Real-time threat news
January 16, 2018
Once the programs with the embedded SDK are launched,
In fact, this graphic file conceals another Trojan module, which is an updated version of
Once decrypted and launched, a new version of the Trojan module (detected by Dr.Web as
Its main purpose is to covertly open websites and click on their items, such as links and banners. To do that,
Doctor Web specialists found 27 games on Google Play that used the Trojan SDK. More than 4,500,000 mobile device owners downloaded them. The applications with embedded
| Program name | Application package name | Version |
| --- | --- | --- |
| Era of Arcania | com.games37.eoa | 2.2.5 |
| Clash of Civilizations | com.tapenjoy.warx | 0.11.1 |
| Sword and Magic | com.UE.JYMF | 1.0.0 |
| خاتم التنين - Dragon Ring (For Egypt) | com.reedgame.ljeg | 1.0.0 |
| 樂舞 - 超人氣3D戀愛跳舞手遊 | com.baplay.love | 1.0.2 |
| Kıyamet Kombat Arena | com.esportshooting.fps.thekillbox.tr | 1.1.4 |
| Never Find Me - 8v8 real-time casual game | com.gemstone.neverfindme | 1.0.12 |
| King of Warship: National Hero | com.herogames.gplay.kowglo | 1.5.0 |
| King of Warship: Sail and Shoot | com.herogames.gplay.kowsea | 1.5.0 |
| Sword and Magic | com.linecorp.LGSAMTH | Depends on the device model |
| Gumballs & Dungeons: Roguelike RPG Dungeon crawler | com.qc.mgden.android | 0.41.171020.09-1.8.6 |
| Warship Rising - 10 vs 10 Real-Time Esport Battle | com.sixwaves.warshiprising | 1.0.8 |
| Thủy Chiến - 12 Vs 12 | com.vtcmobile.thuychien | 1.2.0 |
| 頂上三国 - 本格RPGバトル | com.yileweb.mgcsgja.android | 1.0.5 |
Virus analysts informed Google about the detection of the Trojan component in the indicated applications. However, at the moment this news article was posted, they were still available for download. Owners of Android smartphones and tablets are advised to delete games that were installed with
December 22, 2017
The Trojan dubbed
- Download files from a specific remote server;
- Upload files to a remote server;
- Launch a file on an infected device;
- Execute commands in the cmd.exe console;
- Redirect traffic between ports;
- Download and install its own modules.
|More about the Trojan|
December 7, 2017
Linux.ProxyM is a malicious program for Linux that launches a SOCKS proxy server on an infected device. Cybercriminals can route their traffic through it to perform destructive actions anonymously. Known builds of this Trojan exist for devices with the following architectures: x86, MIPS, MIPSEL, PowerPC, ARM, SuperH, Motorola 68000, and SPARC. It means
In September, Doctor Web security researchers learned cybercriminals used
If a user followed a link in an email, they would land on a fake DocuSign website with an authorization form. After entering a password, a victim would be redirected to the real DocuSign authorization page, and the contents of the phishing form were then sent to the cybercriminals.
In December, cybercriminals found another use for devices infected with
Doctor Web security analysts continue to monitor the
November 24, 2017
The new banking Trojan, dubbed
The Trojan’s creator built a restriction into the malicious program so that it runs only on Microsoft Windows 7 and later; it does not run on earlier Windows versions. Additional modules are downloaded from a command and control server by a dedicated loader library, and the data exchange protocol is encrypted. The
- Check for updates to the Trojan;
- Download from a remote server the browser plugins used for web injections;
- Download web-injection configurations from a remote server;
- Obtain individual tasks, including ones that require downloading additional plugins;
- Administer the computer remotely.
In order to perform web injections,
Moreover, additional modules can be downloaded and installed on an infected computer; such modules may include a keylogger plugin, a module for remotely accessing the infected machine (VNC), a SOCKS proxy server component, a plugin for stealing authorization data from mail clients, and some others.
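The web injections mentioned above are driven by a configuration that names the target page, an anchor in the bank's HTML and the HTML to splice in. The following added example (written for this page, not Doctor Web's code and not the Trojan's own format) parses a configuration in the widely documented Zeus-style "set_url / data_before / data_inject / data_after" layout and shows what a browser would render after the injection fires. The config, the bank URL and the login page are all constructed; analysts write parsers like this to pull the target list out of a captured config.

```python
import re
from dataclasses import dataclass

# Constructed sample config (illustrative, not a real banker's configuration):
# on the bank's login page, insert a fake "Card PIN" field after the password input.
SAMPLE_CONFIG = """\
set_url https://bank.example/login* GP
data_before
name="password"*>
data_end
data_inject
<input type="text" name="pin" placeholder="Card PIN">
data_end
data_after

data_end
"""

@dataclass
class Inject:
    url_mask: str          # wildcard mask of the page to modify
    flags: str             # G = inject on GET responses, P = on POST responses
    before: str = ""       # anchor text; the injection is placed right after it
    inject: str = ""       # HTML to insert
    after: str = ""        # optional text that must follow the anchor

def parse_webinjects(text):
    """Parse a Zeus-style webinject config into Inject objects."""
    injects, current, section, buf = [], None, None, []
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("set_url"):
            parts = stripped.split()
            current = Inject(url_mask=parts[1], flags=parts[2] if len(parts) > 2 else "GP")
            injects.append(current)
        elif stripped in ("data_before", "data_inject", "data_after"):
            section, buf = stripped[len("data_"):], []
        elif stripped == "data_end":
            if current is not None and section is not None:
                setattr(current, section, "\n".join(buf))
            section = None
        elif section is not None:
            buf.append(line)
    return injects

def mask_to_regex(mask):
    """'*' is the only wildcard in this format; everything else is literal."""
    return re.escape(mask).replace(r"\*", ".*?")

def apply_injects(url, method, html, injects):
    """Return the HTML a victim's browser would render after matching injects fire."""
    out = html
    for inj in injects:
        if method[0].upper() not in inj.flags:
            continue
        if not re.fullmatch(mask_to_regex(inj.url_mask), url):
            continue
        pattern = mask_to_regex(inj.before)
        if inj.after:
            pattern += "(?=" + mask_to_regex(inj.after) + ")"
        match = re.search(pattern, out, re.S)
        if match:
            out = out[:match.end()] + inj.inject + out[match.end():]
    return out

def targeted_urls(injects):
    """The target list an analyst extracts from a captured config."""
    return sorted({inj.url_mask for inj in injects})

# Constructed login page standing in for the bank's real response.
SAMPLE_PAGE = ('<form method="post"><input name="login">'
               '<input type="password" name="password"></form>')

if __name__ == "__main__":
    cfg = parse_webinjects(SAMPLE_CONFIG)
    print("targets:", targeted_urls(cfg))
    print(apply_injects("https://bank.example/login?x=1", "GET", SAMPLE_PAGE, cfg))
```

Because the injection happens inside the browser process after TLS is terminated, the padlock and the certificate are genuine; the only defence on the page itself is out-of-band (server-side DOM integrity checks or comparing the served HTML with what a clean client renders).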
The signatures of the banking Trojan
|More about the Trojan|
#banker #banking_Trojan #online-banking #Trojan
November 22, 2017
The emails sent by cybercriminals stated the following:
“Greetings. I decided to send you an email because I accidentally learned about your delicate financial situation. I experienced the same kind of problems. However, I managed to overcome them by using a not-so-obvious solution. This solution’s nonobviousness is not in its complexity (on the contrary, there is nothing complex about it). It is just hard to find. I will easily share it with you and won’t hold anything back. Use it. I hope everything works out for you just as well as it did for me. You will find my solution here.
All the best to you!”
A link in the email led to a website that was supposedly the property of “The interregional social fund of development”. The cybercriminals behind the website referred to a nonexistent Decree of the Government of the Russian Federation №192n. This “development fund for the nobody-knows-what” assured website visitors that all citizens of the Russian Federation and even foreign citizens temporarily staying in the Russian Federation are supposed to receive payments; however, these organizations are cunningly withholding them from people. In order to be able to verify how much people are owed, the cybercriminals ask trusting citizens to enter their personal insurance policy number (SNILS) or their passport number into the corresponding form.
No matter what kind of data the victim fills in (it can be an arbitrary sequence of numbers), they will receive a message telling them that they have been apportioned insurance payments for quite a large sum—several hundred rubles.
However, in order to withdraw these savings, the cybercriminals demand a payment for “access to databases”; the demanded sum is not that large in contrast to the insurance payment. If a trusting website visitor pays the cybercriminals, the visitor, of course, won’t get any money.
Representatives of the Pension fund of the Russian Federation have already stated in their press release that such schemes are fraudulent. The notice of the organization states that: “The Pension fund asks you to ignore such websites and to be careful with your personal data. You should only trust the pension payment information found in your online Pension Fund website account, on the Pension Fund’s smartphone app, and on the state services website”. We would like to remind you that the Pension Fund’s website is located at pfrf.ru.
Doctor Web specialists detected several operating mirrors of “The interregional social fund of development” and more than a dozen domains registered by the authors of this fraudulent scheme. Many of these domains contain the abbreviation “snils”. It is possible that the cybercriminals plan on using the indicated addresses to trick users in future. Furthermore, on the servers containing the webpages of “The interregional social fund of development”, our virus analysts detected many other fraudulent projects—everything from sales of dubious medicines to taromancy. In particular, among these projects, “Royal Point service” was detected. It supposedly guarantees its participants a profit from selling some “Points”. There was also a website that offers visitors the chance to earn 100,000 rubles per day selling domains whose delegation terms are expiring.
“On this webpage, you will not find any scams and other nonsense”—that is what the cybercriminals state. Although their webpage is nothing but the truest of scams, a fake website, and nonsense.
One more type of fraud that has become increasingly popular of late plays on the hype around cryptocurrencies and blockchain technology. Cybercriminals offer users the opportunity to “lease out their computer capacity” for cryptocurrency mining and, in doing so, earn several bitcoins in a couple of minutes. Of course, in all the above-listed cases, people can only withdraw the money they’ve “earned” after making an advance payment to the cybercriminals. After a victim makes this payment, they never receive the promised payout.
Doctor Web security researchers added all the addresses of the fraudulent Internet resources they detected to the Dr.Web Parental Control’s databases of non-recommended websites. However, once again we remind our users that they should not trust cybercriminals who promise payments on behalf of any social funds and organizations, and fantastic profits made without any effort.
#crime #fraud #non-recommended_websites #spam
November 20, 2017
The Trojan, dubbed
November 13, 2017
Doctor Web specialists detected
- Sweet Bakery Match 3 – Swap and Connect 3 Cakes 3.0;
- Bible Trivia, version 1.8;
- Bible Trivia – FREE, version 2.4;
- Fast Cleaner light, version 1.0;
- Make Money 1.9;
- Band Game: Piano, Guitar, Drum, version 1.47;
- Cartoon Racoon Match 3 - Robbery Gem Puzzle 2017, version 1.0.2;
- Easy Backup & Restore, version 4.9.15;
- Learn to Sing, version 1.2.
Our analysts informed Google about the presence of
Before starting its malicious activity,
The Trojan downloads from its C&C server a list of modules it needs to run. One of them was added to the Dr.Web virus database as
The second Trojan module, dubbed
Thus, the main purpose of
Dr.Web for Android successfully detects all the applications containing
October 26, 2017
The Trojan gathers information on the infected computer and also checks whether the processes of the two anti-virus programs have been launched: Dr.Web and McAfee (it is particularly interested in processes named dwengine.exe, dwwatcher.exe, dwarkdaemon.exe, dwservice.exe, McTray.exe, mfevtps.exe, and mcshield.exe). If BadRabbit detects such processes, it skips the first encryption stage in an apparent effort to avoid early detection. However, it attempts to run full disk encryption after a system’s restart. Due to the fact that current Dr.Web Anti-virus versions do not allow the boot record (MBR) to be modified, any attempt to encrypt disks will be unsuccessful. Thus, users of Dr.Web Anti-virus 9.1 and later and Dr.Web KATANA are completely protected from
The disk encoder then checks the arguments of its process, and if it is running without arguments, it operates as a decoder. Before starting its encrypting activities,
BadRabbit then generates a 32-character password for disk encryption, records information about the computer in a special structure, encrypts that structure with a public key, and stores the result in another structure, which is Base64-encoded and written to the MBR. The virus writers took the disk encryption algorithm and the bootloader from the open-source DiskCryptor project and made minor changes. The Trojan locates the first system disk, installs its loader there, and then encrypts the disk’s contents.
Part of BadRabbit’s code was adopted from
To launch these drivers, in the course of its operation, BadRabbit tries to register the system service “cscc” with the description “Windows Client Side Caching DDriver”. If the Trojan fails to register this service, it attempts to launch the DiskCryptor driver named “cdfs” by modifying the system registry.
After completing its preliminary operations, the Trojan creates a task called “drogon” to restart the computer. Before the session ends, BadRabbit clears the system logs and removes the task it created earlier. The encoder encrypts files with the following extensions: .3ds, .7z, .accdb, .ai, .asm, .asp, .aspx, .avhd, .back, .bak, .bmp, .brw, .c, .cab, .cc, .cer, .cfg, .conf, .cpp, .crt, .cs, .ctl, .cxx, .dbf, .der, .dib, .disk, .djvu, .doc, .docx, .dwg, .eml, .fdb, .gz, .h, .hdd, .hpp, .hxx, .iso, .java, .jfif, .jpe, .jpeg, .jpg, .js, .kdbx, .key, .mail, .mdb, .msg, .nrg, .odc, .odf, .odg, .odi, .odm, .odp, .ods, .odt, .ora, .ost, .ova, .ovf, .p12, .p7b, .p7c, .pdf, .pem, .pfx, .php, .pmf, .png, .ppt, .pptx, .ps1, .pst, .pvi, .py, .pyc, .pyw, .qcow, .qcow2, .rar, .rb, .rtf, .scm, .sln, .sql, .tar, .tib, .tif, .tiff, .vb, .vbox, .vbs, .vcb, .vdi, .vfd, .vhd, .vhdx, .vmc, .vmdk, .vmsd, .vmtm, .vmx, .vsdx, .vsv, .work, .xls, .xlsx, .xml, .xvd, .zip. As a result of the Trojan’s operation, the infected computer displays a demand for a ransom in Bitcoin, and the cybercriminals’ website on Tor states that the victim has 48 hours to pay. When the time expires, the ransom is increased.
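The indicators named above (the anti-virus process check, the “cscc” service and its description, the “drogon” task, and the extension list) can be turned into a triage routine for a suspect Windows host. The following added example does that; it is written for this page and is not Doctor Web's or the Trojan's code. The process, service and task snapshots are constructed; on a real host you would feed it the output of `tasklist`, `sc query` and `schtasks /query`. Case-insensitive extension matching is an assumption, not something the page states.

```python
# Process names BadRabbit looks for before deciding to skip its first encryption stage.
AV_PROCESSES = {"dwengine.exe", "dwwatcher.exe", "dwarkdaemon.exe",
                "dwservice.exe", "mctray.exe", "mfevtps.exe", "mcshield.exe"}

# Extension list from the analysis above.
TARGET_EXTENSIONS = set("""
.3ds .7z .accdb .ai .asm .asp .aspx .avhd .back .bak .bmp .brw .c .cab .cc .cer
.cfg .conf .cpp .crt .cs .ctl .cxx .dbf .der .dib .disk .djvu .doc .docx .dwg
.eml .fdb .gz .h .hdd .hpp .hxx .iso .java .jfif .jpe .jpeg .jpg .js .kdbx .key
.mail .mdb .msg .nrg .odc .odf .odg .odi .odm .odp .ods .odt .ora .ost .ova .ovf
.p12 .p7b .p7c .pdf .pem .pfx .php .pmf .png .ppt .pptx .ps1 .pst .pvi .py .pyc
.pyw .qcow .qcow2 .rar .rb .rtf .scm .sln .sql .tar .tib .tif .tiff .vb .vbox
.vbs .vcb .vdi .vfd .vhd .vhdx .vmc .vmdk .vmsd .vmtm .vmx .vsdx .vsv .work
.xls .xlsx .xml .xvd .zip
""".split())

def av_guard_triggered(running_processes):
    """True if BadRabbit would skip the file-encryption stage on this host.

    Note this only delays it: the MBR/disk encryption is still attempted after reboot.
    """
    return any(p.lower() in AV_PROCESSES for p in running_processes)

def would_be_encrypted(path):
    """Extension match; treated as case-insensitive here (assumption)."""
    dot = path.rfind(".")
    return dot != -1 and path[dot:].lower() in TARGET_EXTENSIONS

def badrabbit_indicators(services, tasks):
    """services: {service name: description}; tasks: scheduled task names.

    The 'cdfs' fallback is deliberately not matched on name alone: cdfs is also a
    legitimate Windows driver, so only its ImagePath would be telling.
    """
    hits = []
    if "cscc" in {name.lower() for name in services}:
        hits.append("service 'cscc' present")
    if any("client side caching ddriver" in desc.lower() for desc in services.values()):
        hits.append("service described as 'Windows Client Side Caching DDriver'")
    if "drogon" in {t.lower() for t in tasks}:
        hits.append("scheduled task 'drogon' present")
    return hits

# Constructed snapshots of an infected host.
SAMPLE_PROCESSES = ["explorer.exe", "svchost.exe", "dwengine.exe"]
SAMPLE_SERVICES = {"cscc": "Windows Client Side Caching DDriver", "Dnscache": "DNS Client"}
SAMPLE_TASKS = ["drogon", "GoogleUpdateTaskMachineUA"]

if __name__ == "__main__":
    print("AV guard would trigger:", av_guard_triggered(SAMPLE_PROCESSES))
    for hit in badrabbit_indicators(SAMPLE_SERVICES, SAMPLE_TASKS):
        print("indicator:", hit)
    for f in (r"C:\Users\bob\report.DOCX", r"C:\vm\disk.vmdk", r"C:\tools\setup.exe"):
        print(f, "->", "targeted" if would_be_encrypted(f) else "ignored")
```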
Our investigation into
#virus #ransom #Trojan #Trojan.Encoder
October 26, 2017
The detected vulnerabilities and the attack vector they use have been named BlueBorne. Security researchers found the problem in the Bluetooth components of most modern operating systems, including Windows, iOS, and Linux, along with platforms based on the Linux kernel such as Tizen and Android.
BlueBorne includes the following vulnerabilities:
- CVE-2017-0781, CVE-2017-0782 – Android vulnerabilities in the Bluetooth stack that allow remote code execution;
- CVE-2017-0785 – an Android vulnerability that can lead to the leak and theft of confidential information;
- CVE-2017-0783 – an Android vulnerability that facilitates Man-in-the-Middle attacks;
- CVE-2017-1000251 – a vulnerability in the Linux kernel’s Bluetooth subsystem that facilitates the execution of arbitrary code;
- CVE-2017-1000250 – a vulnerability in the BlueZ Bluetooth stack (the user-space bluetoothd SDP server, not the kernel) that may lead to the theft of confidential information.
BlueBorne allows cybercriminals to execute malicious code remotely on Android devices with an enabled Bluetooth transmitter by sending specially crafted packets. The attack runs with the elevated privileges of the Bluetooth process and does not require that the devices be paired or that discoverable mode be enabled. For a vulnerability to be exploited successfully, it is enough that the victim’s Bluetooth adapter is on and the attacker is within radio range.
Because the processes that make Bluetooth work have elevated privileges in all operating systems, these vulnerabilities can be exploited to give criminals almost full control over an attacked object. BlueBorne vulnerabilities let cybercriminals control devices, spread malicious software among them, gain access to their data and the networks they are connected to, and perform Man-in-The-Middle attacks. These vulnerabilities pose a danger to all Android smartphones, tablets and other devices that have not had the security update dated September 9, 2017, applied to them and to devices that use Bluetooth in anything other than the Bluetooth Low Energy mode.
In addition to cybercriminals using BlueBorne to carry out attacks directly, malicious programs that exploit these vulnerabilities may appear. They will be able to independently spread across Bluetooth channels from one device to another, similar to network worms. The devices most at risk are those that have not obtained security updates from the firmware manufacturers and OS developers.
The Security Auditor that comes with Dr.Web Security Space detects numerous vulnerabilities that can be present on Android smartphones and tablets, among them the widely known Extra Field, MasterKey and Heartbleed, and a host of others. By the time the updated version of the Auditor was released, the aforementioned BlueBorne vulnerabilities and the SIM Toolkit vulnerability (CVE-2015-3843) had already been added to it.
The SIM Toolkit error in Android lets cybercriminals intercept and fake commands sent by a SIM card to a mobile device and back. That’s why cybercriminals can execute phishing attacks using fraudulent windows and steal confidential information such as login credentials.
To detect BlueBorne on mobile devices, Dr.Web Security Auditor checks whether the Google update is present on devices and warns users of the potential threat if it doesn’t find it. When this and other vulnerabilities are detected, it is recommended that users install all available updates.
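The check the Auditor performs, whether the Google update is present, can be reproduced over USB with adb: Android exposes its security patch level as the property ro.build.version.security_patch in YYYY-MM-DD form. The following added example (written for this page, not Doctor Web's code) reads that property and fails closed when it is missing. The threshold is an assumption: the BlueBorne fixes shipped in the September 2017 Android security bulletin, whose patch-level strings are dated within that month, so any level of 2017-09-01 or later is treated as patched. Vendor builds that cherry-pick fixes without bumping the level are outside what this check can see.

```python
import subprocess
from datetime import date

# Assumption: anything at or after the September 2017 bulletin carries the fix.
MIN_PATCH_LEVEL = date(2017, 9, 1)

def parse_patch_level(value):
    """Return the patch level as a date, or None if it is missing or malformed."""
    try:
        year, month, day = (int(part) for part in value.strip().split("-"))
        return date(year, month, day)
    except (ValueError, AttributeError):
        return None

def patched_against_blueborne(value, minimum=MIN_PATCH_LEVEL):
    """Unknown or unparseable levels count as unpatched (fail closed)."""
    level = parse_patch_level(value)
    return level is not None and level >= minimum

def device_patch_level(adb="adb"):
    """Read the property from a USB-attached device; requires adb and a connected device."""
    result = subprocess.run(
        [adb, "shell", "getprop", "ro.build.version.security_patch"],
        capture_output=True, text=True, check=True)
    return result.stdout.strip()

if __name__ == "__main__":
    level = device_patch_level()
    verdict = "patched" if patched_against_blueborne(level) else "VULNERABLE: update or disable Bluetooth"
    print(level or "<no patch level>", verdict)
```

Until the update is installed, switching Bluetooth off removes the exposure entirely, since every BlueBorne vector needs the adapter to be on.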
October 16, 2017
This malicious program has been added to the Dr.Web virus databases under the name
After the computer is rebooted, the Trojan tries to infect all drives with letters C through Z. On each drive it creates a hidden folder, saves a copy of its executable there (also with the “hidden” attribute), and then creates a shortcut named <volume name>.lnk in the drive’s root directory that points to the malicious executable. All files other than .lnk files, .vbs files and VolumeInformation.exe are moved into the hidden folder created earlier.
Then the Trojan attempts to determine the IP address and open port of its command and control server by sending requests to several Internet services, including pastebin.com, docs.google.com and notes.io. The received value looks as follows:
If the backdoor obtains the IP address and port, it sends a special request to the C&C server. If the Trojan receives a response, it downloads the Python scripts added to the Dr.Web virus databases as
- Steal information from such browsers as Chrome, Opera, Yandex, Amigo, Torch, and Spark;
- Perform the keylogger functions and make screenshots;
- Download additional modules written in Python and execute them;
- Download files and save them to the infected device’s storage;
- Obtain contents of the specified folder;
- “Travel” across folders;
- Request system information.
Among other things, the structure of
October 12, 2017
As we all know, technology keeps forging ahead. Judging by the content of spam ads, evil-eye-thwarting red threads have gone out of style lately. Network fraudsters have replaced them with miraculous amulet coins that supposedly bring wealth and good luck.
Every aspect of this magical product is wondrous inside and out: beginning with the story invented by mysterious copywriters about the young Russian tsar who was given a miracle-working, enchanted amulet by the deacon of an orthodox monastery (such an amulet was a bulletproof sign of the most real kind of sorcery— sorcery that back in those days was rewarded with a ceremonial impaling before scores of onlookers), truly ending with the amusing description of the amulet itself. We pass our mic to the network merchants: “According to ritual, the amulet is manufactured and tied to a specific person, to their Name. The ritual is based on the force of prayers and ancestors. A tsarist coin serves as the basis for the amulet’s creation and the ritual’s conduction. We use only authentic coins from Tsarist times!”. Judging by the Chinese characters on the head side of these “amulets”, these real tsarist coins from ancient times were bought small wholesale exclusively on AliExpress, from where they were delivered to the court. Fraudsters assure readers that the miraculous amulet “attracts positive cash flow” (and, most probably, defers negative cash flow straight into the pockets of network fraudsters). As a result, whoever owns this trinket will surely find a well-paid job, repay their debts, win the lottery, build a house, grow a new liver, and develop chakras on the back of their head. We have no doubt that purchasing the amulet coin will bring wealth. Exclusively to those who sell it for a price that is one and half dozen times higher than on Celestial Empire’s online shop.
As the character of a popular fiction series once said, winter is coming. And when it is cold, a beard keeps a guy warm. So second place in our current ratings of absurd online goods is taken by the most authentic “serum for beard growth”.
Sellers of this magical elixir claim that growing such a beautiful beard is really possible; as proof of their statement, they offer a lightly airbrushed stock photo of a man who looks half Santa, half mujahideen. “Olga Alekseeva, a top-class hairdresser”, completely agrees with that. Her enthusiastic review is posted on a website of network merchants—it looks like she has already grown a long and silky beard with the help of this magical “serum” and is now a circus star. Unfortunately, none of Doctor Web’s specialists have had a chance to try this magical “serum for beard growth”, but they will try it first chance they get on an employee who is specially prepared to take on this challenge.
Folk tales say that advertising is usually untruthful. We know at least one example of truthful advertising—the slogan “Everything will stick!”, used by the sellers of an instant adhesive. This superglue does bond absolutely everything together: fingers, hair, clothes—everything except what we’d planned on bonding initially. However, online merchants offer a unique and modern solution for this problem: wondrous instant superglue at the price of a welding machine!
The magical superglue, which is produced, as judged by its price, from an alloy of gold and platinum, has unique properties: it hardens in five seconds and works on various materials, such as plastic, wood, and glass. In other words, it can do exactly the same thing as ordinary 20-ruble glue, except it is 100 times more expensive. It is hard to say whether this unique offer is in demand, but it gave us a good laugh.
Among the other entertaining products advertised by spammers lately, a wonderful device with the mysterious name “multi slicer” is worth a mention. No, it is not a cross between a glass cutter and a multicooker. It is a multifunctional device that has a razor handle, a grater blade, and the price of an airplane.
“For an affordable price you will get a device to slice produce”,—the online merchants inform everybody who has never held a kitchen knife in their life. It is true that slicing produce is a hi-tech process that can only be managed by a specialist with a higher culinary education, and exclusively using this special, certified “device”. But the most important thing is that the “multi slicer” is so omnipurpose, it can even be washed (!) in a dishwasher. Just think of it! Can you imagine? True—today’s dishwasher manuals state that any kitchen utensil can be washed in the dishwasher. One of our employees once accidentally washed his iPhone, and nothing terrible ended up happening to the dishwasher. In contrast to the iPhone. So we are not planning on buying a “multi slicer” yet—we are going to wait until technology reaches the level where it can be washed with a sponge in an ordinary sink.
To conclude this article, we would like to remind our readers once again that questionable offers published on all kinds of trading platforms should be treated with skepticism and a healthy dose of humor. And we, in turn, will continue to add the website addresses of such network “miracle traders” to our database of non-recommended websites.
September 12, 2017
The Trojan at issue is
Doctor Web virus analysts have discovered that cybercriminals are using
Subject: Kendra asked if you like hipster girls
A new girl is waiting to meet you. And she is a hottie! Go here to see if you want to date this hottie (Copy and paste the link to your browser) http://whi*******today.com/ check out sexy dating profiles There are a LOT of hotties waiting to meet you if we are being honest!
According to Doctor Web’s statistics, a device infected with
The number of unique IP addresses of infected devices is shown in the following diagram. It is worth mentioning that the figure shows only the number of bots monitored by Doctor Web analysts. The actual number of infected devices may be higher.
The below illustration shows the geographical locations from which
We can presume that the range of functions implemented by Linux Trojans will be expanded in the future. The Internet of things has long been a focal point for cybercriminals. The wide distribution of malicious Linux programs capable of infecting devices possessing various hardware architectures serves as proof of that.
August 24, 2017
Virus analysts have been familiar with Trojans of the
In addition to the loader for ARM devices, similar modules for devices with the MIPS and MIPSEL architectures have been distributed “in the wild” for over six months already. The first of them is
Statistics collected by Doctor Web specialists show that Mexico ranks first among the countries to which the IP addresses of the devices infected by
The following diagram shows the number of attacks carried out for the purpose of distributing
Doctor Web reminds users that one of the most reliable ways to prevent attacks on Linux devices is to change the default login and password promptly. It is also recommended to restrict external connections to such devices over Telnet and SSH and to update firmware in a timely manner. Dr.Web for Linux detects and deletes all the aforementioned versions of
August 21, 2017
Mining Trojans appear regularly, and Doctor Web’s virus analysts have noted a curious trend: the creators of these programs are now targeting the Linux platform. Smart devices running Linux have become very popular of late, and their owners often do not change the default settings, most notably the administrator login and password. This is why hacking into such devices is not a major problem for cybercriminals.
An analysis of the miner loader revealed a peculiar feature: its source code mentions krebsonsecurity.com several times. This website is owned by the well-known security journalist Brian Krebs. Apparently, the author of the Trojan is a secret admirer of his.
The Trojan is designed to mine Monero (XMR), a cryptocurrency created in 2014. Currently
August 17, 2017
The Domain Name System (DNS) provides information about domains and underpins web addressing. Client software, browsers in particular, uses DNS to resolve the host name in a URL to the IP address of the web resource. Usually, domain owners administer the authoritative DNS servers for their domains themselves or delegate this to a hosting provider.
Many web resources use several third-level and even fourth-level domains in addition to the main second-level domain. For example, Doctor Web’s own domains use subdomains such as vms.drweb.ru, which hosts a website that lets users check a link or a file or look up a virus description; free.drweb.ru, the webpage of Dr.Web CureIt!; and updates.drweb.com, the Dr.Web update system page. Various technical and support services are usually implemented on such subdomains: website administration and management systems, online banking systems, mail server web interfaces and all kinds of internal websites for company staff. Subdomains are also used for version control systems, bug trackers, monitoring services, wikis and other needs.
When attacking websites in order to compromise them, cybercriminals first collect information about the web resources they are targeting. In particular, they try to determine the type and version of the web server hosting the website, the content management system and its version, the programming language of the engine, and other technical details, including the list of subdomains under the attacked website’s main domain. Using this list, cybercriminals can try to get into the web resource’s infrastructure through a “back door”: guessing or brute-forcing credentials and logging into one of the internal private services. Many system administrators do not pay due attention to the security of such resources, and these “internal” websites may run outdated software with known vulnerabilities, expose debugging information, or allow open registration. All of this significantly simplifies the cybercriminals’ work.
If the DNS servers serving a domain are configured correctly, outsiders cannot obtain the zone data they request. If, however, the DNS server settings are incorrect, a single AXFR (zone transfer) request lets cybercriminals obtain the full list of names registered in the domain zone, including every subdomain. An open zone transfer is not in itself a vulnerability that grants access to anything, but it is reconnaissance that can be the indirect cause of a web resource being compromised.
Doctor Web security analysts conducted research on the DNS server configurations of numerous Russian banks and governmental organizations. They found that 89 of the roughly 1,000 Russian bank domains they checked gave out the domain zone in response to external AXFR requests. This information was sent to the Bank of Russia’s Financial Sector Computer Emergency Response Team (FinCERT). In addition, incorrect settings were detected on the websites of several governmental organizations. Doctor Web reminds website administrators that correct DNS configuration is one factor contributing to web resource security.
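The check Doctor Web's analysts ran can be repeated for your own domains with dig. The following added example (written for this page, not Doctor Web's tooling) asks each authoritative server for a zone transfer and tells a completed transfer apart from a refused one: a successful AXFR lists resource records bracketed by two SOA records, while a refused one prints only comment lines such as "; Transfer failed.". The two dig outputs below are constructed for the made-up domain bank.example; the live check at the bottom needs dig and network access.

```python
import subprocess

def parse_axfr(dig_output):
    """Parse `dig ... AXFR` output into (transfer_succeeded, sorted record names)."""
    records = []
    for line in dig_output.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):      # dig comments, "; Transfer failed." etc.
            continue
        fields = line.split()                     # name  ttl  class  type  rdata...
        if len(fields) >= 4:
            records.append((fields[0].rstrip(".").lower(), fields[3].upper()))
    succeeded = any(rtype == "SOA" for _, rtype in records)
    names = sorted({name for name, _ in records})
    return succeeded, names

def subdomains(names, domain):
    """Names below the apex: the part of the zone an attacker is really after."""
    domain = domain.rstrip(".").lower()
    return [n for n in names if n != domain and n.endswith("." + domain)]

def authoritative_servers(domain):
    out = subprocess.run(["dig", "+short", "NS", domain],
                         capture_output=True, text=True, check=True)
    return [ns.rstrip(".") for ns in out.stdout.split()]

def check_zone_transfer(domain):
    """Try AXFR against every authoritative server of the domain."""
    results = {}
    for ns in authoritative_servers(domain):
        out = subprocess.run(["dig", "@" + ns, domain, "AXFR", "+noall", "+answer"],
                             capture_output=True, text=True)
        succeeded, names = parse_axfr(out.stdout)
        results[ns] = (succeeded, subdomains(names, domain))
    return results

# Constructed dig outputs: one server that leaks the zone, one that refuses.
LEAKY_ZONE = """\
; <<>> DiG 9.11.3 <<>> @ns1.bank.example bank.example AXFR
bank.example.\t\t3600\tIN\tSOA\tns1.bank.example. hostmaster.bank.example. 2017081701 3600 900 604800 86400
bank.example.\t\t3600\tIN\tNS\tns1.bank.example.
ib.bank.example.\t300\tIN\tA\t192.0.2.10
admin.bank.example.\t300\tIN\tA\t192.0.2.11
git.bank.example.\t300\tIN\tCNAME\tadmin.bank.example.
bank.example.\t\t3600\tIN\tSOA\tns1.bank.example. hostmaster.bank.example. 2017081701 3600 900 604800 86400
"""
REFUSED = """\
; <<>> DiG 9.11.3 <<>> @ns2.bank.example bank.example AXFR
; Transfer failed.
"""

if __name__ == "__main__":
    for label, output in (("ns1", LEAKY_ZONE), ("ns2", REFUSED)):
        ok, names = parse_axfr(output)
        print(label, "LEAKS" if ok else "refuses", subdomains(names, "bank.example"))
```

The fix is on the server side: in BIND, `allow-transfer { none; };` (globally or per zone), or a list of the secondary servers' addresses, ideally with TSIG keys; in Microsoft DNS, the zone's Zone Transfers tab set to "Only to servers listed on the Name Servers tab" or disabled. Re-run the check after the change, because secondaries and hosting providers' servers are often configured separately.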
August 2, 2017
Apparently, to distribute the scam mailing, cybercriminals used the contact database of domain administrators registered with RU-CENTER. The emails cite some changes in ICANN rules and ask the domain administrator to create a PHP file with specified contents in the website’s root directory. Creating this file is supposed to confirm the recipient’s right to use the domain. The email carries the RU-CENTER logo and is sent supposedly on its behalf.
The file the recipient is asked to save in the root directory contains a statement that executes arbitrary code passed in a request variable. Cybercriminals can send this code to the script on the server in a GET or POST request, so the file is in effect a web shell. Doctor Web specialists warn that complying with the email will compromise the website. If you receive such an email, ignore it. If you think the sender really is the domain name registrar, verify this with the registrar’s technical support service.
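A webmaster who is not sure whether someone already followed such an email can scan the webroot for the pattern described: request data (`$_GET`, `$_POST`, `$_REQUEST`, ...) reaching a function that executes code or shell commands, or an obfuscation decoder feeding one. The following added example (written for this page, not RU-CENTER's or Doctor Web's code) does that. The page does not reproduce the email's exact file, so the malicious sample written into a temporary directory here, `verify.php` containing `eval($_REQUEST['code'])`, is a constructed stand-in with a hypothetical name.

```python
import os
import re
import tempfile

# Superglobals that carry attacker-controlled input, and PHP functions that turn
# a string into code or a shell command.
SOURCE_RE = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE|SERVER)\b|php://input")
SINK_RE = re.compile(
    r"\b(?:eval|assert|system|passthru|shell_exec|exec|popen|proc_open|create_function)\s*\(",
    re.I)
DECODER_RE = re.compile(r"\b(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)

def is_suspicious(line):
    """A request source reaching a code sink on one line, or a decoder feeding a sink."""
    if not SINK_RE.search(line):
        return False
    return bool(SOURCE_RE.search(line) or DECODER_RE.search(line))

def scan_webroot(root):
    """Return (relative path, line number, stripped line) for every suspicious line."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".php", ".phtml", ".php5")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, errors="replace") as fh:
                for number, line in enumerate(fh, 1):
                    if is_suspicious(line):
                        findings.append((os.path.relpath(path, root), number, line.strip()))
    return findings

def build_sample_webroot():
    """Constructed webroot: one benign page and one 'verification' file of the kind described."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php echo htmlspecialchars($_GET['q'] ?? ''); ?>\n")
    with open(os.path.join(root, "verify.php"), "w") as fh:   # hypothetical file name
        fh.write("<?php eval($_REQUEST['code']); ?>\n")
    return root

if __name__ == "__main__":
    for path, number, line in scan_webroot(build_sample_webroot()):
        print(f"{path}:{number}: {line}")
```

A one-line scanner like this catches the plain form the email asks for; shells split across lines or hidden in variable-variable tricks need a real PHP parser, so treat a clean result as "nothing obvious", and compare the webroot against a known-good deployment as well.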
July 27, 2017
Unlike other Trojans of this family that try to get root privileges to perform malicious actions,
After the initialization, the malicious program sets up some parameters, creates a working directory, and checks in what environment it is running. If the Trojan is in the Dalvik environment, it intercepts one of the system methods, which allows it to track the start of all applications and perform malicious activity immediately after they start.
The main function of
As a result,
July 24, 2017
Doctor Web first reported
Recent research results have shown that an ePrica component was downloading and launching the Trojan onto targeted systems. Drugstore managers use this software component to analyze drug prices and choose the best suppliers. This module downloaded the
A further analysis of the application showed that
The module runmod.exe launches these plugins: on a command from the server it decrypts them and loads them into memory. They then copy database information, which is sent to a remote server. This application component is signed with the “Protek” certificate; Protek is a group of companies that includes “Spargo Tekhnologii”, ePrica’s developer.
It is important to note that even after ePrica is removed, the backdoor stays in the system and continues to spy on users. It is possible that
Its installer version 220.127.116.11, in which the Trojan modules were found, was released on November 18, 2013, while some of the backdoor’s files date back to 2010. Thus, the copying of drugstore and pharmaceutical company procurement information could have started at least a year before the backdoor was first detected.
More detailed information on the ePrica installer containing
July 18, 2017
Android.BankBot.211.origin is distributed under the guise of benign programs, for example, as Adobe Flash Player. Once a user installs and launches the Trojan, the banker tries to gain access to the Accessibility Service. For this purpose, Android.BankBot.211.origin displays a window with a request that reappears at every attempt to close it and doesn’t allow the device to be used.
The Accessibility Service makes Android smartphones and tablets easier to use and serves a variety of purposes, including helping people with disabilities. It allows programs to click interface elements on their own, such as buttons in dialog boxes and system menus. The Trojan forces the user to grant it these rights and then uses them to add itself to the device administrator list without further user involvement. Next, Android.BankBot.211.origin sets itself as the default SMS app and obtains access to the screen capture function. All these actions are accompanied by system prompts, which the user may never notice because the malicious program confirms them immediately. If the device owner later tries to revoke any permission Android.BankBot.211.origin has obtained, the banker blocks the attempt and returns the user to the previous system menu.
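Since the Trojan blocks attempts to revoke its grants from the device's own settings screens, the three grants it collects (accessibility service, device administrator, default SMS app) are best inspected and removed over adb from a computer. The following added example (written for this page, not Doctor Web's code) reads them from `settings get secure enabled_accessibility_services`, `dumpsys device_policy` and `settings get secure sms_default_application` and reports every package not on an allowlist. The command outputs, the allowlist and the package name com.adobe.flash.update are all constructed; the output formats are those of Android builds of the period and may differ on newer versions.

```python
import re
import subprocess

ACCESSIBILITY_KEY = "enabled_accessibility_services"   # colon-separated pkg/class entries
SMS_DEFAULT_KEY = "sms_default_application"            # package of the default SMS app
COMPONENT_RE = re.compile(r"ComponentInfo\{([^/}]+)/[^}]*\}")

def parse_accessibility(value):
    """'pkg/cls:pkg/cls' -> set of packages; 'null' or empty -> empty set."""
    if not value or value.strip() == "null":
        return set()
    return {entry.split("/", 1)[0] for entry in value.strip().split(":") if entry}

def parse_device_admins(dumpsys_output):
    """Packages named as ComponentInfo{pkg/cls} in `dumpsys device_policy`."""
    return set(COMPONENT_RE.findall(dumpsys_output))

def triage(accessibility_value, device_policy_dump, sms_default, allowlist):
    """Packages holding each grant that are not on the allowlist."""
    sms = (sms_default or "").strip()
    return {
        "accessibility": sorted(parse_accessibility(accessibility_value) - allowlist),
        "device_admin": sorted(parse_device_admins(device_policy_dump) - allowlist),
        "default_sms": [] if sms in ("", "null") or sms in allowlist else [sms],
    }

def adb_shell(*args):
    """Run a command on the attached device; requires adb and USB debugging."""
    return subprocess.run(["adb", "shell", *args],
                          capture_output=True, text=True, check=True).stdout

def triage_device(allowlist):
    return triage(adb_shell("settings", "get", "secure", ACCESSIBILITY_KEY),
                  adb_shell("dumpsys", "device_policy"),
                  adb_shell("settings", "get", "secure", SMS_DEFAULT_KEY),
                  allowlist)

# Constructed outputs from an infected device and a constructed allowlist.
SAMPLE_ALLOWLIST = {"com.google.android.marvin.talkback",
                    "com.google.android.apps.messaging", "com.android.vending"}
SAMPLE_ACCESSIBILITY = ("com.google.android.marvin.talkback/.TalkBackService:"
                        "com.adobe.flash.update/.svc.AccService")
SAMPLE_DPM = """Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    ComponentInfo{com.adobe.flash.update/com.adobe.flash.update.AdminReceiver}:
      uid=10217
"""
SAMPLE_SMS = "com.adobe.flash.update"

if __name__ == "__main__":
    for grant, packages in triage(SAMPLE_ACCESSIBILITY, SAMPLE_DPM, SAMPLE_SMS, SAMPLE_ALLOWLIST).items():
        print(grant, "->", packages or "clean")
```

Once a package is identified, `adb shell dpm remove-active-admin <pkg>/<admin class>` strips the device administrator role, after which `adb shell pm uninstall --user 0 <pkg>` removes the app; booting into safe mode achieves the same without a computer because third-party apps, including the Trojan's blocking overlay, do not run there.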
After a successful infection, the Trojan connects to its command and control service, registers the mobile device there, and awaits further commands. Android.BankBot.211.origin can execute the following actions:
- Send an SMS containing a specific text to the number specified in the command;
- Send to the server SMS data stored in the device memory;
- Forward to the server information about the installed applications, the contact list, and phone call data;
- Open the link specified in a command;
- Change the address of the command center.
In addition, the malicious program tracks all incoming SMS and sends them to cybercriminals.
Besides the standard commands, cybercriminals can send the Trojan special orders. They contain encrypted information about the applications the banker is supposed to attack. Once Android.BankBot.211.origin receives such commands, it can:
- Display fake input forms for login credentials on top of launched banking programs;
- Display a phishing dialog asking users to input their bank card details (for example, when making a purchase on Google Play);
- Block the operation of anti-viruses and other applications that could interfere with the Trojan’s work.
Android.BankBot.211.origin can attack users of any application: the attackers merely update the configuration file with the list of targeted programs, which the banker receives once it connects to the command and control server. When the Trojan was first observed, the attackers were interested only in customers of Turkish banks; later the list was expanded to include residents of other countries, including Germany, Australia, Poland, France, the United Kingdom, and the USA. At the moment this news article was posted, the list of programs attacked by the Trojan contained more than 50 applications for working with payment systems, remote banking services (RBS), and other software.
Examples of the fraudulent windows Android.BankBot.211.origin can display:
The Trojan also collects information about every launched application and the user's actions within it. For example, it reads the contents of the text fields and menu items on screen and logs keystrokes and other user-interface events.
Moreover, Android.BankBot.211.origin can steal login credentials and other authentication data entered by users in any application or on any website during login. To steal passwords, the Trojan takes a screenshot after every keystroke, so it captures each character before the input field masks it. The data entered into the displayed fields and all saved screenshots are then sent to the command and control server.
Because Android.BankBot.211.origin prevents its own removal, the following steps are required to get rid of it:
- Boot the infected smartphone or tablet into safe mode;
- Open the system settings and go to the list of device administrators;
- Find the Trojan in this list and revoke its administrator rights (at this point the malicious program will try to frighten the device's owner with a warning about the loss of all important data; this is a bluff, and the files are not in danger);
- Restart the device, perform a full anti-virus scan, and remove the Trojan once the scan is complete.
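The removal procedure above assumes the user can still reach the device-administrator list. As an added example (not Doctor Web's code), the following Python script shows the triage check a responder would run first over adb, which requires USB debugging to have been enabled on the device: it parses the output of `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -3` and reports third-party packages holding accessibility access that are not on an explicit allowlist, then builds the `settings put` command that strips the offending service. The sample outputs, the allowlist and the package name com.example.flashplayer are constructed for the example.

```python
"""Triage check for Android accessibility-service abuse (added example, not
Doctor Web code). It parses the output of two adb commands:

    adb shell settings get secure enabled_accessibility_services
    adb shell pm list packages -3

and reports third-party packages holding accessibility access that are not
on an allowlist. The sample outputs are constructed; com.example.flashplayer
is a hypothetical package name standing in for a Trojan posing as Flash Player."""

# Constructed: value of enabled_accessibility_services. Components are
# ':'-separated "package/class"; the class may be relative ("/.Cls").
# An empty value or the literal "null" means no service is enabled.
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService"
    ":com.example.flashplayer/.AccessService"
)

# Constructed: output of `pm list packages -3` (third-party packages only).
SAMPLE_PM_LIST = """package:com.example.flashplayer
package:com.whatsapp
package:com.example.bank
"""

# Services the device owner knowingly enabled (assumption for the example).
ALLOWLIST = {"com.google.android.marvin.talkback"}


def parse_enabled_services(setting_value):
    """Return [(package, fully qualified class)] from the setting's value."""
    value = (setting_value or "").strip()
    if not value or value == "null":
        return []
    services = []
    for component in value.split(":"):
        if "/" not in component:
            continue  # malformed entry, ignore
        pkg, cls = component.split("/", 1)
        if cls.startswith("."):
            cls = pkg + cls  # expand the relative class name
        services.append((pkg, cls))
    return services


def parse_pm_list(pm_output):
    """Return the set of package names from `pm list packages` output."""
    return {
        line.strip()[len("package:"):]
        for line in pm_output.splitlines()
        if line.strip().startswith("package:")
    }


def suspicious_accessibility_services(setting_value, pm_output, allowlist=ALLOWLIST):
    """Sorted 'package/class' names of third-party, non-allowlisted services.

    Any such service can click through the device-admin, default-SMS and
    screen-capture prompts on the user's behalf, so these are revoked first."""
    third_party = parse_pm_list(pm_output)
    return sorted(
        f"{pkg}/{cls}"
        for pkg, cls in parse_enabled_services(setting_value)
        if pkg in third_party and pkg not in allowlist
    )


def revoke_command(setting_value, package):
    """Build the adb command that re-writes the setting without `package`.

    The original component spelling is preserved; if nothing remains the
    setting is deleted instead of being set to an empty string."""
    keep = [
        c for c in (setting_value or "").split(":")
        if c and c != "null" and c.split("/", 1)[0] != package
    ]
    if not keep:
        return "adb shell settings delete secure enabled_accessibility_services"
    return ('adb shell settings put secure enabled_accessibility_services "'
            + ":".join(keep) + '"')


if __name__ == "__main__":
    for hit in suspicious_accessibility_services(SAMPLE_SETTING, SAMPLE_PM_LIST):
        print("suspicious accessibility service:", hit)
        print("  revoke with:", revoke_command(SAMPLE_SETTING, hit.split("/", 1)[0]))
```

Substitute the real output of the two adb commands for the constructed samples. If USB debugging was not enabled before the infection, adb is unavailable and the safe-mode procedure above is the only way in; once the accessibility service is gone, the device-administrator entry can be removed as described.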
All known versions of Android.BankBot.211.origin are successfully detected by Dr.Web Anti-virus; therefore, this banker does not pose any threat to our users.
July 13, 2017
When the website was first compromised, and whether this vector was used before, cannot currently be determined. At least 15 domains have been registered by an unknown individual, and the malicious code forces the browser of every visitor to the website to covertly connect to one of them. Those domains can serve any content of their choosing, from a fraudulent form for entering bank card details to an exploit page that attacks browser vulnerabilities in order to gain access to the visitor's computer.
While a page requested by a user is being generated dynamically, an <iframe> container is added to the page code. It allows any external data to be downloaded into, or requested from, the user's browser. The security researchers have so far identified at least 15 domains, among them m3oxem1nip48.ru, m81jmqmn.ru and other addresses with deliberately meaningless names. At least five of them resolve to address ranges belonging to companies registered in the Netherlands. Over the past day, requests to these domains have either failed, because the TLS certificates of most of these sites have expired, or returned no malicious code. Nothing, however, prevents the domain owners from renewing the certificates at any moment and publishing malicious code on these domains.
Currently, the website gosuslugi.ru is still compromised. Information has been sent to the website’s technical support service, but it has yet to confirm that it has launched an investigation and initiated measures to prevent such incidents in the future. Doctor Web recommends that users be careful when using the Government Services Portal of the Russian Federation until the situation is resolved. Doctor Web, Ltd., recommends that the administration of the website gosuslugi.ru and the relevant authorities perform a security check on the website.
Any user can check for the code’s presence themselves by using a search tool and making the following request:
UPDATE: The potentially malicious code was removed from gosuslugi.ru approximately three hours after this article was published.
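The check the report alludes to can be automated. The following Python script is an added example (not Doctor Web's tool): it parses a saved copy of a page and lists every <iframe> whose source lies outside the site's own domain, marking frames that are sized to zero or hidden with CSS, as injected frames usually are. The HTML is constructed for the example; it reuses the two domain names quoted above, and the paths are hypothetical.

```python
"""Find <iframe> elements that load content from a foreign domain (added
example, not Doctor Web code). SAMPLE_HTML is constructed: it reuses two
domain names from the report; paths and the same-site widget are invented."""

from html.parser import HTMLParser
from urllib.parse import urlsplit

SITE_DOMAIN = "gosuslugi.ru"

# Constructed sample page: one legitimate same-site frame, one zero-sized
# hidden injected frame, one protocol-relative injected frame.
SAMPLE_HTML = """<html><body>
<iframe src="https://www.gosuslugi.ru/widgets/info"></iframe>
<div>content</div>
<iframe src="https://m3oxem1nip48.ru/load.php" width="0" height="0" style="display: none"></iframe>
<script>var x = 1;</script>
<iframe src="//m81jmqmn.ru/x"></iframe>
</body></html>"""


def same_site(host, site_domain):
    """True for the site itself and any of its subdomains."""
    host = host.lower().rstrip(".")
    return host == site_domain or host.endswith("." + site_domain)


class IframeCollector(HTMLParser):
    """Collects (src, hidden) for every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.frames = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        style = a.get("style", "").replace(" ", "").lower()
        hidden = a.get("width") == "0" or a.get("height") == "0" or "display:none" in style
        self.frames.append((a.get("src", ""), hidden))


def foreign_iframes(html, site_domain=SITE_DOMAIN):
    """Return [(src, host, hidden)] for every iframe pointing off-site."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for src, hidden in parser.frames:
        if not src:
            continue
        # A protocol-relative "//host/path" inherits the page scheme; use
        # https here only so that urlsplit extracts the host.
        url = urlsplit("https:" + src if src.startswith("//") else src)
        host = url.hostname or ""
        if not host:
            continue  # relative path: same origin, nothing external is fetched
        if not same_site(host, site_domain):
            findings.append((src, host, hidden))
    return findings


if __name__ == "__main__":
    for src, host, hidden in foreign_iframes(SAMPLE_HTML):
        print(f"off-site iframe -> {host} (hidden={hidden}): {src}")
```

Run it against the HTML as the browser receives it (for example a saved response from a fresh session), since the report notes the frame is injected while the page is generated dynamically; a static copy of the template will not contain it.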
July 5, 2017
The malicious application, dubbed
In contrast with the standard update procedure, in which an old version of an application is replaced entirely by a new one, the SDK in question allows the needed components to be downloaded separately without reinstalling the whole package. This lets developers keep the software installed on mobile devices current even if users never follow new releases. However, Excelliance behaves as a loader Trojan, because it can download and run application components that have not been vetted. This update method violates Google Play rules, which prohibit applications from downloading and executing code from outside the store, precisely because it is dangerous.
The Trojan module tracks network activity and tries to connect to its command and control server. Depending on the server settings,
Besides the application’s additional resources and updates,
Meanwhile, while the downloaded APK files are being installed, the user sees a standard dialog box; however, if
Doctor Web specialists have informed Google about the dangerous behavior of the Trojan component in SDK, which is used in the game BlazBlue. However, at the moment this news article was posted, the game version containing
Applications containing this Trojan are successfully detected by Dr.Web for Android anti-virus products as
July 4, 2017
The reports state that
Doctor Web specialists took note of this registry key because Trojan.Encoder.12703 uses the same path. Analysis of a Dr.Web Anti-virus log obtained from one of our customers' computers showed that Trojan.Encoder.12703 was launched on the infected machine by ProgramData\Medoc\Medoc\ezvit.exe, a component of M.E.Doc:
id: 425036, timestamp: 15:41:42.606, type: PsCreate (16), flags: 1 (wait: 1), cid: 1184/5796:\Device\HarddiskVolume3\ProgramData\Medoc\Medoc\ezvit.exe
source context: start addr: 0x7fef06cbeb4, image: 0x7fef05e0000:\Device\HarddiskVolume3\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorwks.dll
created process: \Device\HarddiskVolume3\ProgramData\Medoc\Medoc\ezvit.exe:1184 --> \Device\HarddiskVolume3\Windows\System32\cmd.exe:6328
bitness: 64, ilevel: high, sesion id: 1, type: 0, reason: 1, new: 1, dbg: 0, wsl: 0
curdir: C:\Users\user\Desktop\, cmd: "cmd.exe" /c %temp%\wc.exe -ed BgIAAACkAABSU0ExAAgAAAEAAQCr+LiQCtQgJttD2PcKVqWiavOlEAwD/cOOzvRhZi8mvPJFSgIcsEwH8Tm4UlpOeS18o EJeJ18jAcSujh5hH1YJwAcIBnGg7tVkw9P2CfiiEj68mS1XKpy0v0lgIkPDw7eah2xX2LMLk87P75rE6 UGTrbd7TFQRKcNkC2ltgpnOmKIRMmQjdB0whF2g9o+Tfg/3Y2IICNYDnJl7U4IdVwTMpDFVE+q1l+Ad9 2ldDiHvBoiz1an9FQJMRSVfaVOXJvImGddTMZUkMo535xFGEgkjSDKZGH44phsDClwbOuA/gVJVktXvD X0ZmyXvpdH2fliUn23hQ44tKSOgFAnqNAra
status: signed_microsoft, script_vm, spc / signed_microsoft / clean
id: 425036 ==> allowed , time: 0.285438 ms
2017-Jun-27 15:41:42.626500  [INF]  [arkdll]
id: 425037, timestamp: 15:41:42.626, type: PsCreate (16), flags: 1 (wait: 1), cid: 692/2996:\Device\HarddiskVolume3\Windows\System32\csrss.exe
source context: start addr: 0x7fefcfc4c7c, image: 0x7fefcfc0000:\Device\HarddiskVolume3\Windows\System32\csrsrv.dll
created process: \Device\HarddiskVolume3\Windows\System32\csrss.exe:692 --> \Device\HarddiskVolume3\Windows\System32\conhost.exe:7144
bitness: 64, ilevel: high, sesion id: 1, type: 0, reason: 0, new: 0, dbg: 0, wsl: 0
curdir: C:\windows\system32\, cmd: \??\C:\windows\system32\conhost.exe "1955116396976855329-15661177171169773728-1552245407-149017856018122784351593218185"
status: signed_microsoft, spc / signed_microsoft / clean
id: 425037 ==> allowed , time: 0.270931 ms
2017-Jun-27 15:41:43.854500  [INF]  [arkdll]
id: 425045, timestamp: 15:41:43.782, type: PsCreate (16), flags: 1 (wait: 1), cid: 1340/1612:\Device\HarddiskVolume3\Windows\System32\cmd.exe
source context: start addr: 0x4a1f90b4, image: 0x4a1f0000:\Device\HarddiskVolume3\Windows\System32\cmd.exe
created process: \Device\HarddiskVolume3\Windows\System32\cmd.exe:1340 --> \Device\HarddiskVolume3\Users\user\AppData\Local\Temp\wc.exe:3648
bitness: 64, ilevel: high, sesion id: 1, type: 0, reason: 1, new: 1, dbg: 0, wsl: 0
curdir: C:\Users\user\Desktop\, cmd: C:\Users\user\AppData\Local\Temp\wc.exe -ed BgIAAACkAABSU0ExAAgAAAEAAQCr+LiQCtQgJttD2PcKVqWiavOlEAwD/cOOzvRhZi8mvPJFSgIcsEwH8Tm4UlpOeS18oE JeJ18jAcSujh5hH1YJwAcIBnGg7tVkw9P2CfiiEj68mS1XKpy0v0lgIkPDw7eah2xX2LMLk87P75rE6U GTrbd7TFQRKcNkC2ltgpnOmKIRMmQjdB0whF2g9o+Tfg/3Y2IICNYDnJl7U4IdVwTMpDFVE+q1l+Ad92 ldDiHvBoiz1an9FQJMRSVfaVOXJvImGddTMZUkMo535xFGEgkjSDKZGH44phsDClwbOuA/gVJVktXvDX 0ZmyXvpdH2fliUn23hQ44tKSOgFAnqNAra
fileinfo: size: 3880448, easize: 0, attr: 0x2020, buildtime: 01.01.2016 02:25:26.000, ctime: 27.06.2017 15:41:42.196, atime: 27.06.2017 15:41:42.196, mtime: 27.06.2017 15:41:42.196, descr: wc, ver: 18.104.22.168, company: , oname: wc.exe
hash: 7716a209006baa90227046e998b004468af2b1d6 status: unsigned, pe32, new_pe / unsigned / unknown
id: 425045 ==> undefined , time: 54.639770 ms
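The log above has enough structure to be parsed automatically. The following Python script is an added example (not Doctor Web tooling): it parses arkdll PsCreate records like these, links parents to children by PID, and flags the chain ezvit.exe -> cmd.exe -> unsigned binary in %TEMP%. The records embedded in the script are constructed from the quoted log: the base64 argument is shortened, the cmd.exe PIDs are made consistent (in the quoted log the cmd.exe that spawns wc.exe has a different PID from the one ezvit.exe created, so they are two separate events), and a third record showing a rundll32.exe launch with export ordinal #1 is a hypothetical continuation of the chain added to illustrate the launch method the report describes for the M.E.Doc update module.

```python
"""Parse Dr.Web arkdll PsCreate records and flag suspicious process chains
(added example, not Doctor Web tooling). SAMPLE_LOG is constructed from the
quoted log: base64 shortened, cmd.exe PIDs made consistent, and a hypothetical
rundll32.exe ",#1" record appended."""

import re

SAMPLE_LOG = r"""
2017-Jun-27 15:41:42.606500  [INF]  [arkdll]
id: 425036, timestamp: 15:41:42.606, type: PsCreate (16), flags: 1 (wait: 1), cid: 1184/5796:\Device\HarddiskVolume3\ProgramData\Medoc\Medoc\ezvit.exe
created process: \Device\HarddiskVolume3\ProgramData\Medoc\Medoc\ezvit.exe:1184 --> \Device\HarddiskVolume3\Windows\System32\cmd.exe:6328
bitness: 64, ilevel: high, sesion id: 1, type: 0, reason: 1, new: 1, dbg: 0, wsl: 0
curdir: C:\Users\user\Desktop\, cmd: "cmd.exe" /c %temp%\wc.exe -ed BgIAAACkAABSU0ExAAgAAAEAAQCr
status: signed_microsoft, script_vm, spc / signed_microsoft / clean
id: 425036 ==> allowed , time: 0.285438 ms
id: 425045, timestamp: 15:41:43.782, type: PsCreate (16), flags: 1 (wait: 1), cid: 6328/1612:\Device\HarddiskVolume3\Windows\System32\cmd.exe
created process: \Device\HarddiskVolume3\Windows\System32\cmd.exe:6328 --> \Device\HarddiskVolume3\Users\user\AppData\Local\Temp\wc.exe:3648
curdir: C:\Users\user\Desktop\, cmd: C:\Users\user\AppData\Local\Temp\wc.exe -ed BgIAAACkAABSU0ExAAgAAAEAAQCr
hash: 7716a209006baa90227046e998b004468af2b1d6 status: unsigned, pe32, new_pe / unsigned / unknown
id: 425045 ==> undefined , time: 54.639770 ms
id: 425050, timestamp: 15:41:50.100, type: PsCreate (16), flags: 1 (wait: 1), cid: 3648/2000:\Device\HarddiskVolume3\Users\user\AppData\Local\Temp\wc.exe
created process: \Device\HarddiskVolume3\Users\user\AppData\Local\Temp\wc.exe:3648 --> \Device\HarddiskVolume3\Windows\System32\rundll32.exe:4100
curdir: C:\Windows\, cmd: rundll32.exe C:\Windows\perfc.dat,#1
status: signed_microsoft, spc / signed_microsoft / clean
id: 425050 ==> allowed , time: 0.300000 ms
"""

REC_START = re.compile(r"^id: (\d+), timestamp: (\S+), type: PsCreate")
CREATED = re.compile(r"^created process: (.+?):(\d+) --> (.+?):(\d+)$")
CMDLINE = re.compile(r"^curdir: .*?, cmd: (.*)$")
STATUS = re.compile(r"\bstatus: ([a-z_]+)")      # first signing verdict token
VERDICT = re.compile(r"^id: (\d+) ==> (\w+)")     # closes a record


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def parse_events(log_text):
    """One dict per PsCreate record that carries a 'created process' line."""
    events, cur = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := REC_START.match(line):
            cur = {"id": int(m.group(1)), "time": m.group(2), "cmd": "", "status": ""}
            continue
        if cur is None:
            continue  # lines outside a record, e.g. "[INF] [arkdll]"
        if m := CREATED.match(line):
            cur.update(parent=m.group(1), parent_pid=int(m.group(2)),
                       child=m.group(3), child_pid=int(m.group(4)))
        elif m := CMDLINE.match(line):
            cur["cmd"] = m.group(1).strip()
        elif m := VERDICT.match(line):
            cur["verdict"] = m.group(2)
            if "child" in cur:
                events.append(cur)
            cur = None
            continue
        if m := STATUS.search(line):
            cur["status"] = m.group(1)
    return events


def ancestry(event, by_child_pid):
    """Image names from the oldest known ancestor down to the created process."""
    names, cur, seen = [basename(event["child"])], event, set()
    while True:
        ppid = cur["parent_pid"]
        if ppid in by_child_pid and ppid not in seen:
            seen.add(ppid)
            cur = by_child_pid[ppid]
            names.insert(0, basename(cur["child"]))
        else:
            names.insert(0, basename(cur["parent"]))
            return names


def suspicious_reasons(event):
    parent, child = basename(event["parent"]), basename(event["child"])
    reasons = []
    if parent == "ezvit.exe" and child in ("cmd.exe", "powershell.exe"):
        reasons.append("M.E.Doc component spawned a command interpreter")
    if "\\temp\\" in event["child"].lower() and event["status"] == "unsigned":
        reasons.append("unsigned executable launched from a Temp directory")
    if child == "rundll32.exe" and re.search(r",\s*#1\b", event["cmd"]):
        reasons.append("rundll32.exe invoking a DLL export by ordinal #1")
    return reasons


def analyze(log_text):
    events = parse_events(log_text)
    by_child_pid = {e["child_pid"]: e for e in events}
    return [
        {"id": e["id"], "chain": ancestry(e, by_child_pid), "reasons": reasons}
        for e in events
        if (reasons := suspicious_reasons(e))
    ]


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f["id"], " -> ".join(f["chain"]), "|", "; ".join(f["reasons"]))
```

The PID-based linkage is what turns three isolated "allowed"/"undefined" decisions into one incident: a signed, trusted accounting component starting a shell that runs an unknown unsigned binary from the user's Temp directory. Note that PIDs are reused, so on a long log the `seen` guard and the record timestamps matter.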
The file ZvitPublishedObjects.dll, retrieved from the infected machine, had the same hash as a sample examined in the Doctor Web virus laboratory. Our researchers therefore concluded that the M.E.Doc update module, implemented as the dynamic library ZvitPublishedObjects.dll, contains a backdoor. Further research showed that the backdoor can perform the following functions on an infected system:
- Collect data for accessing mail servers;
- Execute arbitrary commands on the infected system;
- Download arbitrary files to the infected computer;
- Download, save and run arbitrary executable files;
- Upload arbitrary files to a remote server.
The following code fragment of the M.E.Doc update module is quite distinctive: it launches the payload with rundll32.exe, calling the DLL export with ordinal #1:
This is exactly how the encryption Trojan, known as NePetya, Petya.A, ExPetya and WannaCry-2 (
Reuters published an interview with the developers of M.E.Doc, who stated that their application contains no malicious functions. In view of this, and taking into account the results of static code analysis, Doctor Web security researchers concluded that unidentified cybercriminals infected one of M.E.Doc's components with the malicious program. This component was added to the Dr.Web virus databases under the name
June 29, 2017
The security researchers who examined
Back in 2012, Doctor Web security researchers detected a targeted attack on drugstores and pharmaceutical companies that involved the use of a malicious program called
Doctor Web specialists conducted an investigation lasting four years. One of the affected companies provided its hard drives which had been compromised by
The similarity of these two cases shows that software development infrastructure requires a heightened level of information-security awareness. Above all, the update process of any commercial software should be closely scrutinized both by its users and by the developers themselves. The update tools of some programs have the right to install and launch executable files in the operating system, which can become an unexpected source of infection. In the case of MEDoc, the infection was caused by cybercriminals hacking into and compromising an update server. In the case of
June 28, 2017
At present it is known that the Trojan infects computers by exploiting the same vulnerabilities that cybercriminals exploited during the WannaCry attack. The spread of
The Trojan's body contains four compressed resources. Two of them are the 32-bit and 64-bit versions of the Mimikatz tool, which extracts the credentials of logged-on Windows sessions. Depending on the bitness of the operating system, the Trojan unpacks the appropriate version of Mimikatz, saves it to a temporary folder and runs it. Using Mimikatz and some other methods,
The encoder checks whether it has already run by looking for a file it creates in the C:\Windows\ folder. The file name matches the Trojan's own file name without the extension. Since the worm sample currently spreading is named perfc.dat, the file that prevents its launch is C:\Windows\perfc. However, if the attackers rename the Trojan, creating C:\Windows\perfc (as many anti-virus vendors advise) will not protect a computer from infection. In addition, the Trojan performs this check only if it has sufficient privileges to do so.
Once launched, the Trojan adjusts its privileges, loads a copy of itself into memory and transfers control to it. The encoder then overwrites its own file with garbage data and deletes it. First,
The Trojan encrypts files only on fixed drives. The data on each drive is encrypted in a separate thread. Files are encrypted with AES-128-CBC, and a separate key is generated for each drive (a characteristic feature of the Trojan that other specialists have not noted). Each key is encrypted with RSA-2048 (other researchers report an 800-bit key) and saved to a file named README.TXT in the root of the system drive. No additional extension is appended to the encrypted files.
After the computer reboots via the scheduled task, control passes to the Trojan's boot record, which displays on screen text resembling that of the standard CHKDSK tool.
Power down your computer immediately if you see this CHKDSK text at system startup. The boot records will already be damaged, but they can be repaired with the Windows recovery tool or the Recovery Console after booting from the installation media. Recovery of the boot record is normally possible on Windows 7 and later if the hidden partition containing the backup copy of the critical boot data is still present on the drive. You can also use Dr.Web LiveDisk: create a bootable disk or USB drive, start the system from it, run the Dr.Web scanner, check the infected drive, and choose the Neutralize action for the detected threats.
According to some sources, the only email address used by the cybercriminals behind
To avoid infection by
June 27, 2017
According to our information security specialists, the Trojan spreads on its own, like the infamous WannaCry. There is, however, no precise data yet on whether it uses the same distribution mechanism. Our security researchers are currently examining the new Trojan; details will follow. Some mass media outlets draw parallels with the Petya ransomware (detected by Dr.Web as Trojan.Ransom.369) because of the outward appearance of the ransom demand. However, the new threat's distribution method differs from Petya's usual pattern.
Today, June 27, at 4:30 p.m., this encryption ransomware was added to the Dr.Web virus databases as
Doctor Web advises all users to be vigilant and to refrain from opening suspicious emails (this measure is necessary but not sufficient on its own). It is essential to back up critical data and to install all software security updates. Having an anti-virus installed is also crucial.