Real-time threat news
March 21, 2019
Flexnet is based on the GM Bot Trojan, researched by Doctor Web malware analysts back in February 2015. The malicious app’s source code was published in 2016. Soon, the first versions of Flexnet were created thanks to everything achieved by GM Bot’s authors. Attacks against Android mobile devices using this Trojan continue happening to this day.
The cybercriminals distribute Flexnet Trojans via spam texting. In the messages, the potential victims are encouraged to follow the link and download some program or game. The Trojan disguises itself as applications such as Drug Vokrug (a dating and chatting app), GTA V, tools for Instagram and VKontakte account promotion, as well as other software.
Fig. 1. Example of software icons used by the Trojan.
When launched, the Trojan requests admin privileges, displaying a standard dialog box. If the victim grants the permissions, the Trojan falsely reports an error and removes its icon from the home screen to hide from the user so as not to be removed.
Fig. 2-3. An attempt to request admin privileges and a false error message.
Compared with modern Android bankers, Flexnet’s capabilities are quite limited. The Trojan is capable of hooking and sending text messages, as well as performing USSD requests. However, these functions are enough to steal money using various fraudulent means.
One of them is topping up the in-game accounts of popular computer games via SMS. First, the Trojan checks a user's bank card balance by sending an SMS request to the mobile banking service system. Then it hooks the response message with the account balance and transmits this information to cybercriminals. Next, the attackers request to top up the gaming account, indicating the victim’s phone number and the amount to transfer. The user then receives a text message with a verification code. The Trojan intercepts this message, transfers its contents to the cybercriminals, and finally they give the Trojan a command to send the verification code to confirm the transaction.
See below the example of money theft using this method:
Fig. 4. Top-up of Wargaming accounts. The Trojan hooks the messages from a bank’s billing system and, at the command of cybercriminals, sends a reply with a payment confirmation code to transfer RUB 2,475.
Other fraudulent schemes are implemented in a similar way. For example, the cybercriminals can pay for hosting using money from their victims’ mobile credit. To do this, the Trojan sends text messages with the necessary parameters to certain phone numbers. See below the example of such payment.
Fig. 5. Trojan texting the transfer amount (RUB 299 and RUB 1,000) and account names on the jino.ru hosting service to top up the balance of cybercriminals.
The attackers can steal money even if the victim does not have enough on the balance. They use the credit options provided by mobile carriers. As in other cases, the cybercriminals instruct the Trojan to send a text with the necessary parameters. Owners of the infected devices are oblivious to the money loss because the banker hides all suspicious messages.
Fig. 6. The fraudsters attempt to pay for the My.com service, but the amount on the victim’s mobile credit is not enough to do it. They command the Trojan to use the credit option and successfully perform the transfer. Thus, the device owner is left with a phone debt.
Additionally, the Trojan can transfer money from victims’ bank cards to cybercriminals’ accounts. However, financial institutions use specific algorithms to track suspicious transactions, so the probability of them being blocked is very high, while the above schemes allow the fraudsters to steal relatively small amounts for a long time and go unnoticed.
Another feature of Flexnet involves stealing confidential data. The cybercriminals can get ahold of accounts on social media, online stores, the websites of mobile carriers, and other online services. Knowing the victim’s mobile phone number, the cybercriminals try to log into their account. The service sends a text with a one-time verification code, which the Trojan hooks and sends to the attackers.
Fig. 7. Texts with one-time access codes of various services, hooked by the Trojan.
If the number used on the infected device is not registered with the target services, the cybercriminals can use it to register a new account. In the future, those compromised and newly created accounts can enter the black market and then be used to send spam and arrange phishing attacks.
With the assistance of the REG.ru registrar, several Flexnet command and control servers were blocked, and the cybercriminals no longer control some of the infected devices.
Doctor Web reminds owners of Android smartphones and tablets that software and games should only be installed from reliable sources such as Google Play. You are strongly advised to pay attention to the reviews of other users and use software from trusted developers.
Dr. Web for Android detects all known modifications of the Flexnet Trojan as parts of the
#Android, #banking_Trojan, #two_factor_authentication
March 11, 2019
The game Counter-Strike 1.6 was released by Valve Corporation back in 2000. Despite its rather considerable age, it still has a large fan base. The number of players using official CS 1.6 clients reaches an average of 20,000 people online, while the overall number of game servers registered on Steam exceeds 5,000. Selling, renting, and promoting game servers is now deemed an actual business, and these services can be purchased on various websites. For example, raising a server’s rank for a week costs about 200 rubles, which is not much, but a large number of buyers make this strategy a rather successful business model.
Many owners of popular game servers also raise money from players by selling various privileges such as protection against bans, access to weapons, etc. Some server owners advertise themselves independently, while others purchase server promotion services from contractors. Having paid for a service, customers often remain oblivious as to how exactly their servers are advertised. As it turned out, the developer nicknamed, “Belonard”, resorted to illegal means of promotion. His server infected the devices of players with a Trojan and used their accounts to promote other game servers.
The owner of the malicious server uses the vulnerabilities of the game client and a newly written Trojan as a technical foundation for their business. The Trojan is to infect players’ devices and download malware to secure the Trojan in the system and distribute it to devices of other players. For that, they exploit Remote Code Execution (RCE) vulnerabilities, two of which have been found in the official game client and four in the pirated one.
Once set up in the system, Trojan.Belonard replaces the list of available game servers in the game client and creates proxies on the infected computer to spread the Trojan. As a rule, proxy servers show a lower ping, so other players will see them at the top of the list. By selecting one of them, a player gets redirected to a malicious server where their computer become infected with Trojan.Belonard.
Using this pattern, the developer of the Trojan managed to create a botnet that makes up a considerable part of the CS 1.6 game servers. According to our analysts, out of some 5,000 servers available from the official Steam client, 1,951 were created by the Belonard Trojan. This is 39% of all game servers. A network of this scale allowed the Trojan’s developer to promote other servers for money, adding them to lists of available servers in infected game clients.
We previously reported a similar incident with CS 1.6, where a Trojan could infect a player’s device via a malicious server. However, a user then had to approve the download of malicious files, while this time, a Trojan attacks devices unnoticed by the users. Doctor Web have informed Valve about these and other vulnerabilities of the game, but as of now, there is no data on when the vulnerabilities will be fixed.
Infection of a client
Trojan.Belonard consists of 11 components and operates under different scenarios, depending on the game client. If the official client is used, the Trojan infects the device using an RCE vulnerability, exploited by the malicious server, and then establishes in the system. A clean pirated client is infected the same way. If a user downloads an infected client from the website of the owner of the malicious server, the Trojan’s persistence in the system is ensured after the first launch of the game.
Let us touch upon the process of infecting a client in more detail. A player launches the official Steam client and selects a game server. Upon connecting to a malicious server, it exploits an RCE vulnerability, uploading one of the malicious libraries to a victim’s device. Depending on the type of vulnerability, one of two libraries will be downloaded and executed: client.dll (Trojan.Belonard.1) or Mssv24.asi (Trojan.Belonard.5).
Once on the victim’s device, Trojan.Belonard.1 deletes any .dat files that are in the same directory with the library process file. After that, the malicious library connects to the command and control server, fuztxhus.valve-ms[.]ru:28445, and sends it an encrypted request to download the file Mp3enc.asi (Trojan.Belonard.2). The server then sends the encrypted file in response.
This is a screenshot of a decrypted data packet from the server:
Installation into the client
Infection of the official or pirated client is performed using the specific feature of the Counter-Strike client. When launched, the game automatically downloads any ASI files from the game root.
The client downloaded from the website of the Trojan’s developer is already infected with Trojan.Belonard.10 (the file name is Mssv36.asi), but the trojan installs in the system differently than in clean versions of game clients. After installation of an infected client, Trojan.Belonard.10 checks for one of its components in the user's OS. If there is none, it drops the component from its body and downloads Trojan.Belonard.5 (the file name is Mssv24.asi) into its process memory. Like many other modules, Trojan.Belonard.10 changes the date and time of creation, modification, or access to the file, so that the Trojan’s files cannot be found by sorting the contents of the folder by creation date.
After installing a new component, Trojan.Belonard.10 remains in the system and acts as a protector of the client. It filters requests, files, and commands received from other game servers and transfers data about attempted changes to the client to the Trojan developer’s server.
Trojan.Belonard.5 receives information about the running process and the paths to the module in DllMain. If the process name is not rundll32.exe, it starts a separate threads for subsequent actions. In the running thread, Trojan.Belonard.5 creates the key [HKCU\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Layers] '<path to the executable file process>', assigns it the value “RUNASADMIN”, and checks the module name. If it is not “Mssv24.asi”, it copies itself in the “Mssv24.asi” module, deletes the version with a different name, and launches Trojan.Belonard.3 (the file name is Mssv16.asi). If the name matches, it immediately downloads and launches the Trojan.
Embedment in a clean client is performed by Trojan.Belonard.2. After download, it checks in DllMain the name of the process in which client.dll(Trojan.Belonard.1) is loaded. If it is not rundll32.exe, it creates a thread with the key [HKCU\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Layers] '<path to the executable file process>’, and assigns it the value “RUNASADMIN”. After that, it collects data about the user’s device and extracts information from the DialogGamePage.res file. Then it sends the collected data to the server of the Trojan developer in an encrypted format.
Collected system data structure:
In response, the server sends the Mssv16.asi file,(Trojan.Belonard.3). Meta-information about the new module is saved in the file DialogGamePage.res, while Trojan.Belonard.5 is removed from the user’s device.
Installation in the system
The process of ensuring persistence in the system starts with Trojan.Belonard.3. Once on the device, it removes Trojan.Belonard.5 and checks the process, in the context of which it runs. If it is not rundll32.exe, it saves two other Trojans to %WINDIR%\System32\: Trojan.Belonard.7 (the file name is WinDHCP.dll) and Trojan.Belonard.6 (davapi.dll). At the same time, unlike Trojan.Belonard.5, the seventh and sixth ones are stored within the Trojan in a disassembled form. The bodies of these two Trojans are divided into blocks of 0xFFFC bytes (the last block may be smaller). When saved to disk, the Trojan assembles the blocks together to obtain working files.
Having assembled the Trojans, Trojan.Belonard.3 creates a WinDHCP service to run WinDHCP.dll (Trojan.Belonard.7) in the context of svchost.exe. Depending on language settings, the OS uses texts in Russian or English to set service parameters.
WinDHCP service parameters:
- Service name: “Windows DHCP Service” or “Служба Windows DHCP”;
- Description: “Windows Dynamic Host Configuration Protocol Service” or “Служба протокола динамической настройки узла Windows”;
- The ImagePath parameter is specified as “%SystemRoot%\System32\svchost.exe -k netsvcs”, while ServiceDll specifies the path to the Trojan library.
After that, Trojan.Belonard.3 regularly checks if the WinDHCP service is running. If it is not running, it reinstalls the service.
Trojan.Belonard.7 is WinDHCP.dll with a ServiceMain exported function, installed on the infected device by an autorun service. Its purpose is to check the “Tag” parameter in the registry of the key “HKLM\\SYSTEM\\CurrentControlSet\\Services\\WinDHCP”. If it is set to 0, Trojan.Belonard.7 loads the davapi.dll library (Trojan.Belonard.6) and calls its exported function, passing a pointer to a SERVICE_STATUS as an argument, which reflects the status of the WinDHCP service. Then it waits for 1 second and checks the “Tag” parameter once more. If the value does not match 0, Trojan.Belonard.7 loads the spwinres.dll library (Trojan.Belonard.4), which is an older version of Trojan.Belonard.6. After that, it calls spwinres.dll’s exported function, passing a pointer to a SERVICE_STATUS as an argument, which reflects the status of the WinDHCP service.
The Trojan repeats these actions every second.
WinDHCP service parameters from our customer’s report:
<RegistryKey Name="WinDHCP" Subkeys="1" Values="11">
<RegistryKey Name="Parameters" Subkeys="0" Values="1">
<RegistryValue Name="ServiceDll" Type="REG_EXPAND_SZ" SizeInBytes="68" Value="%SystemRoot%\system32\WinDHCP.dll" />
<RegistryValue Name="Type" Type="REG_DWORD" Value="32" />
<RegistryValue Name="Start" Type="REG_DWORD" Value="2" />
<RegistryValue Name="ErrorControl" Type="REG_DWORD" Value="0" />
<RegistryValue Name="ImagePath" Type="REG_EXPAND_SZ" SizeInBytes="90" Value="%SystemRoot%\System32\svchost.exe -k netsvcs" />
<RegistryValue Name="DisplayName" Type="REG_SZ" Value="Служба Windows DHCP" />
<RegistryValue Name="ObjectName" Type="REG_SZ" Value="LocalSystem" />
<RegistryValue Name="Description" Type="REG_SZ" Value="Служба протокола динамической настройки узла Windows" />
<RegistryValue Name="Tag" Type="REG_DWORD" Value="0" />
<RegistryValue Name="Data" Type="REG_BINARY" SizeInBytes="32" Value="f0dd5c3aeda155767042fa9f58ade24681af5fbd45d5df9f55a759bd65bc0b7e" />
<RegistryValue Name="Scheme" Type="REG_BINARY" SizeInBytes="16" Value="dcef62f71f8564291226d1628278239e" />
<RegistryValue Name="Info" Type="REG_BINARY" SizeInBytes="32" Value="55926164986c6020c60ad81b887c616db85f191fda743d470f392bb45975dfeb" />
Before the startup of all functions, Trojan.Belonard.6 checks the “Tag” and “Data” parameters in the WinDHCP service registry. The “Data” parameter must contain an array of bytes used to generate the AES key. If there is none, the Trojan uses the openssl library to generate 32 random bytes, which will later be used to generate the encryption key. After that, the Trojan reads the “Info” and “Scheme” parameters of the WinDHCP service. In “Scheme”, the Trojan stores 4 parameters, encrypted with AES. “Info” stores the SHA256 hash of the list of installed programs.
Having collected this data, Trojan.Belonard.6 decrypts the address of the C&C server — oihcyenw.valve-ms[.]ru — and tries to establish a connection. If it fails, the Trojan uses DGA to generate domains in the .ru zone. However, an error in the domain generation code prevents the algorithm from creating the domains intended for the Trojan developer.
After sending the encrypted information, the Trojan receives a response from the server, decrypts it and saves the transferred files to %WINDIR%\System32\. This data contains the Trojans wmcodecs.dll (Trojan.Belonard.8) and ssdp32.dll (Trojan.Belonard.9).
Apart from the above functions, Trojan.Belonard.6 also triggers the following actions at random intervals:
- Search for running Counter-Strike clients;
- Launch of Trojan.Belonard.9;
- Connecting to the developer’s server.
Periods can be changed at the command from the C&C server.
Payload and distribution
Belonard also installs in new game clients found on the device. This is performed by Trojan.Belonard.8 and Trojan.Belonard.6.
Trojan.Belonard.8 initializes a container with data about Counter-Strike 1.6 client file names and their SHA256 hashes. Trojan.Belonard.6 starts to search for installed game clients. If the Trojan finds a running client, it checks the list of files and their SHA256 hashes against the data received from Trojan.Belonard.8. If it does not match, Trojan.Belonard.8 ends the clean client process, and then drops the file hl.exe to the game directory. This file is only needed to display the following error message upon loading the game “Could not load game. Please try again at a later time.” This allows the Trojan to gain time for replacing the files of the client. When it is done, the Trojan replaces hl.exe with a working file and the game starts without an error.
The Trojan deletes the following client files:
Depending on the OS language settings, the Trojan downloads English or Russian game menu files.
Modifications to the game client contain files of Trojan.Belonard.10, as well as an advertisement of the Trojan developer’s websites. When a player starts the game, their nickname will change to the address of the website where an infected game client can be downloaded, while the game menu will show a link to the VKontakte CS 1.6 community with more than 11,500 subscribers.
The Trojan’s payload is to emulate a number of fake game servers on the user’s device. To do this, the Trojan transfers information about the game client to the developer’s server and receives encrypted parameters for creating fake servers in response.
Trojan.Belonard.9 creates proxy game servers and registers them with the Steam API. Game server ports are defined sequentially from the lowest value of game_srv_low_port specified by the server. The server also sets the value for fakesrvbatch, which determines the number of protocol emulator threads. The emulator supports basic requests to a Goldsource engine game server: A2S_INFO, A2S_PLAYER, A2A_PING, receiving the “challenge steam/non-steam client” request, as well as the “connect” command of the Counter-Strike client. After responding to the “connect” command, the Trojan tracks the first and the second packet from the client.
After exchanging packets, the Trojan sends the last packet, svc_director, with a DRC_CMD_STUFFTEXT type of message, which enables the execution of arbitrary commands of the Counter-Strike client. This issue has been known to Valve since 2014 and has not been fixed yet. Thus, attempting to connect to the game proxy server, the player will be redirected to the malicious server. After that, the Trojan developer will be able to exploit the vulnerabilities of the user's game client to install Trojan.Belonard.
It is worth mentioning that Trojan.Belonard.9 contains a bug, which allows us to detect fake game servers, created by the Trojan. Moreover, some of those servers can be identified by the name: in the “Game” column, the fake server will have a string “Counter-Strike n”, where n can be a number from 1 to 3.
Belonard uses encryption to store data in the Trojan and communicate with the server. It stores the encrypted name of the C&C server, as well as some lines of code and library names. There is one encryption algorithm with different constants for individual modules of the Trojan. The older versions of the Trojan used another algorithm to encrypt lines of code.
Decryption algorithm in Trojan.Belonard.2:
s = ''
c = ord(d)
for i in range(len(d)-1):
c = (ord(d[i+1]) + 0xe2*c - 0x2f*ord(d[i]) - 0x58) & 0xff
s += chr(c)
Decryption algorithm from the older versions:
s = 'f'
for i in range(0,len(data)-1):
s += chr((ord(s[i]) + ord(data[i]))&0xff)
Belonard uses a more sophisticated encryption to exchange data with the command and control server. Before sending the information to the server, the Trojan turns it into a different structure for each module. Collected data is encrypted by RSA using the public key stored within the malware. However, it must be mentioned that RSA is used for encryption of first 342 bytes of data only. If a module sends a packet of data larger than 342 bytes, only this much will be encrypted by RSA; the rest of the data will be encrypted by AES. The data for AES key is stored in a part, encrypted by RSA key. The data for AES key is stored in a part, encrypted by RSA key, along with the data needed for generating AES key, which is used by C&C server for encrypting its answers.
Then, after a zero byte added at the beginning of the packet, the data is sent to the C&C server. To which the server replies with an encrypted packet that contains information about the size of the payload and its SHA256 hash in its header, which is needed to be verified against the AES key.
The server may reply with
Decryption is performed with AES in a CFB mode with a block size of 128 bits and the key sent earlier to the server. The first 36 bytes of data are decrypted first, including the last DWORD value that shows the actual payload with the header. The DWORD value adds to the AES key and is hashed using SHA256. The resulting hash must match the first 32 decrypted bytes. The rest of the received data is decrypted only after this.
Doctor Web’s analysts took all necessary measures in order to neutralize the Belonard trojan and stop botnet from growing. The delegation of the domain names used by the malware developer was suspended with the help of REG.ru domain name registrar. Since redirection from a fake game server to the malicious one happened via domain name, CS 1.6 players will no longer be in danger of connecting to the malicious server and getting infected by the Belonard trojan. This interrupted work of almost all the components of the malware.
Beyond that, Dr.Web’s virus database was updated with entries to detect all the Belonard components. The modules that switched to DGA are currently monitored. After all the necessary actions were taken, the sinkhole server registered 127 infected game clients. In addition to that, our telemetry showed that Dr.Web anti-virus detected modules of the Trojan.Belonard on 1004 devices of our clients.
At the present moment, Belonard botnet can be considered neutralized; but in order to ensure the safety of Counter-Strike game clients, it is necessary to close current vulnerabilities.
Indicators of compromise
8bbc0ebc85648bafdba19369dff39dfbd88bc297 - Backdoored Counter-Strike 1.6 client
200f80df85b7c9b47809b83a4a2f2459cae0dd01 - Backdoored Counter-Strike 1.6 client
8579e4efe29cb999aaedad9122e2c10a50154afb - Backdoored Counter-Strike 1.6 client
ce9f0450dafda6c48580970b7f4e8aea23a7512a - client.dll - Trojan.Belonard.1
75ec1a47404193c1a6a0b1fb61a414b7a2269d08 - Mp3enc.asi - Trojan.Belonard.2
4bdb31d4d410fbbc56bd8dd3308e20a05a5fce45 - Mp3enc.asi - Trojan.Belonard.2
a0ea9b06f4cb548b7b2ea88713bd4316c5e89f32 - Mssv36.asi - Trojan.Belonard.10
e6f2f408c8d90cd9ed9446b65f4b74f945ead41b - FileSystem.asi - Trojan.Belonard.11
15879cfa3e5e4463ef15df477ba1717015652497 - Mssv24.asi - Trojan.Belonard.5
4b4da2c0a992d5f7884df6ea9cc0094976c1b4b3 - Mssv24.asi - Trojan.Belonard.5
6813cca586ea1c26cd7e7310985b4b570b920803 - Mssv24.asi - Trojan.Belonard.5
6b03e0dd379965ba76b1c3d2c0a97465329364f2 - Mssv16.asi - Trojan.Belonard.3
2bf76c89467cb7c1b8c0a655609c038ae99368e9 - Mssv16.asi - Trojan.Belonard.3
d37b21fe222237e57bc589542de420fbdaa45804 - Mssv16.asi - Trojan.Belonard.3
72a311bcca1611cf8f5d4d9b4650bc8fead263f1 - Mssv16.asi - Trojan.Belonard.3
73ba54f9272468fbec8b1d0920b3284a197b3915 - davapi.dll - Trojan.Belonard.6
d6f2a7f09d406b4f239efb2d9334551f16b4de16 - davapi.dll - Trojan.Belonard.6
a77d43993ba690fda5c35ebe4ea2770e749de373 - spwinres.dll - Trojan.Belonard.4
8165872f1dbbb04a2eedf7818e16d8e40c17ce5e - WinDHCP.dll - Trojan.Belonard.7
027340983694446b0312abcac72585470bf362da - WinDHCP.dll - Trojan.Belonard.7
93fe587a5a60a380d9a2d5f335d3e17a86c2c0d8 - wmcodecs.dll - Trojan.Belonard.8
89dfc713cdfd4a8cd958f5f744ca7c6af219e4a4 - wmcodecs.dll - Trojan.Belonard.8
2420d5ad17b21bedd55309b6d7ff9e30be1a2de1 - ssdp32.dll - Trojan.Belonard.9
client.dll - Trojan.Belonard.1
Mp3enc.asi - Trojan.Belonard.2
Mssv16.asi - Trojan.Belonard.3
spwinres.dll - Trojan.Belonard.4
Mssv24.asi - Trojan.Belonard.5
davapi.dll - Trojan.Belonard.6
WinDHCP.dll - Trojan.Belonard.7
wmcodecs.dll - Trojan.Belonard.8
ssdp32.dll - Trojan.Belonard.9
Mssv36.asi - Trojan.Belonard.10
FileSystem.asi - Trojan.Belonard.11
March 11, 2019
Trojan.Belonard gets installed on a device upon connecting to a malicious game server. The Trojan exploits vulnerabilities of the game client and is able to infect both the Steam versions and the pirated builds of Counter-Strike 1.6 (CS 1.6). Once on the victim’s computer, the Trojan replaces the files of the client and creates proxies to infect other users. Such a scheme usually serves to create a network of infected computers, which can be used to promote game servers for money.
Despite the game’s long history, the number of players using official CS 1.6 clients is estimated at 20,000 people online, while the total number of game servers registered on Steam exceeds 5,000. Selling, renting, and promoting game servers is now deemed actual business, and these services can be purchased with various websites. Server owners often pay for this, oblivious that their server can be promoted by malware. These illegal methods were used by the developer nicknamed “Belonard”; his server infected other players with a Trojan to promote other servers via their accounts.
At the moment, the number of malicious CS 1.6 servers created by the Belonard Trojan hits 39% of all official servers registered on Steam. The CS community has been facing this issue for a long time; but, unfortunately, up until now, anti-viruses have only been able to identify parts of the threat, but not the Belonard Trojan in its entirety. Now all modules of the Belonard Trojan are successfully detected by Dr.Web’s products and do not pose a threat to our customers. Learn more about the Belonard Trojan and its operation in our study.
February 19, 2019
During February, malware analysts revealed 39 new modifications of the
The main function of
Since Trojans display banners almost continuously, cybercriminals quickly cover their expenses for promoting their software via popular online services.
To stay on smartphones and tablets for as long as possible, the
Almost all malware of the
Android users installed many of these malicious applications after viewing ads on Instagram and YouTube, where the cybercriminals promised functional and powerful photo and video processing tools. At first glance, the Trojans match the description and do not arouse suspicion among potential victims. However, apart from one or several basic functions, they contain nothing of what was declared. Here is what users complain about in the reviews:
An active promotional campaign set up by the cybercriminals attracts a large number of mobile device users and increases the number of downloads. Some of these Trojans even get featured in Google Play sections promoting new products and applications gaining popularity, which also increases the number of users that download the malware.
Information about all Trojans that our experts have found as of the publication date of this material is in the summary spreadsheet. However, since cybercriminals constantly create new
|Application package name||Number of downloads|
|com.funshionstyle.ledcaller||1 000 000+|
|com.wind.pics.blur.editor||1 000 000+|
|com.photo.cut.out.studio||1 000 000+|
|com.mobwontools.pixel.blur.cam||1 000 000+|
|com.selfie.beauty.candy.camera.pro||1 000 000+|
|com.cam.air.crush||1 000 000+|
|com.fancy.photo.blur.editor||1 000 000+|
Users are advised to perform a full scan of mobile devices with Dr.Web for Android and remove the Trojans that are detected.
Users of smartphones and tablets should be wary of ads on the Internet and avoid downloading all advertised software, even if it is distributed via Google Play. Only install applications from trusted developers and pay attention to the reviews from other users.
#Android, #fraud, #Google_Play, #Trojan
January 22, 2019
In Autumn 2018 cryptocurrency mining enthusiasts began noticing messages suggesting they install a tool for monitoring cryptocurrency prices. The app developers promised a certified, trusted and free widget. At first glance, this program doesn’t raise any suspicions. It has a valid digital signature and works exactly as promised. But behind this seemingly flawless functionality, there’s a hidden catch: it will steal your private data.
Upon installation, the program compiles and runs malicious code downloaded from the developer’s personal Github account. Once completed, it uploads Trojan.PWS.Stealer.24943, also known among malware developers as AZORult, to a victim’s device. This Trojan allows cybercriminals to steal a vast amount of private data, including passwords from cryptocurrency wallets.
In most cases encountered by Doctor Web researchers, this malware was distributed in English on forums dedicated to cryptocurrency mining. It was seen less often on Polish and Russian forums dedicated to the same subject.
At present, the Trojan is still available on several file exchanges, as well as on the Github account mentioned earlier. Dr.Web products successfully detect and remove this type of malware. That said, our cybersecurity researchers strongly advise you to timely renew your anti-virus subscription and install all the latest updates.
#cryptocurrency #mining #Trojan
December 6, 2018
Cybercriminals were distributing
When the user permits the Trojan to access accessibility features, it closes the window, starts the malicious service, and uses it to continue operating in the background.
Moreover, the malware uses the special features for self-defense, tracking a number of antiviruses and utilities. When they launch, it tries to close their windows by pressing the “back" button 4 times.
When the Banco Itaú is launched, the Trojan uses the accessibility feature to read the contents of its window and transfer information on the balance of the user's bank account to the attackers. It then navigates to account management in the application, where it copies and sends the iToken key, a security code used to verify electronic transactions, to the virus writers.
Upon startup of Bradesco, the Trojan reads the victim’s account information and tries to automatically login to it by entering the PIN code received from the command and control server.
Upon receiving a command to launch an SMS application, the Trojan opens it, reads and saves the text of the available messages and sends them to the server. It also recognizes the messages from CaixaBank S.A. and transmits them in a separate request.
Cybercriminals also use
See an example of such phishing pages below:
Confidential information, entered by the victim, is transmitted to the attackers, and then the Trojan closes the fraudulent window and re-launches the compromised application in order not to raise suspicion from the user for collapsing and closing the app.
Doctor Web recommends you install Android software with extra care, even if you obtain them from Google Play. Attackers can fake well-known software, as well as create seemingly harmless applications. To reduce the risk of installing a Trojan, you should pay attention to the name of the developer, the date when the app appeared on Google Play, the number of downloads, and reviews from other users. In addition, please use an antivirus.
All known modifications to the
#Android, #Google_Play, #banking_Trojan, #phishing
November 23, 2018
The Trojan targets users of DynDNS software, which allows a subdomain to be bound to a computer that has no static IP address. The virus writer created a dnsip.ru webpage from which this program can allegedly be downloaded for free. The virus writer also owns the dns-free.com domain, and it automatically redirects visitors to dnsip.ru.
The website does indeed make an archive available for download. The archive contains the executable file setup.exe, which in reality is not a DynDNS installer, but a downloader. It stores the name of the file downloaded from the Internet; in our sample this was Setup100.arj.
Despite the telltale extension, Setup100.arj is not an ARJ archive, but an executable MZPE file that has had three of its values modified so that it is not recognized as MZPE by automated analysis tools and other applications.
First, it uses PowerShell to disable Windows Defender, and, for greater reliability, it makes changes to the registry keys running this program.
Then the dropper saves the files instsrv.exe, srvany.exe, dnshost.exe, and yandexservice.exe to the System32 folder. Instsrv.exe, srvany.exe, and dnshost.exe are Microsoft utilities for creating user-defined services in Windows, while yandexservice.exe is the
The malware analysts also investigated another component of the Trojan: the executable file dubbed dnsservice.exe, which is also installed on the infected computer as a Windows service named DNS Service. The specific debug lines that the virus writer forgot to delete in his malware programs are a giveaway:
C:\Boris\Программы\BDown\Project1.vbp C:\Boris\Программы\BarmashSetService\Project1.vbp C:\Boris\Программы\Barmash.en.new\Project1.vbp C:\Boris\Программы\Barmash_en_Restarter3\Project1.vbp
This component is distributed as the file dnsservice.arj, which is disguised as an archive from barmash.ru.
All known modifications of
According to data gathered by Doctor Web, as of now, about 1,400 users have been affected by this Trojan, with the first infections occurring in 2013. The complete list of indicators of compromise can be found here.
November 20, 2018
The Trojan, added to the Dr.Web virus databases as
Once successfully installed, the malicious script downloads a version of the
Once installed in the system,
After that, the malware tries to find running anti-virus software services with the names safedog, aegis, yunsuo, clamd, avast, avgd, cmdavd, cmdmgd, drweb-configd, drweb-spider-kmod, esets, and xmirrord. If it detects them, the Trojan does not simply end the antivirus’s process, but also uses package managers to remove its files as well as the directory in which the product was installed.
After completing all these steps,
The full list of indicators of compromise can be found here: https://github.com/DoctorWebLtd/malware-iocs/tree/master/Linux.BtcMine.174.
#Linux #cryptocurrency #mining #Trojan
November 16, 2018
The Trojan, dubbed
Once launched by a user, the Trojan requests permission to manage and make phone calls and send and receive SMS. Android devices below version 6.0 automatically grant these permissions during the Trojan’s installation. See the below example of a request:
The phone number entered by the victim is transferred to the cloud database. The user is then shown a second dialog telling them to wait for “registration” confirmation. The dialog has a “Submit” button. When pressed, it launches a game built into the
If the Trojan was successful when it uploaded the information about the mobile device to the cloud, it hides its icon from the home screen and then automatically runs in the background whenever the infected smartphone or tablet is on.
All known modifications of
October 22, 2018
Information about the detected malicious applications is in the table below:
|App name||Software package name||Version|
|Extreme SUV 4x4 Driving Simulator||com.quoac.extreme.suv.driving||0.3|
|Moto Extreme Racer 3D||com.quoac.moto.extreme.racing||0.3|
|SUV City Traffic Racer||com.suv.traffic.racer||0.3|
|Sports Car Racing||com.quoac.sports.car.racing||0.3|
|Crime Traffic Racer||com.quoac.crime.traffic.game||0.3|
|Police Car Traffic||com.quoac.police.car.traffic||0.3|
|Tank Traffic Racer||com.quoac.tank.traffic.racer||0.3|
|Extreme Car Driving Simulator||com.quoac.extreme.car.driving.simulator||0.3|
|Russian Cars Retro||com.quoac.russian.car.retro||0.3|
|Motocross Beach Jumping - Bike Stund Racing||com.quoac.motocross.beach.jumping||0.4|
|Luxury Supercar Simulator||com.quoac.luxury.supercar.simulator||0.3|
|Crime Crazy Security||com.quoac.crime.crazy.security||0.4|
|Furious Extreme Drift||com.quoac.furious.extreme.drift||0.3|
|Drift Car Driving Simulator||com.quoac.car.driving.simulator||0.5|
When granted the necessary privileges, the Trojan connects to the remote server and downloads an APK file in the background. It then offers the device user to install it. If the user refuses, the malware tries to perform the installation again, showing the same dialog every 20 seconds until the user agrees to install the application. The file the Trojan downloads and installs is the malware.
All known modifications of the Downloader Trojan
Your Android needs protection!
- First Russian anti-virus for Android
- Over 135 million downloads—just from Google Play!
- Available free of charge for users who purchase Dr.Web home products
October 18, 2018
The Trojan, dubbed
When the malware was hidden from the user, it downloaded an APK file from a remote server in the background and saved it to the memory card. It then kept prompting the user to install the downloaded application until the user agreed. See the sample dialog below shown by
Doctor Web experts notified Google about the dangerous software found on Google Play and it has been promptly removed from the list.
Dr.Web for Android successfully detects and removes all the indicated Trojans from mobile devices, so they do not pose any threat to our users.
Your Android needs protection!
- First Russian anti-virus for Android
- Over 135 million downloads—just from Google Play!
- Available free of charge for users who purchase Dr.Web home products
October 18, 2018
The online scammer, nicknamed Investimer, Hyipblock, or Mmpower, uses a wide range of commercial Trojans that are currently prevalent in the underground market, including the stealers Eredel, AZORult, Kpot, Kratos, N0F1L3, ACRUX, Predator The Thief, Arkei, and Pony. The attacker's arsenal also boasts the TeamViewer-based Spy-Agent backdoor, the DarkVNC and HVNC backdoors that access the affected computer via the VNC protocol, as well as a backdoor based on RMS. The cybercriminal widely applies the Smoke Loader and has previously used a Loader by Danij, as well as a miner Trojan with a clipper plug-in that changes the clipboard contents. Investimer hosts their controlling servers on websites such as jino.ru, marosnet.ru, and hostlife.net. Most of them are Cloudflare protected and hide their actual IP address.
Investimer is mainly focused on cryptocurrency fraud, primarily with Dogecoin. For this, they have created many phishing websites that replicate actual online resources. Among them is a fake cryptocurrency exchange that allegedly requires special client software, which in fact is the Spy-Agent Trojan that downloads to the victim’s computer.
Another “startup” of the scammer is the non-existent pool of Dogecoin miners for rent at competitive prices. To work with the pool, the potential victim downloads an alleged client application in a password-protected archive. The password prevents antivirus software from scanning the archive and removing it at the downloading stage. Clearly, the archive contains a stealer Trojan.
Another fraudulent project by Investimer involves the Etherium cryptocurrency. The scammer offers potential victims rewards for browsing websites if they install a malicious program under the guise of a special app. The Trojan starts downloading automatically upon visiting the website. The scammer even put an effort into writing a few fake reviews about the service.
Another way Investimer practices online fraud is through online lotteries where the prize is in Dogecoins. Of course, the lotteries are arranged in such a way that it is impossible for third-party participants to win; only the organizer can make money. Nevertheless, as we write, more than 5,800 users have already registered to Investimer’s lottery.
Apart from online lotteries, Investimer offers rewards in Dogecoins for viewing web pages with ads. This project has over 11,000 registered users.
Naturally, when a victim tries to download a browser plug-in to make money while surfing the Internet from a “partner” website, they install a backdoor on their computer. This in turn, usually installs a Trojan stealer on the infected device.
Investimer is also not above traditional phishing. They have created a website that offers a reward for bringing new users to the Etherium payment system, but actually collects the information users enter during registration and transfers it to the attacker.
Apart from the above, Investimer tried to copy the official cryptobrowser.site. The original project creators have developed a new web browser that runs a cryptocurrency miner in the background while the user browses web pages. The fake website created by Investimer is not of a particularly high quality: some images are not displayed, the license agreement contains the email address of the real developers, and the Trojan posing as the browser is downloaded from another domain. The picture below shows Investimer’s fake website (left) and the original website (right).
Investimer reportedly has been involved in other online scams as well, including online games based on the financial pyramid principle. The attacker uses the information collected by Trojan stealers primarily to steal cryptocurrency and money from the victim’s wallets in various e-payment systems. It is worth noting that Investimer’s control panel for access to hacked computers contains obscene comments about each victim, which we cannot quote for censorship reasons.
The general scheme the cybercriminal uses to deceive Internet users is as follows: the potential victim is, by various means, lured to a fraudulent website that requires the user to download a certain client program to use it. However, instead of a client, the victim downloads a Trojan that installs other malware to the computer when the attacker signals it. Such programs (mainly stealer Trojans) steal confidential data from an infected device, and the scammer later uses it to steal cryptocurrency and money from the victim’s accounts through payment systems.
Doctor Web analysts believe the total number of users affected by Investimer’s illegal activities exceeds 10,000. Our experts estimate the damage to the victims is at over $23,000, in addition to more than 182,000 Dogecoins, which equals about $900 at the current rate.
Addresses of all websites created by Investimer are in the Dr.Web SpIDer Gate databases and all malware the scammer uses has been successfully detected and removed by our Antivirus.
The full list of indicators of compromise is located at https://github.com/DoctorWebLtd/malware-iocs/tree/master/investimer.
#criminal #cryptocurrencies #mining #fraud
October 8, 2018
The emails contain the logo and corporate identity of the company Alibaba Group, which owns AliExpress. Email recipients are addressed by name, the senders likely believing that this is bound to make the emails look more legitimate. Doctor Web analysts believe that the fraudsters could have gotten the actual AliExpress customer information from a purchased or stolen database of one of the many cashback services. The emails claim that the user had previously made purchases and left reviews on AliExpress, which is why they are being granted access to a special online store offering numerous discounts and gifts.
The link in the email leads to a website designed to look like an online store, but when trying to purchase any of the goods, the user is redirected to other ecommerce sites, many of which have previously been reported for fraud (e.g., for sending goods that do not match the description, reselling products at inflated prices, or selling low-quality counterfeit copies of popular goods) and are listed in the Dr.Web Parental Control and Office Control databases.
A quick investigation by Doctor Web also showed that the street address indicated on the website of a Moscow online store corresponds to a school building, and the tax number specified belongs to a non-existent company. Moreover, the website provides no information on the terms of delivery, and the contact email address is registered with the free email service provider mail.ru.
Doctor Web experts advise users to take these simple steps before purchasing goods from unfamiliar websites:
- Cross-check the address indicated on the About Us page with an online map, Panoramic Street Images by Yandex, or Google Street View. It is quite possible that instead of an office center or a shopping mall, you will see a school, a parking lot, or a garbage dump.
- Check the tax number on the website to see if the company exists and whether its name matches the owner of the online store. For Russian companies, you can do this online for free, using the page of the Federal Tax Service.
- Make sure that the website describes in detail the payment methods and delivery terms, as well as delivery options and rates.
- Carefully review the contacts on the website. A legitimate company is unlikely to use free email accounts.
#fraud #fraudulent_email #nonrecommended_websites
September 25, 2018
The Trojan, added to the Dr.Web virus databases under the name
The malicious program attempts to determine whether it is running in a virtual environment. When a virtual machine is detected, the program terminates. The banker also monitors the Windows local language settings. If the system language is not Portuguese, the Trojan does not perform any actions.
The loader module
When users open the Internet banking sites of various Brazilian financial institutions in the browser window,
This scheme of replacing the content of original, user-viewed web pages with the "bank-client" systems is used by many banking Trojans. Often they threaten credit institutions’ clients not only in Brazil, but around the world. Over the past month, Doctor Web specialists have identified over 340 unique
#banker #banking_Trojan #online-banking #Trojan
August 29, 2018
Cybercriminals use one of the malicious programs called
This Trojan opens one of the phishing websites where a user is invited to download a well-known program or to receive a reward. A potential victim is asked to provide their mobile number, which is supposedly required to receive a confirmation code. In reality, however, this code is required to confirm a subscription to a paid service. If an infected device uses a mobile network to connect to the Internet, an Android device owner is subscribed to a premium service automatically after the phone number has been entered on the fraudulent website. Below you can see examples of the fraudulent webpages downloaded by
Additionally, among the malicious applications detected in August and distributed via Google Play, we should mention many other modifications of the
Once launched, these Trojans connect to the command and control (C&C) server and receive a command to download a website displayed to a user. Currently these specified malicious programs open official webpages of bookmakers, but the name of the Trojan application does not affect the downloaded website. In addition, at any moment, the C&C server can send a command to Trojans to download an arbitrary web resource, including fraudulent or malicious online portals from which other malicious programs can be downloaded to an Android device. This is why these Trojans pose a serious threat.
Another scammer Trojan detected in August was hidden in the “Opros” (meaning “survey”) application. It was added to the virus database as
After answering some of these questions, the user was promised to receive a reward of dozens or even hundreds of thousands of rubles. At that, the user was warned that the money would be transferred partially within a certain period of time due to a payment system limit. However, there was a “possibility” to get the full amount of money. For that, the victim needed to make an identification payment of 100–200 rubles that supposedly confirmed the winner’s identity. This is the fraudulent scheme: victims willingly give their money to cybercriminals to receive the reward, but ultimately they do not get anything. Doctor Web security analysts have notified Google about this malicious application, and now it cannot be downloaded.
To take money from mobile device owners or to get other advantages, cybercriminals use various tricks and invent new scam schemes. Doctor Web reminds users to be careful when installing applications even from Google Play. It is necessary to pay attention on the developer’s name, publication date, and reviews from other users. These simple measures can decrease the risk that the mobile device will become infected. In addition, to protect Android devices, users are also recommended to install Dr.Web anti-virus products for Android which successfully detect and remove all known and undesirable applications.
#Android, #мошенничество, #Google_Play, #троянец
August 7, 2018
Trojans capable of replacing digital wallet numbers in the clipboard in order to send money to cybercriminals instead of recipients are commonly referred to as “clippers”. Until recently, such malicious programs bothered Windows users only. Trojans for Android with similar functions are rarely seen in the wild. In August 2018, records of two modifications of a clipper Trojan
Once the Trojan is launched on an infected device, it displays a fake error message and continues to operate in hidden mode. The Trojan hides its icon from the list of applications on the Android home screen. From now on, the malware can be found in the apps management section of the system preferences only. Both modifications of
After a successful infection, the Trojan starts to track changes in the clipboard content. Once the user copies the digital wallet number to the clipboard,
The author of
The virus writer claims in his advertisements that the malware’s functions include sending a report on the program operation to the Telegram app and a quick change of wallet numbers embedded into the clipboard using the FTP protocol. However, these features are not implemented in the Trojan itself. All the specified functions are provided for cybercriminals by the command and control center.
Dr.Web for Android has successfully detected and deleted all the known modifications of the
#Android #bitcoin #cryptocurrencies
August 2, 2018
The malicious software and utilities designed to mine cryptocurrency that we will focus on in this article were downloaded on one of our “honeypots” (special servers that are used by Doctor Web specialists as decoys for cybercriminals). First such attacks on Linux servers were detected by security researcher at the beginning of May 2018. Cybercriminals connected to the server via the SSH protocol, picked out the login and password by searching for them in a dictionary (bruteforce). After successful authorization on the server, cybercriminals disabled the iptables utility that manages firewall operation. Then, cybercriminals downloaded a mining utility and its configuration file to the attacked server. To launch the utility, they edited the /etc/rc.local file contents. After that, they terminated the connection.
In June, cybercriminals changed this scheme and started using malicious software that has been added to the Dr.Web virus databases under the name
Security researchers examined the cybercriminals’ server from which this Trojan was downloaded and detected several Windows miners there.
The Windows miner version is a self-unpacking RAR archive that contains a configuration file, several VBS scripts to launch the miner, and a utility to mine cryptocurrency. Once the archive is launched, the utility is unpacked to the %SYSTEMROOT%\addins folder and registers as the SystemEsinesBreker service.
32-bit and 64-bit miner versions for Windows are detected by Dr.Web Anti-virus as Tool.BtcMine. Our users are under reliable protection from malicious activities of these programs.
July 9, 2018
One of our users informed our technical support that Dr.Web Anti-virus constantly detected and deleted an application for mining cryptocurrency. An examination of the Anti-virus logs showed that the miner hid in the temporary folder on the infected computer. In addition, the application attempted to connect with an IP address corresponding to the website of the Astrum Soft company, the manufacturer of “Kompiuternyi Zal”. This software is designed to automate computer clubs and cybercafes.
Officially, a function for mining cryptocurrency exists in the application. Users can enable it when computers are idle.
Nevertheless, further research showed that a miner which bothered the user and not the “Kompiuternyi Zal” application had been hidden. The miner was added to the Dr.Web virus databases as
The “Kompiuternyi Zal” application periodically sends a request to the manufacturer server. This request contains an application version number and information about the system. The server can reply with a command to download and launch an executable file that is supposed to have an update feature for the program. However, the examined sample contains the file with malicious functionality. This malicious software closes the svchostm.exe and svcnost.exe processes, saves the mining Trojan to the computer, and modifies the Windows system registry key so the malicious software can launch automatically. Data on the wallet, where the mined cryptocurrency is transferred, is hardcoded in the Trojan’s body. After a user uninstalls the malicious software, the update mechanism can download and launch it again.
By July 9, security researchers have counted over 2700 computers infected by
May 30, 2018
“Faker” uses several methods to acquire his illegal income. The main scheme he developed is called MaaS (Malware As a Service). It implements a system for leasing out malicious programs on a subscription basis. Clients of “Faker” who want to profit from spreading Trojans are not required to provide anything except money and, in some cases, a domain: the virus writer provides them with the Trojan, access to the administrative panel, and technical support. Doctor Web’s analysts estimate that this turn-key solution has brought millions to its developer, and how much the clients have earned using this scheme is anybody’s guess considering that the money spent on a month’s subscription could be recouped in a day. All the malicious programs created by “Faker” pose a threat to users of the popular Steam gaming service.
Steam, a platform developed by Valve Corporation, is designed to digitally distribute computer games and programs. A registered Steam user gains access to a dashboard with information on all the games and applications they’ve purchased. In addition, they can make purchases in the Steam shop, buying various digital content and also selling and exchanging collectibles. These collectibles have a key value in various multiplayer games. Weapons, ammunition, and different items allow the gamer’s visual appearance and the visual representation of his belongings in a game to be changed. Collectibles can be exchanged on special websites and also bought and sold for real money. This was the base on that “Faker” built his criminal business.
One of his methods for making money involved so-called “roulettes”. That’s what network players call the peculiar auctions in which several participants simultaneously list various collectibles. The possibility of winning depends on the amount bid by the participant, and the winner gets all the listed items. What’s fraudulent is that the real player is opposed by special bots that are guaranteed to win the bid. Sometimes a potential victim is offered the opportunity to administer one of these games and is even allowed to win several times before listing some expensive collectible that is sure to be lost to cybercriminals.
The “roulettes” administrative panel allows for the flexible configuration of the auction website’s visual appearance and its displayed contents; it permits names and text in the chat located on the website to be changed, bids to be controlled, and the list of collectibles received from other players to be viewed. It can also be used to fully control the “roulette”.
In addition, “Faker” lends his malicious programs to other cybercriminals. One of them was dubbed Trojan.PWS.Steam.13604; it was designed to steal Steam user account data. Under the terms of a monthly subscription, the creator of the Trojan provides cybercriminals with a malicious file assembled specially for them; he also gives them dashboard access.
The Trojan is spread using several methods. One of them uses social engineering techniques: a Steam user receives a message that several community members need a new player for a team. After one collective match, for the purpose of making further collaborations convenient, the potential victim is prompted to download and install a client for voice calls. Cybercriminals send the victim a link to a fake website for this application. When the victim clicks on the link, a Trojan disguised as a program is downloaded.
If a potential victim already uses TeamSpeak, they receive the server address used by a team of players for communication. After connecting to this server, the victim sees a window suggesting that they update one of TeamSpeak’s components and an audio subsystem driver. Disguised as this update, the malicious program is downloaded to the computer.
When launched, the Trojan unloads the Steam process (if this process is not its own) and then determines the path to the Steam directory, the application language, and the user name. If one of the Steam system files is available, Trojan.PWS.Steam.13604 extracts from it pairs consisting of steamid64 identifiers and account names. Then the Trojan sends the information collected on the infected computer to the command and control server. This includes the operation system version, the user name and the machine name, the OS language, the path to Steam, the language version of this application, etc.
When the indicated actions are performed, the malicious program removes the original Steam file and copies itself to its location. To prevent the user from updating Steam and getting technical support, the Trojan changes the contents of the hosts file by blocking access to the websites steampowered.com, support.steampowered.com, store.steampowered.com, help.steampowered.com, forums.steampowered.com, virustotal.com, etc. Then Trojan.PWS.Steam.13604 displays a fake Steam authorization window. If the victim enters their login credentials, the Trojan tries to use them to authorize on Steam. If this attempt is successful and Steam Guard—a two-factor authentication system for protecting user accounts—is enabled on the computer, the Trojan displays a fake window for inputting the authorization code. All this information is sent to the cybercriminals’ server.
For all of his clients, the virus writer uses the same command and control server. The obtained data forms a file that cybercriminals use to access the victim’s Steam account. The administrative panel interface of Trojan.PWS.Steam.13604 is shown on the following images:
In addition to Trojan.PWS.Steam.13604, “Faker” leases out one more Trojan he has created. It was dubbed Trojan.PWS.Steam.15278. This malicious program is distributed in a similar way and is designed to steal gaming inventory from Steam users. Cybercriminals can sell the virtual items they’ve stolen to other gamers. The virus writer also advertises the leasing service for this malicious program on special forums.
To operate, Trojan.PWS.Steam.15278 uses Fiddler, a free tool for analysing traffic when it’s transferred via the HTTP protocol. it operates on the principle of a proxy server. Fiddler installs a root certificate in the system, which allows Trojan.PWS.Steam.15278 to intercept encrypted HTTPS traffic. The Trojan intercepts server responses and changes their data.
If someone who is using the infected machine exchanges items with other gamers on specially designed markets, such as opskins.com, igxe.cn, bitskins.com, g2a.com, csgo.tm, market.csgo.com, market.dota2.net and tf2.tm, the Trojan changes the recipient of the collectible the moment the exchange deal is made. This happens in the following way. When the Trojan’s victim lists gaming items for sale or exchange, the malicious program connects to their account and at regular time intervals checks the incoming offers. If the user of the infected computer who listed any item for exchange receives a request for a deal, the Trojan cancels this offer, determines the user name, their user icon and the text message from the original request, and sends the victim absolutely the same request but on behalf of the cybercriminals’ account. Physically, this swap is implemented using web injections: Trojan.PWS.Steam.15278 injects the malicious code it receives from the command and control server into webpages. It is notable that “Faker” is the author of other Trojans that operate in a similar fashion and are implemented as an extension for Google Chrome.
When exchanging items via the official website steamcommunity.com, Trojan.PWS.Steam.15278 allows cybercriminals to replace the display of the user’s collectibles. The Trojan modifies the contents of the steamcommunity.com service’s webpages in such way that a potential victim sees an offer for a very expensive and rare collectible. If the user approves the deal, they will get some trivial and cheap inventory item instead of the item they expect. It is almost impossible to dispute the unfair exchange afterwards because from the server’s point of view, the user made this exchange willingly and of their own accord. For example, on the steamcommunity.com service’s page, the user of the infected computer will see that another user is supposedly offering to exchange a collectible called “PLAYERUNKNOWN's Bandana” which is worth $265.31. In reality, after the deal is sealed, the user will get “Combat Pants (White)”, and the price of this item will be just $0.03.
In general, the dashboard of Trojan.PWS.Steam.15278 is similar to the administrative panel of Trojan.PWS.Steam.13604; however, the updated version has an additional section that allows cybercriminals to control the substitution of collectibles when exchange deals are made. They can configure images and descriptions of collectibles that are to be substituted for real ones and displayed to the victim. Afterwards, the cybercriminals can sell the illegally obtained collectibles for real money on network trading platforms.
Dr.Web Anti-virus successfully detects and removes all known modifications of Trojan.PWS.Steam.13604 and Trojan.PWS.Steam.15278; therefore, these malicious programs pose no threat to our users. Doctor Web specialists notified Valve Corporation about the compromised user accounts and also about the accounts used for the fraudulent scheme described above.
#malicious_software #gamer #games #Trojan
May 14, 2018
Doctor Web specialists researched several new modifications of
All researched modifications of the spyware were written in Python and transformed into an executable file using py2exe. One of new versions of the malicious program, which was dubbed
Another modification of this spying Trojan was named
The third spyware modification was named
To distribute this stealer’s modification, cybercriminals who bought it from the virus writer came up with one more creative method. Cybercriminals got in touch with the administrators of themed Telegram channels and invited them to write a post on a new program allegedly developed by them and suggested testing it. According to the cybercriminals, this program allowed them to simultaneously connect to several Telegram accounts on one computer. When in reality a potential victim was invited to download the spying Trojan disguised as a useful application.
In the code of these spying Trojans, virus analysts found information that allowed them to identify the author of the malicious programs. The virus writer is disguised under the name of “Yenot Pogromist”. He not only develops Trojans, but also sells them on a popular website.
The creator of spyware also has a YouTube channel dedicated to developing malicious software and has his own GitHub page where he posts the source code of his malicious programs.
Doctor Web specialists analyzed the data of open sources and identified several of the Trojan developer’s e-mails and mobile number connected to the Telegram channel used for illegal actions. In addition, they were able to find a batch of domains used by the virus writer to spread malicious programs and to identify his city of residence. The scheme below shows a portion of the identified connection of “Yenot Pogromist” with the technical sources he uses.
The login credentials of cloud storages, where archives with stolen files go, are wired into the Trojans’ bodies. It allows them to easily identify all clients of “Yenot Pogromist” who bought malicious software from him. They are primarily citizens of Russia and Ukraine. Some of them used e-mail addresses that allow them to easily discover their pages on social networks and their true identities. For example, Doctor Web specialists detected that many clients of “Yenot Pogromist” also use other spyware sold on underground forums. It is also worth mentioning that some buyers turned out to be so clever that they launched the spyware on their own computers, perhaps they did it in attempts to assess its operation. As a result, their personal files were loaded onto the cloud storages. Any Trojan researcher can easily retrieve their access data from the Trojan’s body.
Doctor Web specialists would like to remind its clients that using and distributing malicious programs is a crime punishable under Criminal Code 273 of the Russian Federation with possible imprisonment up to four years. Buyers and users of the spying Trojans are subject to Criminal Code 272 of the Russian Federation “Illegal access to computer information”.
April 26, 2018
After the first launch of the application, which contains the built-in Trojan,
At the launch, the malicious program downloads one of the Trojan modules (added to Dr.Web virus database as
Doctor Web virus analysts have detected several applications in the Google Play catalog , which contained this Trojan as built-in. All of them were various games, which total amount of downloads has exceeded 6 500 000. Doctor Web specialists notified Google Corporation about the programs found, and at the time of the publication of this article some of the applications were successfully deleted from Google catalog. At the same time, some applications have been updated clear of this malicious module.
- Beauty Salon - Dress Up Game, version 5.0.8;
- Fashion Story - Dress Up Game, version 5.0.0;
- Princess Salon - Dress Up Sophie, version 5.0.1;
- Horror game - Scary movie quest, version 1.9;
- Escape from the terrible dead, version 1.9.15;
- Home Rat simulator, version 2.0.5;
- Street Fashion Girls - Dress Up Game, version 6.07;
- Unicorn Coloring Book, version 134.
In addition, Doctor Web specialists have further analyzed and identified the Trojan in several other applications that had already been removed from the catalog:
- Subwater Subnautica, version 1.7;
- Quiet, Death!, version 1.1;
- Simulator Survival, version 0.7;
- Five Nigts Survive at Freddy Pizzeria Simulator, version 12;
- Hello Evil Neighbor 3D, version 2.24;
- The Spire for Slay, version 1.0;
- Jumping Beasts of Gang, version 1.9;
- Deep Survival, vesion 1.12;
- Lost in the Forest, version 1.7;
- Happy Neighbor Wheels, version 1.41;
- Subwater Survival Simulator, version 1.15;
- Animal Beasts, version 1.20.
An example of software with the built-in
To reduce the possibility of mobile devices being infected by malicious programs, Doctor Web specialists recommend installing applications only from known and trusted developers. Antivirus products like Dr.Web for Android detect and successfully remove all known modifications of the Trojans described in this article, so they do not represent danger for our users.
#Android, #Google_Play, #ad_software, #Trojan
Your Android needs protection!
- First Russian anti-virus for Android
- Over 135 million downloads—just from Google Play!
- Available free of charge for users who purchase Dr.Web home products
April 16, 2018
The new encryption Trojan was dubbed
The size of the ransom that cybercriminals demand differs from 0.007305 to 0.04 Btc. Once the HOW TO BUY BITCOIN button is clicked, the Trojan displays a window with instructions on how to buy the Bitcoin cryptocurrency:
In spite of cybercriminals’ claims that victims can restore the encrypted files, it is impossible in most cases due to the code error.
The encoder does not pose any threat to Dr.Web users. The preventive protection of our anti-virus products successfully detects and removes the Trojan. At the same time, Doctor Web specialists encourage users to make timely backups of their most valuable data.
April 16, 2018
Doctor Web specialists have informed Google about the
The pages of malicious applications found on Google Play are displayed below:
When attempting to download the file, the user is asked to enter his phone number for some authorization or download confirmation. Upon entering the phone number, the user receives a confirmation code that must be entered on the website to complete the “download”. The victim is then subscribed to a paid service rather than getting the intended program.
If the infected device is connected to the Internet via a mobile connection, the website loaded by the Trojan makes several redirections.
If the Trojan does not get the task, it downloads several pictures from the Internet and displays them on the screen.
Subscription to unwanted services is one of the most popular and well known source of illegal income for cybercriminals. However, subscribing to such premium services via Wap-Click is especially dangerous because the user is not informed about new subscriptions in any way. Dishonest content providers often use this scheme to trick people into subscribing.
To save money, smartphone and tablet owners should be careful when browsing websites and not click any suspicious links or buttons. Users should also install software distributed only by known and reliable developers and use anti-virus.
Dr.Web for Android has successfully detected all known modifications of
April 5, 2018
Dr. Web has known of
The following figures show the administration panel sections of
This banking Trojan is distributed by fraudulent SMS messages that can be sent by cybercriminals and the malicious program itself. The messages are mostly sent on behalf of Avito.ru users. These SMS messages invite the victim to follow the link and supposedly become familiar with the reply to the posted ad. For example, the following text is popular: “Good day, are you interested in an exchange?”. In addition, sometimes mobile device owners receive fake notifications about loans, mobile transfers and credited funds to a bank account. Below you can see examples of phishing messages that have been sent in the administration panel of the Trojan’s server and sent upon the cybercriminals’ command:
When following the link from such message, the victim sees the cybercriminals’ website, from which a mobile device downloads a malicious APK file. To make it more convincing, cybercriminals use the real Avito label in
Upon the first launch,
After infecting a device,
However, at the moment this news article has been posted, the existing modifications of the Trojan have not performed full check of bank card information and have removed the block after an input of any data. As a result, the mobile device owners who have suffered from
Nevertheless, nothing prevents virus writers from another blocking of a smartphone or a tablet after penetrating the deception. Therefore, when the phishing window is closed, it is necessary to scan the device with the anti-virus as soon as possible and remove the Trojan: https://download.drweb.ru/android/
If a user uses the Mobile banking service,
To obtain additional income, some versions of
Virus writers can configure the parameters of blocking windows in the administration panel of the command and control server. For example, set texts of displayed messages, their display duration and a required ransom amount. Below are examples of the corresponding sections of the control panel:
Along with stealing money and blocking infected devices,
- Update itself;
- Send SMS messages to all contact list numbers;
- Send SMS messages to all numbers specified in commands;
- Load websites specified by cybercriminals;
- Send to the server all saved SMS messages from the device;
- Obtain information on contacts from the contact list;
- Create fake incoming SMS messages.
Dr.Web for Android has successfully detected all the known modifications of
#Android #banker #mobile #ransom #banking_Trojan
Your Android needs protection!
- First Russian anti-virus for Android
- Over 135 million downloads—just from Google Play!
- Available free of charge for users who purchase Dr.Web home products
March 23, 2018
Malicious program dubbed
An example of the link to a malicious file published in the comments section of the video.
Once launched on an infected computer, it collects the following information:
- cookies stored by the Vivaldi, Chrome, YandexBrowser, Opera, Kometa, Orbitum, Dragon, Amigo, and Torch browsers;
- saved logins/passwords from the same browsers;
It also copies files with “.txt”, “.pdf”, “.jpg”, “.png”, “.xls”, “.doc”, “.docx”, “.sqlite”, “.db”, “.sqlite3”, “.bak”, “.sql”, “.xml” extensions from Windows Desktop.
Doctor Web virus analytics found several modifications to the Trojan. Some of them were detected as