a rather successful business model.
Many owners of popular game servers also raise money from players by selling various privileges such as protection against bans, access to weapons, etc. Some server owners advertise themselves independently, while others purchase server promotion services from contractors. Having paid for a service, customers often remain oblivious as to how exactly their servers are advertised. As it turned out, the developer nicknamed, “Belonard”, resorted to illegal means of promotion. His server infected the devices of players with a Trojan and used their accounts to promote other game servers.
The owner of the malicious server uses the vulnerabilities of the game client and a newly written Trojan as a technical foundation for their business. The Trojan is to infect players’ devices and download malware to secure the Trojan in the system and distribute it to devices of other players. For that, they exploit Remote Code Execution (RCE) vulnerabilities, two of which have been found in the official game client and four in the pirated one.
Once set up in the system, Trojan.Belonard replaces the list of available game servers in the game client and creates proxies on the infected computer to spread the Trojan. As a rule, proxy servers show a lower ping, so other players will see them at the top of the list. By selecting one of them, a player gets redirected to a malicious server where their computer becomes infected with Trojan.Belonard.
Using this pattern, the developer of the Trojan managed to create a botnet that makes up a considerable part of the CS 1.6 game servers. According to our analysts, out of some 5,000 servers available from the official Steam client, 1,951 were created by the Belonard Trojan. This is 39% of all game servers. A network of this scale allowed the Trojan’s developer to promote other servers for money, adding them to lists of available servers in infected game clients.
We previously reported a similar incident with CS 1.6, where a Trojan could infect a player’s device via a malicious server. However, a user then had to approve the download of malicious files, while this time the Trojan attacks devices unnoticed by the users. Doctor Web has informed Valve about these and other vulnerabilities of the game, but as of now there is no data on when the vulnerabilities will be fixed.
Infection of a client
Trojan.Belonard consists of 11 components and operates under different scenarios, depending on the game client. If the official client is used, the Trojan infects the device using an RCE vulnerability, exploited by the malicious server, and then establishes in the system. A clean pirated client is infected the same way. If a user downloads an infected client from the website of the owner of the malicious server, the Trojan’s persistence in the system is ensured after the first launch of the game.
Let us touch upon the process of infecting a client in more detail. A player launches the official Steam client and selects a game server. Upon connecting to a malicious server, it exploits an RCE vulnerability, uploading one of the malicious libraries to a victim’s device. Depending on the type of vulnerability, one of two libraries will be downloaded and executed: client.dll (Trojan.Belonard.1) or Mssv24.asi (Trojan.Belonard.5).
Once on the victim’s device, Trojan.Belonard.1 deletes any .dat files that are in the same directory with the library process file. After that, the malicious library connects to the command and control server, fuztxhus.valve-ms[.]ru:28445, and sends it an encrypted request to download the file Mp3enc.asi (Trojan.Belonard.2). The server then sends the encrypted file in response.
This is a screenshot of a decrypted data packet from the server:
Installation into the client
Infection of the official or pirated client is performed using the specific feature of the Counter-Strike client. When launched, the game automatically downloads any ASI files from the game root.
The client downloaded from the website of the Trojan’s developer is already infected with Trojan.Belonard.10 (the file name is Mssv36.asi), but the trojan installs in the system differently than in clean versions of game clients. After installation of an infected client, Trojan.Belonard.10 checks for one of its components in the user's OS. If there is none, it drops the component from its body and downloads Trojan.Belonard.5 (the file name is Mssv24.asi) into its process memory. Like many other modules, Trojan.Belonard.10 changes the date and time of creation, modification, or access to the file, so that the Trojan’s files cannot be found by sorting the contents of the folder by creation date.
After installing a new component, Trojan.Belonard.10 remains in the system and acts as a protector of the client. It filters requests, files, and commands received from other game servers and transfers data about attempted changes to the client to the Trojan developer’s server.
Trojan.Belonard.5 receives information about the running process and the paths to the module in DllMain. If the process name is not rundll32.exe, it starts a separate thread for the subsequent actions. In that thread, Trojan.Belonard.5 creates the key [HKCU\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Layers] '<path to the executable file process>', assigns it the value “RUNASADMIN”, and checks the module name. If it is not “Mssv24.asi”, it copies itself to the “Mssv24.asi” module, deletes the version with the different name, and launches Trojan.Belonard.3 (the file name is Mssv16.asi). If the name matches, it immediately downloads and launches the Trojan.
Embedding in a clean client is performed by Trojan.Belonard.2. Once downloaded, it checks in DllMain the name of the process in which client.dll (Trojan.Belonard.1) is loaded. If it is not rundll32.exe, it creates a thread that writes the key [HKCU\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Layers] '<path to the executable file process>' and assigns it the value “RUNASADMIN”. After that, it collects data about the user’s device and extracts information from the DialogGamePage.res file, then sends the collected data to the Trojan developer’s server in encrypted form.
Collected system data structure:
In response, the server sends the file Mssv16.asi (Trojan.Belonard.3). Meta-information about the new module is saved in the file DialogGamePage.res, while Trojan.Belonard.5 is removed from the user’s device.
Installation in the system
The process of ensuring persistence in the system starts with Trojan.Belonard.3. Once on the device, it removes Trojan.Belonard.5 and checks the process in whose context it runs. If it is not rundll32.exe, it saves two other Trojans to %WINDIR%\System32\: Trojan.Belonard.7 (the file name is WinDHCP.dll) and Trojan.Belonard.6 (davapi.dll). Unlike Trojan.Belonard.5, the sixth and seventh components are stored inside the Trojan in pieces: the bodies of these two Trojans are divided into blocks of 0xFFFC bytes (the last block may be smaller). When saving them to disk, the Trojan reassembles the blocks to obtain working files.
Having assembled the Trojans, Trojan.Belonard.3 creates a WinDHCP service to run WinDHCP.dll (Trojan.Belonard.7) in the context of svchost.exe. Depending on language settings, the OS uses texts in Russian or English to set service parameters.
WinDHCP service parameters:
- Service name: “Windows DHCP Service” or “Служба Windows DHCP”;
- Description: “Windows Dynamic Host Configuration Protocol Service” or “Служба протокола динамической настройки узла Windows”;
- The ImagePath parameter is specified as “%SystemRoot%\System32\svchost.exe -k netsvcs”, while ServiceDll specifies the path to the Trojan library.
After that, Trojan.Belonard.3 regularly checks if the WinDHCP service is running. If it is not running, it reinstalls the service.
Trojan.Belonard.7 is WinDHCP.dll with an exported ServiceMain function; it is registered on the infected device as an auto-start service. Its purpose is to check the “Tag” parameter in the registry key “HKLM\\SYSTEM\\CurrentControlSet\\Services\\WinDHCP”. If it is set to 0, Trojan.Belonard.7 loads the davapi.dll library (Trojan.Belonard.6) and calls its exported function, passing as an argument a pointer to a SERVICE_STATUS that reflects the status of the WinDHCP service. Then it waits for 1 second and checks the “Tag” parameter once more. If the value is not 0, Trojan.Belonard.7 loads the spwinres.dll library (Trojan.Belonard.4), which is an older version of Trojan.Belonard.6, and calls spwinres.dll’s exported function, again passing a pointer to the SERVICE_STATUS of the WinDHCP service.
The Trojan repeats these actions every second.
WinDHCP service parameters from our customer’s report:
<RegistryKey Name="WinDHCP" Subkeys="1" Values="11">
<RegistryKey Name="Parameters" Subkeys="0" Values="1">
<RegistryValue Name="ServiceDll" Type="REG_EXPAND_SZ" SizeInBytes="68" Value="%SystemRoot%\system32\WinDHCP.dll" />
<RegistryValue Name="Type" Type="REG_DWORD" Value="32" />
<RegistryValue Name="Start" Type="REG_DWORD" Value="2" />
<RegistryValue Name="ErrorControl" Type="REG_DWORD" Value="0" />
<RegistryValue Name="ImagePath" Type="REG_EXPAND_SZ" SizeInBytes="90" Value="%SystemRoot%\System32\svchost.exe -k netsvcs" />
<RegistryValue Name="DisplayName" Type="REG_SZ" Value="Служба Windows DHCP" />
<RegistryValue Name="ObjectName" Type="REG_SZ" Value="LocalSystem" />
<RegistryValue Name="Description" Type="REG_SZ" Value="Служба протокола динамической настройки узла Windows" />
<RegistryValue Name="Tag" Type="REG_DWORD" Value="0" />
<RegistryValue Name="Data" Type="REG_BINARY" SizeInBytes="32" Value="f0dd5c3aeda155767042fa9f58ade24681af5fbd45d5df9f55a759bd65bc0b7e" />
<RegistryValue Name="Scheme" Type="REG_BINARY" SizeInBytes="16" Value="dcef62f71f8564291226d1628278239e" />
<RegistryValue Name="Info" Type="REG_BINARY" SizeInBytes="32" Value="55926164986c6020c60ad81b887c616db85f191fda743d470f392bb45975dfeb" />
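The service registration above gives a defender two things to look for in a registry export: a shared-process (svchost.exe -k netsvcs) service whose ServiceDll is not a known Windows component, and a service key carrying the "Tag", "Data", "Scheme" and "Info" values that the report attributes to Belonard. The following is an added example, not Doctor Web's code: it parses a report in the same shape as the fragment above (with closing tags added so it is well-formed XML, and a constructed benign service alongside the WinDHCP key from the report) and returns one finding per suspicious service. The allowlist of netsvcs DLLs is an illustrative placeholder that a real deployment would build from a known-good baseline.

```python
"""Flag svchost-hosted services that look like the WinDHCP persistence
described in the Belonard report.

Added example, not the report's own tooling. SAMPLE_REPORT is constructed:
the WinDHCP key is the one shown in the report, the "Dhcp" key is a benign
stand-in, and closing tags were added to make the fragment well-formed.
"""
import xml.etree.ElementTree as ET
from typing import List, Set

# Value names the report says Belonard keeps in its service key.
BELONARD_VALUE_NAMES: Set[str] = {"Tag", "Data", "Scheme", "Info"}

# Placeholder allowlist (a few real netsvcs members; NOT complete). Build a
# real one from a clean reference image of the same Windows build.
KNOWN_NETSVCS_DLLS: Set[str] = {"schedsvc.dll", "wuaueng.dll"}

SAMPLE_REPORT = r"""<Services>
<RegistryKey Name="Dhcp" Subkeys="1" Values="4">
<RegistryKey Name="Parameters" Subkeys="0" Values="1">
<RegistryValue Name="ServiceDll" Type="REG_EXPAND_SZ" Value="%SystemRoot%\system32\dhcpcore.dll" />
</RegistryKey>
<RegistryValue Name="Type" Type="REG_DWORD" Value="32" />
<RegistryValue Name="Start" Type="REG_DWORD" Value="2" />
<RegistryValue Name="ImagePath" Type="REG_EXPAND_SZ" Value="%SystemRoot%\system32\svchost.exe -k LocalServiceNetworkRestricted" />
<RegistryValue Name="DisplayName" Type="REG_SZ" Value="DHCP Client" />
</RegistryKey>
<RegistryKey Name="WinDHCP" Subkeys="1" Values="11">
<RegistryKey Name="Parameters" Subkeys="0" Values="1">
<RegistryValue Name="ServiceDll" Type="REG_EXPAND_SZ" SizeInBytes="68" Value="%SystemRoot%\system32\WinDHCP.dll" />
</RegistryKey>
<RegistryValue Name="Type" Type="REG_DWORD" Value="32" />
<RegistryValue Name="Start" Type="REG_DWORD" Value="2" />
<RegistryValue Name="ErrorControl" Type="REG_DWORD" Value="0" />
<RegistryValue Name="ImagePath" Type="REG_EXPAND_SZ" SizeInBytes="90" Value="%SystemRoot%\System32\svchost.exe -k netsvcs" />
<RegistryValue Name="DisplayName" Type="REG_SZ" Value="Служба Windows DHCP" />
<RegistryValue Name="ObjectName" Type="REG_SZ" Value="LocalSystem" />
<RegistryValue Name="Tag" Type="REG_DWORD" Value="0" />
<RegistryValue Name="Data" Type="REG_BINARY" SizeInBytes="32" Value="f0dd5c3aeda155767042fa9f58ade24681af5fbd45d5df9f55a759bd65bc0b7e" />
<RegistryValue Name="Scheme" Type="REG_BINARY" SizeInBytes="16" Value="dcef62f71f8564291226d1628278239e" />
<RegistryValue Name="Info" Type="REG_BINARY" SizeInBytes="32" Value="55926164986c6020c60ad81b887c616db85f191fda743d470f392bb45975dfeb" />
</RegistryKey>
</Services>"""


def _values(node) -> dict:
    """Map RegistryValue Name -> Value for the direct children of a key."""
    return {v.get("Name"): v.get("Value", "") for v in node.findall("RegistryValue")}


def service_findings(report_xml: str, known_dlls: Set[str] = KNOWN_NETSVCS_DLLS) -> List[str]:
    """Return one human-readable finding per suspicious svchost-hosted service."""
    findings: List[str] = []
    for svc in ET.fromstring(report_xml).findall("RegistryKey"):
        name = svc.get("Name", "?")
        vals = _values(svc)
        image = vals.get("ImagePath", "").lower()
        if "svchost.exe" not in image:
            continue  # only shared-process services are of interest here
        params = svc.find("RegistryKey[@Name='Parameters']")
        dll = _values(params).get("ServiceDll", "") if params is not None else ""
        reasons: List[str] = []
        # Heuristic 1: a netsvcs member whose DLL is not on the baseline.
        if "-k netsvcs" in image and dll.rsplit("\\", 1)[-1].lower() not in known_dlls:
            reasons.append(f"netsvcs ServiceDll not on the allowlist: {dll}")
        # Heuristic 2: the Belonard-specific configuration values.
        odd = BELONARD_VALUE_NAMES & set(vals)
        if odd:
            reasons.append("carries Belonard-style values: " + ", ".join(sorted(odd)))
        if reasons:
            findings.append(f"{name}: " + "; ".join(reasons))
    return findings


if __name__ == "__main__":
    for line in service_findings(SAMPLE_REPORT):
        print(line)
```

The second heuristic is specific to this family; the first one (an unfamiliar DLL hosted under netsvcs) is the general check worth keeping, since it catches any service-DLL persistence regardless of the value names it uses.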
Before the startup of all functions, Trojan.Belonard.6 checks the “Tag” and “Data” parameters in the WinDHCP service registry. The “Data” parameter must contain an array of bytes used to generate the AES key. If there is none, the Trojan uses the openssl library to generate 32 random bytes, which will later be used to generate the encryption key. After that, the Trojan reads the “Info” and “Scheme” parameters of the WinDHCP service. In “Scheme”, the Trojan stores 4 parameters, encrypted with AES. “Info” stores the SHA256 hash of the list of installed programs.
Having collected this data, Trojan.Belonard.6 decrypts the address of the C&C server — oihcyenw.valve-ms[.]ru — and tries to establish a connection. If it fails, the Trojan uses DGA to generate domains in the .ru zone. However, an error in the domain generation code prevents the algorithm from creating the domains intended for the Trojan developer.
After sending the encrypted information, the Trojan receives a response from the server, decrypts it and saves the transferred files to %WINDIR%\System32\. This data contains the Trojans wmcodecs.dll (Trojan.Belonard.8) and ssdp32.dll (Trojan.Belonard.9).
Apart from the above functions, Trojan.Belonard.6 also triggers the following actions at random intervals:
- Search for running Counter-Strike clients;
- Launch of Trojan.Belonard.9;
- Connecting to the developer’s server.
The intervals can be changed by a command from the C&C server.
Payload and distribution
Belonard also installs itself in any new game clients found on the device. This is performed by Trojan.Belonard.8 and Trojan.Belonard.6.
Trojan.Belonard.8 initializes a container with data about Counter-Strike 1.6 client file names and their SHA256 hashes. Trojan.Belonard.6 starts to search for installed game clients. If the Trojan finds a running client, it checks the list of files and their SHA256 hashes against the data received from Trojan.Belonard.8. If it does not match, Trojan.Belonard.8 ends the clean client process, and then drops the file hl.exe to the game directory. This file is only needed to display the following error message upon loading the game “Could not load game. Please try again at a later time.” This allows the Trojan to gain time for replacing the files of the client. When it is done, the Trojan replaces hl.exe with a working file and the game starts without an error.
The Trojan deletes the following client files:
Depending on the OS language settings, the Trojan downloads English or Russian game menu files.
Modifications to the game client contain files of Trojan.Belonard.10, as well as an advertisement of the Trojan developer’s websites. When a player starts the game, their nickname will change to the address of the website where an infected game client can be downloaded, while the game menu will show a link to the VKontakte CS 1.6 community with more than 11,500 subscribers.
The Trojan’s payload is to emulate a number of fake game servers on the user’s device. To do this, the Trojan transfers information about the game client to the developer’s server and receives encrypted parameters for creating fake servers in response.
Trojan.Belonard.9 creates proxy game servers and registers them with the Steam API. Game server ports are defined sequentially from the lowest value of game_srv_low_port specified by the server. The server also sets the value for fakesrvbatch, which determines the number of protocol emulator threads. The emulator supports basic requests to a Goldsource engine game server: A2S_INFO, A2S_PLAYER, A2A_PING, receiving the “challenge steam/non-steam client” request, as well as the “connect” command of the Counter-Strike client. After responding to the “connect” command, the Trojan tracks the first and the second packet from the client.
After exchanging packets, the Trojan sends the last packet, svc_director, with a DRC_CMD_STUFFTEXT type of message, which enables the execution of arbitrary commands of the Counter-Strike client. This issue has been known to Valve since 2014 and has not been fixed yet. Thus, attempting to connect to the game proxy server, the player will be redirected to the malicious server. After that, the Trojan developer will be able to exploit the vulnerabilities of the user's game client to install Trojan.Belonard.
It is worth mentioning that Trojan.Belonard.9 contains a bug, which allows us to detect fake game servers, created by the Trojan. Moreover, some of those servers can be identified by the name: in the “Game” column, the fake server will have a string “Counter-Strike n”, where n can be a number from 1 to 3.
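The naming pattern above is something a server-list scanner can check for. The following is an added example, not Doctor Web's code: it parses the leading fields of a GoldSource A2S_INFO reply (the legacy reply with the 'm' header, laid out as in Valve's public Server Queries documentation: four 0xFF bytes, 'm', five NUL-terminated strings for address, name, map, folder and game description, then players, max players and protocol) and flags replies whose game description matches "Counter-Strike n" with n from 1 to 3. The reply bytes are constructed here for offline testing, and the mapping of the "Game" column in the server browser to the game-description field is an assumption.

```python
"""Heuristic check for Belonard proxy servers by their reported game name.

Added example, not from the Belonard report. The packet layout follows the
public GoldSource A2S_INFO documentation; only the leading fields are parsed.
"""
import re
import struct
from typing import Dict

GOLDSRC_INFO_HEADER = b"\xff\xff\xff\xffm"

# From the report: fake servers show "Counter-Strike n", n in 1..3, in the
# "Game" column. A genuine CS 1.6 server reports plain "Counter-Strike".
FAKE_GAME_RE = re.compile(r"^Counter-Strike [1-3]$")


def _cstring(buf: bytes, pos: int):
    """Read a NUL-terminated string at pos; return (text, position after NUL)."""
    end = buf.index(b"\x00", pos)
    return buf[pos:end].decode("utf-8", "replace"), end + 1


def parse_goldsrc_info(packet: bytes) -> Dict[str, object]:
    """Parse address, name, map, folder, game, players, max_players, protocol."""
    if packet[: len(GOLDSRC_INFO_HEADER)] != GOLDSRC_INFO_HEADER:
        raise ValueError("not a GoldSource A2S_INFO reply")
    pos = len(GOLDSRC_INFO_HEADER)
    info: Dict[str, object] = {}
    for field in ("address", "name", "map", "folder", "game"):
        info[field], pos = _cstring(packet, pos)
    info["players"], info["max_players"], info["protocol"] = struct.unpack_from("<BBB", packet, pos)
    return info


def looks_like_belonard_proxy(info: Dict[str, object]) -> bool:
    """True when the game description matches the pattern from the report."""
    return bool(FAKE_GAME_RE.match(str(info["game"])))


def build_goldsrc_info(address: str, name: str, map_: str, folder: str, game: str,
                       players: int, max_players: int, protocol: int = 47) -> bytes:
    """Constructed reply in the layout parse_goldsrc_info reads (test data only)."""
    body = b"".join(s.encode("utf-8") + b"\x00" for s in (address, name, map_, folder, game))
    return GOLDSRC_INFO_HEADER + body + struct.pack("<BBB", players, max_players, protocol)


if __name__ == "__main__":
    # Constructed sample: documentation address range, not a real server.
    pkt = build_goldsrc_info("203.0.113.10:27015", "Public 24/7", "de_dust2", "cstrike",
                             "Counter-Strike 2", 4, 32)
    print(parse_goldsrc_info(pkt)["game"], looks_like_belonard_proxy(parse_goldsrc_info(pkt)))
```

The name check is only a heuristic: the report says that only some of the fake servers carry such a name, so a negative result does not clear a server. The other bug the report mentions is not described, so nothing here relies on it.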
Belonard uses encryption to store data in the Trojan and communicate with the server. It stores the encrypted name of the C&C server, as well as some lines of code and library names. There is one encryption algorithm with different constants for individual modules of the Trojan. The older versions of the Trojan used another algorithm to encrypt lines of code.
Decryption algorithm in Trojan.Belonard.2 (d is the encrypted string; its first byte only seeds the recurrence and is not part of the result):
    s = ''
    c = ord(d[0])
    for i in range(len(d)-1):
        c = (ord(d[i+1]) + 0xe2*c - 0x2f*ord(d[i]) - 0x58) & 0xff
        s += chr(c)
Decryption algorithm from the older versions (a running sum seeded with 'f'; note that the last byte of data is never consumed):
    s = 'f'
    for i in range(0, len(data)-1):
        s += chr((ord(s[i]) + ord(data[i])) & 0xff)
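Both routines above are simple byte recurrences, so they can be inverted exactly, which is useful when writing a decoder that must be validated against constructed input. The following is an added example, not Doctor Web's code: it restates the two decryption loops as functions over bytes, with the module constants (0xe2, 0x2f, 0x58) exposed as parameters because the report says the same algorithm is used with different constants in different modules, and adds the algebraic inverse of each so a sample string can be round-tripped. The inverses are my derivation, not something the report shows.

```python
"""Belonard string obfuscation, restated as functions (added example).

decode_* follow the recurrences in the report; encode_* are their inverses,
derived here so that constructed samples round-trip and the decoder can be
checked without a live sample.
"""


def decode_belonard2(d: bytes, a: int = 0xE2, b: int = 0x2F, k: int = 0x58) -> bytes:
    """Trojan.Belonard.2 scheme. Result byte i depends on the previous result
    byte c and on input bytes d[i], d[i+1]; d[0] only seeds c. a, b, k are
    the module-specific constants (values from the report)."""
    out = bytearray()
    c = d[0]
    for i in range(len(d) - 1):
        c = (d[i + 1] + a * c - b * d[i] - k) & 0xFF
        out.append(c)
    return bytes(out)


def encode_belonard2(plain: bytes, seed: int = 0x41,
                     a: int = 0xE2, b: int = 0x2F, k: int = 0x58) -> bytes:
    """Inverse of decode_belonard2: solve the recurrence for d[i+1].
    Any seed byte works because the decoder discards it."""
    d = bytearray([seed])
    c = seed
    for i, p in enumerate(plain):
        # From p = d[i+1] + a*c - b*d[i] - k (mod 256)
        d.append((p - a * c + b * d[i] + k) & 0xFF)
        c = p
    return bytes(d)


def decode_old(data: bytes) -> bytes:
    """Older scheme: running sum seeded with 'f'. The loop stops one byte
    short, so the last input byte is ignored, exactly as in the report."""
    s = bytearray(b"f")
    for i in range(len(data) - 1):
        s.append((s[i] + data[i]) & 0xFF)
    return bytes(s)


def encode_old(plain: bytes) -> bytes:
    """Inverse of decode_old: each data byte is the difference between
    consecutive output bytes. A trailing zero byte is appended because the
    decoder never consumes the last byte."""
    prev = ord("f")
    out = bytearray()
    for p in plain:
        out.append((p - prev) & 0xFF)
        prev = p
    out.append(0)
    return bytes(out)


if __name__ == "__main__":
    sample = b"kernel32.dll"  # constructed plaintext
    print(decode_belonard2(encode_belonard2(sample)))  # b'kernel32.dll'
    print(decode_old(encode_old(sample)))              # b'fkernel32.dll'
```

Because decode_old keeps the seed character, its output is the plaintext prefixed with 'f'; a decoder for samples of the older versions has to strip that first byte.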
Belonard uses more sophisticated encryption to exchange data with the command and control server. Before sending information to the server, the Trojan packs it into a structure that differs for each module. The collected data is encrypted with RSA using the public key stored within the malware. However, RSA is used for the first 342 bytes of data only: if a module sends a packet larger than 342 bytes, only that much is encrypted with RSA, and the rest is encrypted with AES. The material for the AES key is stored in the RSA-encrypted part, along with the data needed to generate the AES key that the C&C server uses to encrypt its replies.
Then, after a zero byte is prepended to the packet, the data is sent to the C&C server. The server replies with an encrypted packet whose header contains the size of the payload and a SHA256 hash that is verified against the AES key.
The server may reply with
Decryption is performed with AES in a CFB mode with a block size of 128 bits and the key sent earlier to the server. The first 36 bytes of data are decrypted first, including the last DWORD value that shows the actual payload with the header. The DWORD value adds to the AES key and is hashed using SHA256. The resulting hash must match the first 32 decrypted bytes. The rest of the received data is decrypted only after this.
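The header check above is the part of the reply format a decoder must get right before it touches the payload. The following is an added example, not Doctor Web's code, that implements it: it reads the first 36 decrypted bytes, interprets the trailing DWORD as the payload size, recomputes SHA256 over the AES key with that DWORD appended, and only then decrypts the rest. Two assumptions are labelled in the code: the DWORD is little-endian, and "adds to the AES key" means the four size bytes are appended to the key before hashing. The AES-CFB step is supplied by the caller as a stateful decryptor object (the shape of a pycryptodome CFB cipher); for the offline demo a keystream-XOR stand-in is used so that the framing logic runs without third-party libraries.

```python
"""Verification of the Belonard C&C reply header (added example).

The framing follows the report: 32-byte SHA-256, then a DWORD size, then the
payload, all under AES-CFB. ASSUMPTIONS: little-endian size, digest computed
over key || size. XorStream is a constructed stand-in for the CFB decryptor
and is NOT AES; substitute Crypto.Cipher.AES.new(key, MODE_CFB, iv,
segment_size=128) in real use.
"""
import hashlib
import hmac
import struct
from typing import Optional

HEADER_LEN = 36  # 32-byte SHA-256 + 4-byte size DWORD (from the report)


def expected_digest(aes_key: bytes, payload_size: int) -> bytes:
    """SHA-256 over key || size (ASSUMPTION about how the DWORD 'adds to' the key)."""
    return hashlib.sha256(aes_key + struct.pack("<I", payload_size)).digest()


class XorStream:
    """Stateful keystream stand-in for the demo (constructed; NOT a cipher)."""

    def __init__(self, key: bytes):
        self._key, self._pos = key, 0

    def decrypt(self, chunk: bytes) -> bytes:
        out = bytes(b ^ self._key[(self._pos + i) % len(self._key)] for i, b in enumerate(chunk))
        self._pos += len(chunk)
        return out

    encrypt = decrypt  # XOR keystream is symmetric


def parse_reply(reply: bytes, aes_key: bytes, decryptor) -> Optional[bytes]:
    """Return the decrypted payload, or None if the header check fails.
    decryptor must keep its stream state across calls, like a CFB object does,
    so decrypting the header first and the payload later is equivalent to
    decrypting the buffer in one go."""
    if len(reply) < HEADER_LEN:
        return None
    header = decryptor.decrypt(reply[:HEADER_LEN])
    digest, (size,) = header[:32], struct.unpack("<I", header[32:36])
    if not hmac.compare_digest(digest, expected_digest(aes_key, size)):
        return None  # wrong key, tampered header, or not this protocol
    if size > len(reply) - HEADER_LEN:
        return None  # truncated or malformed length
    return decryptor.decrypt(reply[HEADER_LEN:HEADER_LEN + size])


def build_reply(payload: bytes, aes_key: bytes, encryptor) -> bytes:
    """Constructed server reply in the described layout (for testing only)."""
    header = expected_digest(aes_key, len(payload)) + struct.pack("<I", len(payload))
    return encryptor.encrypt(header + payload)


if __name__ == "__main__":
    key = bytes(range(32))  # constructed 32-byte key
    reply = build_reply(b"constructed payload", key, XorStream(key))
    print(parse_reply(reply, key, XorStream(key)))
```

Decrypting and checking the 36-byte header before the rest of the buffer is what makes the size field trustworthy: a client that allocated or parsed on the basis of an unverified size would be exposed to a malformed reply, so the check belongs before, not after, the payload decryption.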
Doctor Web’s analysts took all necessary measures to neutralize the Belonard Trojan and stop the botnet from growing. The delegation of the domain names used by the malware developer was suspended with the help of the REG.ru domain name registrar. Since redirection from a fake game server to the malicious one happened via a domain name, CS 1.6 players are no longer in danger of connecting to the malicious server and getting infected by the Belonard Trojan. This interrupted the operation of almost all the components of the malware.
Beyond that, Dr.Web’s virus database was updated with entries to detect all the Belonard components. The modules that switched to DGA are currently being monitored. After all the necessary actions were taken, the sinkhole server registered 127 infected game clients. In addition, our telemetry showed that Dr.Web anti-virus detected Trojan.Belonard modules on 1004 devices of our clients.
At the present moment, Belonard botnet can be considered neutralized; but in order to ensure the safety of Counter-Strike game clients, it is necessary to close current vulnerabilities.
Indicators of compromise
8bbc0ebc85648bafdba19369dff39dfbd88bc297 - Backdoored Counter-Strike 1.6 client
200f80df85b7c9b47809b83a4a2f2459cae0dd01 - Backdoored Counter-Strike 1.6 client
8579e4efe29cb999aaedad9122e2c10a50154afb - Backdoored Counter-Strike 1.6 client
ce9f0450dafda6c48580970b7f4e8aea23a7512a - client.dll - Trojan.Belonard.1
75ec1a47404193c1a6a0b1fb61a414b7a2269d08 - Mp3enc.asi - Trojan.Belonard.2
4bdb31d4d410fbbc56bd8dd3308e20a05a5fce45 - Mp3enc.asi - Trojan.Belonard.2
a0ea9b06f4cb548b7b2ea88713bd4316c5e89f32 - Mssv36.asi - Trojan.Belonard.10
e6f2f408c8d90cd9ed9446b65f4b74f945ead41b - FileSystem.asi - Trojan.Belonard.11
15879cfa3e5e4463ef15df477ba1717015652497 - Mssv24.asi - Trojan.Belonard.5
4b4da2c0a992d5f7884df6ea9cc0094976c1b4b3 - Mssv24.asi - Trojan.Belonard.5
6813cca586ea1c26cd7e7310985b4b570b920803 - Mssv24.asi - Trojan.Belonard.5
6b03e0dd379965ba76b1c3d2c0a97465329364f2 - Mssv16.asi - Trojan.Belonard.3
2bf76c89467cb7c1b8c0a655609c038ae99368e9 - Mssv16.asi - Trojan.Belonard.3
d37b21fe222237e57bc589542de420fbdaa45804 - Mssv16.asi - Trojan.Belonard.3
72a311bcca1611cf8f5d4d9b4650bc8fead263f1 - Mssv16.asi - Trojan.Belonard.3
73ba54f9272468fbec8b1d0920b3284a197b3915 - davapi.dll - Trojan.Belonard.6
d6f2a7f09d406b4f239efb2d9334551f16b4de16 - davapi.dll - Trojan.Belonard.6
a77d43993ba690fda5c35ebe4ea2770e749de373 - spwinres.dll - Trojan.Belonard.4
8165872f1dbbb04a2eedf7818e16d8e40c17ce5e - WinDHCP.dll - Trojan.Belonard.7
027340983694446b0312abcac72585470bf362da - WinDHCP.dll - Trojan.Belonard.7
93fe587a5a60a380d9a2d5f335d3e17a86c2c0d8 - wmcodecs.dll - Trojan.Belonard.8
89dfc713cdfd4a8cd958f5f744ca7c6af219e4a4 - wmcodecs.dll - Trojan.Belonard.8
2420d5ad17b21bedd55309b6d7ff9e30be1a2de1 - ssdp32.dll - Trojan.Belonard.9
client.dll - Trojan.Belonard.1
Mp3enc.asi - Trojan.Belonard.2
Mssv16.asi - Trojan.Belonard.3
spwinres.dll - Trojan.Belonard.4
Mssv24.asi - Trojan.Belonard.5
davapi.dll - Trojan.Belonard.6
WinDHCP.dll - Trojan.Belonard.7
wmcodecs.dll - Trojan.Belonard.8
ssdp32.dll - Trojan.Belonard.9
Mssv36.asi - Trojan.Belonard.10
FileSystem.asi - Trojan.Belonard.11
March 11, 2019
Trojan.Belonard gets installed on a device upon connecting to a malicious game server. The Trojan exploits vulnerabilities of the game client and is able to infect both the Steam versions and the pirated builds of Counter-Strike 1.6 (CS 1.6). Once on the victim’s computer, the Trojan replaces the files of the client and creates proxies to infect other users. Such a scheme usually serves to create a network of infected computers, which can be used to promote game servers for money.
Despite the game’s long history, the number of players using official CS 1.6 clients is estimated at 20,000 people online, while the total number of game servers registered on Steam exceeds 5,000. Selling, renting, and promoting game servers is now an actual business, and these services can be purchased on various websites. Server owners often pay for this, unaware that their server may be promoted by malware. These illegal methods were used by the developer nicknamed “Belonard”; his server infected other players with a Trojan that promoted other servers via their accounts.
At the moment, the number of malicious CS 1.6 servers created by the Belonard Trojan hits 39% of all official servers registered on Steam. The CS community has been facing this issue for a long time; but, unfortunately, up until now, anti-viruses have only been able to identify parts of the threat, but not the Belonard Trojan in its entirety. Now all modules of the Belonard Trojan are successfully detected by Dr.Web’s products and do not pose a threat to our customers. Learn more about the Belonard Trojan and its operation in our study.
February 19, 2019
During February, malware analysts revealed 39 new modifications of the
The main function of
Since Trojans display banners almost continuously, cybercriminals quickly cover their expenses for promoting their software via popular online services.
To stay on smartphones and tablets for as long as possible, the
Almost all malware of the
Android users installed many of these malicious applications after viewing ads on Instagram and YouTube, where the cybercriminals promised functional and powerful photo and video processing tools. At first glance, the Trojans match the description and do not arouse suspicion among potential victims. However, apart from one or several basic functions, they contain nothing of what was declared. Here is what users complain about in the reviews:
An active promotional campaign set up by the cybercriminals attracts a large number of mobile device users and increases the number of downloads. Some of these Trojans even get featured in Google Play sections promoting new products and applications gaining popularity, which also increases the number of users that download the malware.
Information about all Trojans that our experts have found as of the publication date of this material is in the summary spreadsheet. However, since cybercriminals constantly create new
| Application package name | Number of downloads |
| --- | --- |
| com.funshionstyle.ledcaller | 1 000 000+ |
| com.wind.pics.blur.editor | 1 000 000+ |
| com.photo.cut.out.studio | 1 000 000+ |
| com.mobwontools.pixel.blur.cam | 1 000 000+ |
| com.selfie.beauty.candy.camera.pro | 1 000 000+ |
| com.cam.air.crush | 1 000 000+ |
| com.fancy.photo.blur.editor | 1 000 000+ |
Users are advised to perform a full scan of mobile devices with Dr.Web for Android and remove the Trojans that are detected.
Users of smartphones and tablets should be wary of ads on the Internet and avoid downloading all advertised software, even if it is distributed via Google Play. Only install applications from trusted developers and pay attention to the reviews from other users.
#Android, #fraud, #Google_Play, #Trojan
January 22, 2019
In Autumn 2018 cryptocurrency mining enthusiasts began noticing messages suggesting they install a tool for monitoring cryptocurrency prices. The app developers promised a certified, trusted and free widget. At first glance, this program doesn’t raise any suspicions. It has a valid digital signature and works exactly as promised. But behind this seemingly flawless functionality, there’s a hidden catch: it will steal your private data.
Upon installation, the program compiles and runs malicious code downloaded from the developer’s personal Github account. Once completed, it uploads Trojan.PWS.Stealer.24943, also known among malware developers as AZORult, to a victim’s device. This Trojan allows cybercriminals to steal a vast amount of private data, including passwords from cryptocurrency wallets.
In most cases encountered by Doctor Web researchers, this malware was distributed in English on forums dedicated to cryptocurrency mining. It was seen less often on Polish and Russian forums dedicated to the same subject.
At present, the Trojan is still available on several file exchanges, as well as on the Github account mentioned earlier. Dr.Web products successfully detect and remove this type of malware. That said, our cybersecurity researchers strongly advise you to timely renew your anti-virus subscription and install all the latest updates.
#cryptocurrency #mining #Trojan
December 6, 2018
Cybercriminals were distributing
When the user permits the Trojan to access accessibility features, it closes the window, starts the malicious service, and uses it to continue operating in the background.
Moreover, the malware uses the accessibility features for self-defense, watching for a number of anti-viruses and utilities. When they launch, it tries to close their windows by pressing the “back” button 4 times.
When the Banco Itaú is launched, the Trojan uses the accessibility feature to read the contents of its window and transfer information on the balance of the user's bank account to the attackers. It then navigates to account management in the application, where it copies and sends the iToken key, a security code used to verify electronic transactions, to the virus writers.
Upon startup of Bradesco, the Trojan reads the victim’s account information and tries to log in automatically by entering the PIN code received from the command and control server.
Upon receiving a command to launch an SMS application, the Trojan opens it, reads and saves the text of the available messages and sends them to the server. It also recognizes the messages from CaixaBank S.A. and transmits them in a separate request.
Cybercriminals also use
See an example of such phishing pages below:
Confidential information, entered by the victim, is transmitted to the attackers, and then the Trojan closes the fraudulent window and re-launches the compromised application in order not to raise suspicion from the user for collapsing and closing the app.
Doctor Web recommends you install Android software with extra care, even if you obtain them from Google Play. Attackers can fake well-known software, as well as create seemingly harmless applications. To reduce the risk of installing a Trojan, you should pay attention to the name of the developer, the date when the app appeared on Google Play, the number of downloads, and reviews from other users. In addition, please use an antivirus.
All known modifications to the
#Android, #Google_Play, #banking_Trojan, #phishing
November 23, 2018
The Trojan targets users of DynDNS software, which allows a subdomain to be bound to a computer that has no static IP address. The virus writer created a dnsip.ru webpage from which this program can allegedly be downloaded for free. The virus writer also owns the dns-free.com domain, and it automatically redirects visitors to dnsip.ru.
The website does indeed make an archive available for download. The archive contains the executable file setup.exe, which in reality is not a DynDNS installer, but a downloader. It stores the name of the file downloaded from the Internet; in our sample this was Setup100.arj.
Despite the telltale extension, Setup100.arj is not an ARJ archive, but an executable MZPE file that has had three of its values modified so that it is not recognized as MZPE by automated analysis tools and other applications.
First, it uses PowerShell to disable Windows Defender and, for greater reliability, also modifies the registry keys that control this program.
Then the dropper saves the files instsrv.exe, srvany.exe, dnshost.exe, and yandexservice.exe to the System32 folder. Instsrv.exe, srvany.exe, and dnshost.exe are Microsoft utilities for creating user-defined services in Windows, while yandexservice.exe is the
The malware analysts also investigated another component of the Trojan: the executable file dubbed dnsservice.exe, which is also installed on the infected computer as a Windows service named DNS Service. The specific debug lines that the virus writer forgot to delete in his malware programs are a giveaway:
C:\Boris\Программы\BDown\Project1.vbp C:\Boris\Программы\BarmashSetService\Project1.vbp C:\Boris\Программы\Barmash.en.new\Project1.vbp C:\Boris\Программы\Barmash_en_Restarter3\Project1.vbp
This component is distributed as the file dnsservice.arj, which is disguised as an archive from barmash.ru.
All known modifications of
According to data gathered by Doctor Web, as of now, about 1,400 users have been affected by this Trojan, with the first infections occurring in 2013. The complete list of indicators of compromise can be found here.
November 20, 2018
The Trojan, added to the Dr.Web virus databases as
Once successfully installed, the malicious script downloads a version of the
Once installed in the system,
After that, the malware tries to find running anti-virus software services with the names safedog, aegis, yunsuo, clamd, avast, avgd, cmdavd, cmdmgd, drweb-configd, drweb-spider-kmod, esets, and xmirrord. If it detects them, the Trojan does not simply end the antivirus’s process, but also uses package managers to remove its files as well as the directory in which the product was installed.
After completing all these steps,
The full list of indicators of compromise can be found here: https://github.com/DoctorWebLtd/malware-iocs/tree/master/Linux.BtcMine.174.
#Linux #cryptocurrency #mining #Trojan
November 16, 2018
The Trojan, dubbed
Once launched by a user, the Trojan requests permission to manage and make phone calls and send and receive SMS. Android devices below version 6.0 automatically grant these permissions during the Trojan’s installation. See the below example of a request:
The phone number entered by the victim is transferred to the cloud database. The user is then shown a second dialog telling them to wait for “registration” confirmation. The dialog has a “Submit” button. When pressed, it launches a game built into the
If the Trojan was successful when it uploaded the information about the mobile device to the cloud, it hides its icon from the home screen and then automatically runs in the background whenever the infected smartphone or tablet is on.
All known modifications of
October 22, 2018
Information about the detected malicious applications is in the table below:
| App name | Software package name | Version |
| --- | --- | --- |
| Extreme SUV 4x4 Driving Simulator | com.quoac.extreme.suv.driving | 0.3 |
| Moto Extreme Racer 3D | com.quoac.moto.extreme.racing | 0.3 |
| SUV City Traffic Racer | com.suv.traffic.racer | 0.3 |
| Sports Car Racing | com.quoac.sports.car.racing | 0.3 |
| Crime Traffic Racer | com.quoac.crime.traffic.game | 0.3 |
| Police Car Traffic | com.quoac.police.car.traffic | 0.3 |
| Tank Traffic Racer | com.quoac.tank.traffic.racer | 0.3 |
| Extreme Car Driving Simulator | com.quoac.extreme.car.driving.simulator | 0.3 |
| Russian Cars Retro | com.quoac.russian.car.retro | 0.3 |
| Motocross Beach Jumping - Bike Stund Racing | com.quoac.motocross.beach.jumping | 0.4 |
| Luxury Supercar Simulator | com.quoac.luxury.supercar.simulator | 0.3 |
| Crime Crazy Security | com.quoac.crime.crazy.security | 0.4 |
| Furious Extreme Drift | com.quoac.furious.extreme.drift | 0.3 |
| Drift Car Driving Simulator | com.quoac.car.driving.simulator | 0.5 |
When granted the necessary privileges, the Trojan connects to the remote server and downloads an APK file in the background. It then prompts the device user to install it. If the user refuses, the malware tries again, showing the same dialog every 20 seconds until the user agrees to install the application. The file the Trojan downloads and installs is the malware
All known modifications of the Downloader Trojan
Your Android needs protection!
- First Russian anti-virus for Android
- Over 135 million downloads—just from Google Play!
- Available free of charge for users who purchase Dr.Web home products
October 18, 2018
The Trojan, dubbed
When the malware was hidden from the user, it downloaded an APK file from a remote server in the background and saved it to the memory card. It then kept prompting the user to install the downloaded application until the user agreed. See the sample dialog below shown by
Doctor Web experts notified Google about the dangerous software found on Google Play and it has been promptly removed from the list.
Dr.Web for Android successfully detects and removes all the indicated Trojans from mobile devices, so they do not pose any threat to our users.
October 18, 2018
The online scammer, nicknamed Investimer, Hyipblock, or Mmpower, uses a wide range of commercial Trojans that are currently prevalent in the underground market, including the stealers Eredel, AZORult, Kpot, Kratos, N0F1L3, ACRUX, Predator The Thief, Arkei, and Pony. The attacker's arsenal also boasts the TeamViewer-based Spy-Agent backdoor, the DarkVNC and HVNC backdoors that access the affected computer via the VNC protocol, as well as a backdoor based on RMS. The cybercriminal widely applies the Smoke Loader and has previously used a Loader by Danij, as well as a miner Trojan with a clipper plug-in that changes the clipboard contents. Investimer hosts their controlling servers on websites such as jino.ru, marosnet.ru, and hostlife.net. Most of them are Cloudflare protected and hide their actual IP address.
Investimer is mainly focused on cryptocurrency fraud, primarily with Dogecoin. For this, they have created many phishing websites that replicate actual online resources. Among them is a fake cryptocurrency exchange that allegedly requires special client software, which in fact is the Spy-Agent Trojan that downloads to the victim’s computer.
Another “startup” of the scammer is the non-existent pool of Dogecoin miners for rent at competitive prices. To work with the pool, the potential victim downloads an alleged client application in a password-protected archive. The password prevents antivirus software from scanning the archive and removing it at the downloading stage. Clearly, the archive contains a stealer Trojan.
Another fraudulent project by Investimer involves the Ethereum cryptocurrency. The scammer offers potential victims rewards for browsing websites if they install a malicious program under the guise of a special app. The Trojan starts downloading automatically upon visiting the website. The scammer even put effort into writing a few fake reviews about the service.
Another way Investimer practices online fraud is through online lotteries where the prize is in Dogecoins. Of course, the lotteries are arranged in such a way that it is impossible for third-party participants to win; only the organizer can make money. Nevertheless, as we write, more than 5,800 users have already registered to Investimer’s lottery.
Apart from online lotteries, Investimer offers rewards in Dogecoins for viewing web pages with ads. This project has over 11,000 registered users.
Naturally, when a victim tries to download a browser plug-in to make money while surfing the Internet from a “partner” website, they install a backdoor on their computer. This in turn, usually installs a Trojan stealer on the infected device.
Investimer is also not above traditional phishing. They have created a website that offers a reward for bringing new users to the Ethereum payment system, but actually collects the information users enter during registration and transfers it to the attacker.
Apart from the above, Investimer tried to copy the official cryptobrowser.site. The original project creators have developed a new web browser that runs a cryptocurrency miner in the background while the user browses web pages. The fake website created by Investimer is not of a particularly high quality: some images are not displayed, the license agreement contains the email address of the real developers, and the Trojan posing as the browser is downloaded from another domain. The picture below shows Investimer’s fake website (left) and the original website (right).
Investimer reportedly has been involved in other online scams as well, including online games based on the financial pyramid principle. The attacker uses the information collected by Trojan stealers primarily to steal cryptocurrency and money from the victim’s wallets in various e-payment systems. It is worth noting that Investimer’s control panel for access to hacked computers contains obscene comments about each victim, which we cannot quote for censorship reasons.
The general scheme the cybercriminal uses to deceive Internet users is as follows: the potential victim is, by various means, lured to a fraudulent website that requires the user to download a certain client program to use it. However, instead of a client, the victim downloads a Trojan that installs other malware to the computer when the attacker signals it. Such programs (mainly stealer Trojans) steal confidential data from an infected device, and the scammer later uses it to steal cryptocurrency and money from the victim’s accounts through payment systems.
Doctor Web analysts believe the total number of users affected by Investimer’s illegal activities exceeds 10,000. Our experts estimate the damage to the victims is at over $23,000, in addition to more than 182,000 Dogecoins, which equals about $900 at the current rate.
Addresses of all websites created by Investimer are in the Dr.Web SpIDer Gate databases and all malware the scammer uses has been successfully detected and removed by our Antivirus.
The full list of indicators of compromise is located at https://github.com/DoctorWebLtd/malware-iocs/tree/master/investimer.
#criminal #cryptocurrencies #mining #fraud
October 8, 2018
The emails contain the logo and corporate identity of the company Alibaba Group, which owns AliExpress. Email recipients are addressed by name, the senders likely believing that this is bound to make the emails look more legitimate. Doctor Web analysts believe that the fraudsters could have gotten the actual AliExpress customer information from a purchased or stolen database of one of the many cashback services. The emails claim that the user had previously made purchases and left reviews on AliExpress, which is why they are being granted access to a special online store offering numerous discounts and gifts.
The link in the email leads to a website designed to look like an online store, but when trying to purchase any of the goods, the user is redirected to other ecommerce sites, many of which have previously been reported for fraud (e.g., for sending goods that do not match the description, reselling products at inflated prices, or selling low-quality counterfeit copies of popular goods) and are listed in the Dr.Web Parental Control and Office Control databases.
A quick investigation by Doctor Web also showed that the street address indicated on the website of a Moscow online store corresponds to a school building, and the tax number specified belongs to a non-existent company. Moreover, the website provides no information on the terms of delivery, and the contact email address is registered with the free email service provider mail.ru.
Doctor Web experts advise users to take these simple steps before purchasing goods from unfamiliar websites:
- Cross-check the address indicated on the About Us page with an online map, Panoramic Street Images by Yandex, or Google Street View. It is quite possible that instead of an office center or a shopping mall, you will see a school, a parking lot, or a garbage dump.
- Check the tax number on the website to see if the company exists and whether its name matches the owner of the online store. For Russian companies, you can do this online for free, using the page of the Federal Tax Service.
- Make sure that the website describes in detail the payment methods and delivery terms, as well as delivery options and rates.
- Carefully review the contacts on the website. A legitimate company is unlikely to use free email accounts.
#fraud #fraudulent_email #nonrecommended_websites
September 25, 2018
The Trojan, added to the Dr.Web virus databases under the name
The malicious program attempts to determine whether it is running in a virtual environment. When a virtual machine is detected, the program terminates. The banker also monitors the Windows local language settings. If the system language is not Portuguese, the Trojan does not perform any actions.
The loader module
When users open the Internet banking sites of various Brazilian financial institutions in the browser window,
This scheme, in which the content of the original “bank-client” web pages viewed by the user is replaced, is used by many banking Trojans. They often threaten the clients of credit institutions not only in Brazil but around the world. Over the past month, Doctor Web specialists have identified over 340 unique
#banker #banking_Trojan #online-banking #Trojan
August 29, 2018
Cybercriminals use one of the malicious programs called
This Trojan opens one of the phishing websites where a user is invited to download a well-known program or to receive a reward. A potential victim is asked to provide their mobile number, which is supposedly required to receive a confirmation code. In reality, however, this code is required to confirm a subscription to a paid service. If an infected device uses a mobile network to connect to the Internet, an Android device owner is subscribed to a premium service automatically after the phone number has been entered on the fraudulent website. Below you can see examples of the fraudulent webpages downloaded by
Additionally, among the malicious applications detected in August and distributed via Google Play, we should mention many other modifications of the
Once launched, these Trojans connect to the command and control (C&C) server and receive a command to download a website that is displayed to the user. Currently, these malicious programs open the official web pages of bookmakers, but the name of the Trojan application has no bearing on which website is downloaded. At any moment, the C&C server can command the Trojans to load an arbitrary web resource, including fraudulent or malicious online portals from which other malicious programs can be downloaded to an Android device. This is why these Trojans pose a serious threat.
Another scammer Trojan detected in August was hidden in the “Opros” (meaning “survey”) application. It was added to the virus database as
After answering some of these questions, the user was promised a reward of tens or even hundreds of thousands of rubles. The user was also warned that, due to a payment system limit, the money would be transferred in parts over a certain period of time. However, there was a “possibility” to receive the full amount at once. For that, the victim needed to make an identification payment of 100–200 rubles that supposedly confirmed the winner’s identity. This is the fraudulent scheme: victims willingly give their money to cybercriminals in order to receive the reward, but ultimately they get nothing. Doctor Web security analysts have notified Google about this malicious application, and it can no longer be downloaded.
To take money from mobile device owners or to gain other advantages, cybercriminals use various tricks and invent new scam schemes. Doctor Web reminds users to be careful when installing applications, even from Google Play. It is necessary to pay attention to the developer’s name, the publication date, and reviews from other users. These simple measures reduce the risk that a mobile device will become infected. In addition, to protect Android devices, users are also recommended to install Dr.Web anti-virus products for Android, which successfully detect and remove all known malicious and undesirable applications.
#Android #fraud #Google_Play #Trojan
August 7, 2018
Trojans capable of replacing digital wallet numbers in the clipboard in order to send money to cybercriminals instead of recipients are commonly referred to as “clippers”. Until recently, such malicious programs bothered Windows users only. Trojans for Android with similar functions are rarely seen in the wild. In August 2018, records of two modifications of a clipper Trojan
Once the Trojan is launched on an infected device, it displays a fake error message and continues to operate in hidden mode. The Trojan hides its icon from the list of applications on the Android home screen. From then on, the malware can be found only in the application management section of the system settings. Both modifications of
After a successful infection, the Trojan starts to track changes in the clipboard content. Once the user copies the digital wallet number to the clipboard,
The author of
The virus writer claims in his advertisements that the malware’s functions include sending a report on the program operation to the Telegram app and a quick change of wallet numbers embedded into the clipboard using the FTP protocol. However, these features are not implemented in the Trojan itself. All the specified functions are provided for cybercriminals by the command and control center.
Dr.Web for Android has successfully detected and deleted all the known modifications of the
#Android #bitcoin #cryptocurrencies
August 2, 2018
The malicious software and cryptocurrency-mining utilities this article focuses on were downloaded to one of our “honeypots” (special servers that Doctor Web specialists use as decoys for cybercriminals). The first such attacks on Linux servers were detected by security researchers at the beginning of May 2018. Cybercriminals connected to the server via the SSH protocol, brute-forcing the login and password with a dictionary. After successfully authenticating on the server, they disabled the iptables utility that manages the firewall. They then downloaded a mining utility and its configuration file to the attacked server and, to launch the utility, edited the contents of the /etc/rc.local file. After that, they terminated the connection.
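The attack chain above leaves two traces a defender can check for: a burst of failed SSH logins from one address followed by a success, and an unexpected command planted in /etc/rc.local. The following is an added example (not Doctor Web’s code) that runs both checks over constructed sshd log lines and a constructed rc.local; the log format mirrors standard OpenSSH “Failed/Accepted password” messages, and the miner path is a made-up placeholder.

```python
import re
from collections import defaultdict

# Constructed sample of sshd log lines (not from the article).
SAMPLE_AUTH_LOG = """\
May  3 02:10:01 srv sshd[911]: Failed password for root from 203.0.113.7 port 40122 ssh2
May  3 02:10:02 srv sshd[911]: Failed password for root from 203.0.113.7 port 40123 ssh2
May  3 02:10:03 srv sshd[911]: Failed password for root from 203.0.113.7 port 40124 ssh2
May  3 02:10:04 srv sshd[911]: Failed password for admin from 203.0.113.7 port 40125 ssh2
May  3 02:10:05 srv sshd[911]: Failed password for root from 203.0.113.7 port 40126 ssh2
May  3 02:10:09 srv sshd[911]: Accepted password for root from 203.0.113.7 port 40131 ssh2
May  3 02:11:40 srv sshd[950]: Accepted publickey for deploy from 198.51.100.2 port 51000 ssh2
"""

# Constructed /etc/rc.local with a persistence line of the kind described above
# (the miner path is a placeholder, not an indicator from the article).
SAMPLE_RC_LOCAL = """\
#!/bin/sh -e
# rc.local
/usr/local/bin/miner -c /tmp/.cfg/config.json &
exit 0
"""

AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<outcome>Failed|Accepted) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port"
)

def brute_force_logins(log_text, threshold=5):
    """Return source IPs that reached `threshold` failures and then logged in."""
    failures = defaultdict(int)
    flagged = []
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if not m:
            continue
        ip, outcome = m["ip"], m["outcome"]
        if outcome == "Failed":
            failures[ip] += 1
        elif failures[ip] >= threshold and ip not in flagged:
            flagged.append(ip)  # success right after a burst of failures
    return flagged

def suspicious_rc_local(text, allowed=("exit 0",)):
    """Return non-comment, non-empty rc.local lines that are not in `allowed`."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.startswith("#") and ln.strip() not in allowed]

if __name__ == "__main__":
    print(brute_force_logins(SAMPLE_AUTH_LOG))   # ['203.0.113.7']
    print(suspicious_rc_local(SAMPLE_RC_LOCAL))
```

On a real host, feed it `/var/log/auth.log` (or `journalctl -u ssh`) and the actual `/etc/rc.local`, and extend `allowed` with the lines your own provisioning legitimately places there.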
In June, cybercriminals changed this scheme and started using malicious software that has been added to the Dr.Web virus databases under the name
Security researchers examined the cybercriminals’ server from which this Trojan was downloaded and detected several Windows miners there.
The Windows miner version is a self-unpacking RAR archive that contains a configuration file, several VBS scripts to launch the miner, and a utility to mine cryptocurrency. Once the archive is launched, the utility is unpacked to the %SYSTEMROOT%\addins folder and registers as the SystemEsinesBreker service.
32-bit and 64-bit miner versions for Windows are detected by Dr.Web Anti-virus as Tool.BtcMine. Our users are under reliable protection from malicious activities of these programs.