Virus alerts
09.09 Doctor Web’s overview of malware detected on mobile devices in August 2019
September 9, 2019
In the last month of summer, Doctor Web virus analysts detected the clicker trojan
PRINCIPAL TRENDS IN AUGUST
- Detection of new malware on Google Play
- Emergence of new adware modules
Mobile threat of the month
In early August, Doctor Web reported the
- it began operating 8 hours after startup;
- some features were implemented using reflection;
- it could subscribe users to premium mobile services using WAP-Click.
For more information on
According to statistics collected by Dr.Web for Android
Android.HiddenAds .455.origin- A trojan designed to display unwanted ads on mobile devices.
Android.Backdoor .682.origin- A trojan that executes cybercriminals’ commands and helps them control infected mobile devices.
Android.Triada .467.origin- A multi-functional trojan that performs various malicious actions.
Android.RemoteCode .197.originAndroid.RemoteCode .5564- Malicious applications designed to download and execute arbitrary code.
Program modules that incorporate themselves into Android applications and display obnoxious ads on mobile devices:
- Adware.Gexin.3.origin
Adware.Patacore .253- Adware.Zeus.1
- Adware.Altamob.1.origin
- Adware.Myteam.2.origin (a new threat)
Threats on Google Play
Along with the
Virus analysts also identified new trojan adware of the
At the end of August, Doctor Web experts discovered another banking trojan that attacked Brazilian Android users. This malware was dubbed
To protect your Android device from malware and unwanted programs, we recommend that you install Dr.Web for Android.
Your Android needs protection.
Use Dr.Web
- The first Russian Anti-virus for Android
- More than 140 million downloads on Google Play alone
- Free for users of Dr.Web home products
09.09 Doctor Web’s August 2019 virus activity review
September 9, 2019
In August, Dr.Web server statistics detected a 21.28% decrease in the total number of threats compared to July. The number of unique threats dropped only slightly by 2.82%. The most common threat in email traffic is malware that exploits vulnerabilities in Microsoft Office documents, as well as trojan downloaders. Similarly to the previous month, the majority of detected malware and unwanted software is adware.
Principal trends in August
- A decline in malware spreading activity
- A growing number of non-recommended and malicious websites
- An upturn of encoder activity
Threat of the month
In August, researchers at Doctor Web’s virus lab discovered a dangerous banking trojan spread by cybercriminals via fake websites of popular software. One of these resources is copied from a well-known VPN service, while others are disguised as corporate office software websites.
According to Doctor Web’s statistics servers
Threats of the month:
- Adware.Softobase.15
- Installation adware that spreads outdated software and changes the browser’s settings.
- Adware.Ubar.13
- A torrent client designed to install unwanted programs on a user’s device.
- Trojan.Winlock.14244
- A ransomware trojan that blocks or limits a user’s access to the Windows operating system and its functionalities. In order to unlock the system, a user must transfer money to the cybercriminals.
- Trojan.InstallCore.3553
- Another well-known adware installer. It displays ads and installs new software without a user’s permission.
Statistics for malware discovered in email traffic
- Exploit.Rtf.CVE2012-0158
- Modified Microsoft Office document. Exploits the CVE2012-0158 vulnerability in order to run malicious code.
- W97M.DownLoader.2938
- A family of trojan downloaders that exploit vulnerabilities in Microsoft Office applications and can download other malware to a compromised device.
- Exploit.ShellCode.69
- Another malicious Microsoft Office Word document, which uses the CVE-2017-11882 vulnerability.
- Trojan.PWS.Stealer.19347
- A family of trojans designed to steal passwords and other confidential information stored on an infected computer.
Encoders
In August, cases involving the following ransomware were most often registered by Doctor Web’s technical support service:
Trojan.Encoder.858 —17.73%Trojan.Encoder.11464 —7.09%Trojan.Encoder.18000 —4.96%Trojan.Encoder.28004 —4.26%Trojan.Encoder.11539 —2.60%Trojan.Encoder.25574 —1.18%Trojan.Encoder.567 —1.65%
Dr.Web Security Space for Windows protects against encryption ransomware
Dangerous websites
In August 2019, Doctor Web added 204,551 URLs to the Dr.Web database of non-recommended websites.
| July 2019 | August 2019 | Dynamics |
|---|---|---|
| + 123,251 | + 204,551 | + 65.96% |
Malicious and unwanted programs for mobile devices
In August, Doctor Web experts discovered several new malware on Google Play. In early August, the Dr.Web virus database was updated to detect the
At the end of the month, Doctor Web experts discovered another banking trojan that attacked users from Brazil. The malware, dubbed
The following events are among the most notable regarding mobile security in August:
- Distribution of malware on Google Play;
- New unwanted adware modules.
Learn more about malicious and unwanted programs for mobile devices in our August overview.
Find out more with Dr.Web
19.08 Banking trojan Bolik spreads disguised as the NordVPN app
August 19, 2019
A copy of the NordVPN official website, which is a famous VPN service, was recently found by our researchers at nord-vpn[.]club. As with the original, it prompts users to download a program for using the VPN; but apart from the program itself, the fake authors distribute a dangerous banking trojan -
It has the same design, a similar domain name, and a valid SSL certificate.
According to our data, the malware campaign that uses those fake websites is primarily targeted at English-speaking audiences and was launched on August 8, 2019. However, at the time this news was released, the malicious fake NordVPN website already had thousands of visits.
On top of that, at the end of June this year, the same hacker group copied websites of office programs: invoicesoftware360[.]xyz (the original is invoicesoftware360[.]com) and clipoffice[.]xyz (the original is crystaloffice[.]com), where the
The
Earlier this year, we reported another malware campaign from the same hacker group in which they distributed
Both of these trojans are successfully detected and removed by Dr. Web products and pose no threat to our users.
#banker #banking_trojan #stealer
08.08 Doctor Web: Clicker Trojan Installed from Google Play by Some 102,000,000 Android Users
August 8, 2019
The trojan is a malicious module, which, according to Dr.Web classification, was dubbed
Once launched, the trojan sends the following information about the infected device to the C&C server:
- manufacturer and model;
- operating system version;
- user’s country of residence and default system language;
- User-Agent ID;
- mobile carrier;
- internet connection type;
- display parameters;
- time zone;
- data on application containing trojan.
In response, the server sends the necessary settings. Some functions of the malware are using reflection, and the settings contain the names of methods and classes along with the parameters for them. They are used, for example, to register a broadcast receiver and a content observer, which
Upon installation of a new application or download of an apk file by the Play Market client, the trojan sends information about this software along with some technical data about the device to the command and control server. In response,
Thus, depending on the settings of the command and control server and the instructions it sends, the trojan can not only advertise applications on Google Play, but also covertly load any websites, including advertisements (even videos) or other dubious content. For example, after installing applications with the built-in trojan, users complained about being automatically subscribed to expensive content provider services.
Fig. 1. First user comment: “After installation, it subscribes you to paid services! Be careful, do not install this application!!!”
Developer response: “What services? You're wrong.”
Second user: “After installation, I was subscribed to 5 services and now my phone account is empty.”
Fig. 2. User comment: “What kind of joke is this? Paid subscriptions to Beeline (Russian mobile carrier). I have nothing to do with Beeline.”
Fig. 3. User comment: “The moment you log in, it deducts 50 rubles. I don’t know what it is for, please explain.”
Fig. 4. User comment: “After I use the app, they subscribe me to some shady services.”
Doctor Web specialists were unable to recreate the conditions for the trojan to open such websites. However, in the case of
Doctor Web virus analysts have identified 34 applications with the embedded
| GPS Fix |
| QR Code Reader |
| ai.type Free Emoji Keyboard |
| Cricket Mazza Live Line |
| English Urdu Dictionary Offline - Learn English |
| EMI Calculator - Loan & Finance Planner |
| Pedometer Step Counter - Fitness Tracker |
| Route Finder |
| PDF Viewer - EBook Reader |
| GPS Speedometer |
| GPS Speedometer PRO |
| Notepad - Text Editor |
| Notepad - Text Editor PRO |
| Who unfriended me? |
| Who deleted me? |
| GPS Route Finder & Transit: Maps Navigation Live |
| Muslim Prayer Times & Qibla Compass |
| Qibla Compass - Prayer Times, Quran, Kalma, Azan |
| Full Quran MP3 - 50+ Audio Translation & Languages |
| Al Quran Mp3 - 50 Reciters & Translation Audio |
| Prayer Times: Azan, Quran, Qibla Compass |
| Ramadan Times: Muslim Prayers, Duas, Azan & Qibla |
| OK Google Voice Commands (Guide) |
| Sikh World - Nitnem & Live Gurbani Radio |
| 1300 Math Formulas Mega Pack |
| Обществознание - школьный курс. ЕГЭ и ОГЭ (Social Sciences - School Curriculum. State Uniform Examinations, Basic State Examinations.) |
| Bombuj - Filmy a seriály zadarmo |
| Video to MP3 Converter, RINGTONE Maker, MP3 Cutter |
| Power VPN Free VPN |
| Earth Live Cam - Public Webcams Online |
| QR & Barcode Scanner |
| Remove Object from Photo - Unwanted Object Remover |
| Cover art IRCTC Train PNR Status, NTES Rail Running Status |
Doctor Web informed Google about this trojan, and some applications we had detected were quickly removed from Google Play. Additionally, several applications have been updated, removing the malicious component. However, at the time of this publication, most applications still contained a malicious module and remained available for download.
Virus analysts recommend that developers responsibly choose modules to monetize their applications and not integrate dubious SDKs into their software. Dr.Web for Android successfully detects and removes applications that have the known modifications of
Read more about Android.Click.312.origin
#Android, #Google_Play, #clicker
05.08 July 2019 virus activity review from Doctor Web
August 5, 2019
In July Dr.Web’s statistics showed a 54.21% decrease in the number of detected threats compared to June. While the unique threats almost doubled. E-mail traffic was dominated by malware that uses Microsoft Office programs’ vulnerabilities. Adware and unwanted programs still occupy the top of all detected threats. The lead ransomware in July, Trojan.Encoder.858, accounted for 21.15% of all requests for data decryption received in support of Doctor Web.
Doctor Web’s researchers have prepared a study that describes trends in the most common threats for smart devices and the Internet of Things (IoT) as a whole. This review is based on statistical data that has been gathered from our honeypots since 2016 and intends to draw attention to the security problem in the field of IoT.
Principal trends in July
- An increase in spreading activity of unique malware
- A decline in ransomware activity
According to Doctor Web’s statistics servers
Threats of the month:
- Adware.Ubar.13
- A torrent client designed to install unwanted programs on a user’s device.
- Adware.Softobase.15
- Installation adware that spreads outdated software and changes the browser’s settings.
- Trojan.Packed.20771
- This program installs malicious browser extensions that redirect search results to different websites.
- Trojan.Winlock.14244
- A ransomware trojan that blocks or limits a user’s access to the Windows operating system and its functionalities. In order to unlock the system, a user must transfer money to the cybercriminals.
- Trojan.DownLoader29.14148
- Downloads and runs malicious software without the user’s permission.
Statistics for malware discovered in email traffic
- Exploit.Rtf.CVE2012-0158
- A modified Microsoft Office document. It exploits the CVE2012-0158 vulnerability in order to run malicious code.
- W97M.DownLoader.2938
- A family of downloader trojans that exploit vulnerabilities in Microsoft Office applications. Designed to download other malware onto a compromised computer.
- Exploit.ShellCode.69
- Another malicious Microsoft Office Word document that uses the CVE-2017-11882 vulnerability.
- JS.DownLoader.1225
- A family of malicious JavaScripts. They download and install malicious software on a computer.
Encryption ransomware
In July, the most common cases involving the following ransomware were registered by Doctor Web’s technical support service:
Trojan.Encoder.858 — 21.15%Trojan.Encoder.567 — 9.45%Trojan.Encoder.11464 — 8.01%Trojan.Encoder.25574 — 4.93%Trojan.Encoder.18000 — 3.90%Trojan.Encoder.11539 — 3.08%Trojan.Encoder.28004 — 1.85%
Dr.Web Security Space for Windows protects against encryption ransomware
Dangerous websites
During July 2019, Doctor Web added 123,251 URLs to the Dr.Web database of non-recommended sites.
| June 2019 | July 2019 | Dynamics |
|---|---|---|
| + 151 162 | + 123 251 | -18.46% |
Malicious and unwanted programs for mobile devices
In mid-July, Doctor Web researchers detected a new dangerous trojan
Among other detected threats were new trojans of the
New entries for detecting trojans of the
Among the most notable July events related to mobile malware:
- detection of a dangerous backdoor that executes malicious commands;
- detection of new malicious programs on Google Play;
- the spread of trojans designed for cyber espionage.
Find out more about malicious and unwanted programs for mobile devices in our monthly review.
Find out more with Dr.Web
05.08 Doctor Web’s overview of virus activity on mobile devices in July 2019
August 5, 2019
Last month Doctor Web reported the dangerous
PRINCIPAL TRENDS IN JULY
- Distribution of an Android backdoor that was spying on users and executing commands from cybercriminals
- Detection of new trojans and unwanted applications on Google Play
- Distribution of spyware trojans
Mobile threat of the month
In mid-July, Doctor Web virus analysts investigated the
This backdoor spied on users, sending information about their contacts, phone calls, and their device location to the attackers. It also uploaded files from devices to a remote server, as well as download and installed software. Features of
- the main malicious component of the trojan was hiding in an auxiliary module, encrypted and stored in the application’s resource directory;
- with root privileges, it could automatically install software;
- could execute shell commands, received from the C&C server.
For more information regarding
According to statistics collected by Dr.Web for Android
Android.Backdoor .682.origin- A trojan that executes cybercriminals’ commands and helps them control infected mobile devices.
Android.HiddenAds .1424- A trojan designed to display obnoxious ads. It is distributed under the guise of popular applications.
Android.RemoteCode .197.originAndroid.RemoteCode .5564Android.RemoteCode .216.origin- Malicious applications designed to download and execute arbitrary code.
Program modules that incorporate themselves into Android applications and display obnoxious ads on mobile devices:
- Adware.Zeus.1
- Adware.Gexin.3.origin
Adware.Patacore .253- Adware.Altamob.1.origin
A riskware platform that allows applications to launch APK files without installing them:
Tool.VirtualApk .1.origin
Threats on Google Play
Since the beginning of July, Doctor Web malware analysts have detected many new adware trojans of the
In addition, a new unwanted advertising module named
Cyberespionage
Last month, the Dr.Web virus database was also updated to detect the spyware trojans
The second one displayed a fraudulent message, prompting a potential victim to update a Google Play component. If the user agreed, the trojan displayed a phishing window that simulated a Google account login page.
Virus writers made a spelling mistake in the phrase “Sign in”, which could indicate a fake. If the victim did not notice this and logged into the account,
To protect your Android device from malware and unwanted programs, we recommend you install Dr.Web for Android.
Your Android needs protection.
Use Dr.Web
- The first Russian anti-virus for Android
- Over 140 million downloads—just from Google Play
- Available free of charge for users of Dr.Web home products
17.07 Risks and Threats of the Internet of Things (IoT)
August 7, 2019
Introduction
In addition to computers, smartphones, tablets, and routers, the World Wide Web now increasingly covers smart TVs, surveillance cameras, smart watches, refrigerators, cars, fitness trackers, video recorders, and even children's toys. The number of IoT devices already exceeds several billion, and this number is growing every year.
Many of them are badly or not at all protected from attacks. For example, they can be connected using simple or well-known credentials, set for hundreds of thousands of models by default. The owners either do not think about changing the factory settings, or are not able to do this due to restricted access. Cybercriminals can relatively easy access such devices by matching combinations from a dictionary (the so-called brute force method). They can also exploit the vulnerabilities of the operating systems.
Since 2016, Doctor Web have been closely following the threats of the Internet of Things. To do this, our experts have set up a network of baits, i.e. honeypots. They imitate various types of smart devices and record attempts to infect them. Honeypots cover several hardware platforms, including ARM, MIPS, MIPSEL, PowerPC, and Intel x86_64. They allow us to monitor attack vectors, detect and research new malware samples, improve the detection mechanisms, and deal with attacks more effectively.
This article dwells on the identified smart device-targeted attacks, as well as the most common IoT threats.
Statistics
When they only started the monitoring, our malware analysts recorded a relatively low activity of malware aimed at IoT devices. In the first four months of 2016, Doctor Web experts detected 729,590 attacks. However, the number grew 32-fold over a year, hitting 23,741,581. Twelve months later, the figure rose to 99,199,444. Now, the first half of the current year already saw 73,513,303 attacks, almost as many as the entire 2018.
The patterns of attack detection by honeypots is shown on the diagram:
In less than three years, the number of hacking attempts and infecting the IoT devices has increased by 13,497%.
Smart devices were targeted from IP addresses in more than 50 countries. Most attempts were made from the US, the Netherlands, Russia, Germany, Italy, the United Kingdom, France, Canada, Singapore, India, Spain, Romania, China, Poland, and Brazil.
The geographic spread of attack sources and the percentage is shown on this diagram:
After compromising the devices, cybercriminals downloaded one or several trojans onto them. The total number of unique malicious files detected by our traps during the observation period was 131,412. The detection patterns are shown below.
Smart devices run on different processor architectures, and malware often has versions for several hardware platforms at once. Among those mimicked by our honeypots, devices with ARM, MIPSEL, and MIPS processors are targeted more often than the others. This is clearly seen on the diagram:
According to statistics gathered by honeypots, the most active malware is the
Malicious code that targets smart devices falls under several basic categories according to the main features:
- DDoS trojans (such as
Linux.Mirai ); - trojans that distribute, download, and install other malware and components (such as Linux.DownLoader, Linux.MulDrop);
- trojans that enable the remote control of the infected devices (such as Linux.BackDoor);
- trojans that turn devices into proxy servers (such as
Linux.ProxyM , Linux.Ellipsis.1, Linux.LuaBot); - trojans for cryptocurrency mining (such as Linux.BtcMine);
- others.
However, most malware pose multifunctional threats, since many of them can combine several functions at once.
Threat Trends for Smart Devices
- Due to the availability of trojan source codes, such as
Linux.Mirai ,Linux.BackDoor.Fgt , Linux.BackDoor.Tsunami, and others, the number of new malware is growing. - A growing number of malicious applications in non-trivial programming languages, such as Go and Rust.
- Cybercriminals have access to information about many vulnerabilities that can be exploited to infect smart devices.
- The persisting popularity of cryptocurrency miners (mainly Monero) for IoT devices.
See the information below on the most common and notable IoT trojans.
More on IoT Threats
Linux.Mirai
After infecting the target device,
The following diagram shows the patterns of detecting active copies of this malware by honeypots:
Modifications of
Linux.Hajime
Another dangerous malware for smart devices is
The peak of
These trojans are most common in Brazil, Turkey, Vietnam, Mexico, and South Korea. The map shows the countries with the largest number of active
Linux.BackDoor.Fgt
The top five trojans designed for IoT devices include
These backdoors are distributed via the Telnet and SSH protocols, brute-forcing credentials to access the objects. The main purpose of these trojans is to perform DDoS attacks and remotely monitor the infected devices.
Linux.ProxyM
Linux.Ellipsis.1
Linux.LuaBot
Doctor Web has discovered the first versions of the
Linux.BtcMine.174
Cryptocurrency mining is one of the main reasons for infecting IoT devices for cybercriminals. The Linux.BtcMine family of trojans and other malware help them with this. One of them,
The trojan adds itself to autorun, so that rebooting of the infected device does not help. It also keeps checking whether the mining software process is active. If necessary, the trojan initiates it again, ensuring that cryptocurrency is mined at all times.
Linux.MulDrop.14
The Linux.MulDrop trojan family is used to distribute and install other malware. They work on many hardware architectures and device types. In 2017, Dr.Web virus analysts discovered the
Linux.HideNSeek
The Linux.HideNSeek malware infects smart devices, computers, and servers running Linux, integrating them into a decentralized botnet. To spread itself, the trojan generates IP addresses and attempts to connect to them using a brute-force attack, as well as a list of known combinations of authentication data. It can also exploit various hardware vulnerabilities. Linux.HideNSeek can be used to remotely control the infected devices, i.e. execute commands from cybercriminals, copy files, etc.
Linux.BrickBot
Unlike most other malware, the Linux.BrickBot trojans are not intended to bring any profit. They are vandals, designed to disable computers and smart devices. They have been known since 2017.
Linux.BrickBot trojans are trying to infect devices via the Telnet protocol, brute-forcing the credentials. Then they try to erase the data from the permanent storage modules, reset the network settings, block all connections, and perform a reboot. As a result, to restore the objects, the user would need to reflash them or even replace the components. Those trojans are rare, but extremely dangerous.
In late June 2019, the Linux.BrickBot.37 trojan, also known as Silex, became popular. It acted in a similar way as other members of the Linux.BirckBot family, i.e. erasing data from device drives, deleting the network settings, and performing a reboot, after which they could no longer correctly switch on and operate. Our traps detected over 2,600 attacks using this trojan.
Conclusion
Millions of high-tech devices, increasingly used in everyday life, are actually small computers with the corresponding flaws. They are targeted by similar attacks and have the similar vulnerabilities, but due to the nature and limitations of their form, they are far more difficult or even impossible to protect. Additionally, many users are not fully aware of the potential risks and still perceive smart devices as safe and convenient toys.
The IoT market is actively developing and largely repeating the start of the mass distribution of personal computers, when the mechanisms against threats were only being developed. While manufacturers and owners of smart devices are adapting to new realities, cybercriminals have huge opportunities to attack them. Thus, we should expect new malware for the Internet of Things in the near future.
Doctor Web continues to monitor the spread of trojans and other threats aimed at smart devices and will inform our users about all noteworthy events in this area. Dr.Web anti-virus products successfully detect and remove the malware mentioned in this review.
12.07 Doctor Web: A dangerous Android backdoor distributed via Google Play
July 12, 2019
The malware was dubbed
When launched,
Its window contains a button to “check” for updates to the OpenGL ES interface. When a user taps the window, the trojan simulates a search for new versions of OpenGL ES, but does not actually perform any checks.
When the victim closes the application window,
The backdoor communicates with several command and control servers to receive commands from the attackers and send the collected data. The cybercriminals can also control the trojan via the Firebase Cloud Messaging service.
- sending information on contacts from the contact list to the server;
- sending information on text messages to the server (the investigated version of the trojan did not have the permissions for this);
- sending the phone call history to the server;
- sending the device location to the server;
- downloading and launching an APK or a DEX file using the DexClassLoader class;
- sending the information on the installed software to the server;
- downloading and launching a specified executable file;
- downloading a file from the server;
- uploading a specified file to the server;
- transmitting information on files in the specified directory or a memory card to the server;
- executing a shell command;
- launching the activity specified in a command;
- downloading and installing an Android application;
- displaying a notification specified in a command;
- requesting permission specified in a command;
- sending the list of permissions granted to the trojan to the server;
- not letting the device go into sleep mode for a specified time period.
The trojan AES encrypts all data transmitted to the server. Each request is protected with a unique generated key based on the current time. The same key encrypts the server response.
- automatically, if the system has root access (using a shell command);
- using a system package manager (system software only);
- displaying a standard system installation dialog where the user needs to confirm the installation.
As you can see, this backdoor is a serious threat. Not only does it act as spyware, but it can also be used for phishing because it can display windows and notifications with any content. It can also download and install any other malicious application, as well as execute arbitrary code. For example, at the command of attackers,
Doctor Web has notified Google about the trojan; it was already removed from Google Play at the time of publication.
Read more about Android.Backdoor.736.origin
#Android, #backdoor, #Google_Play, #spyware
Your Android needs protection.
Use Dr.Web
- The first Russian anti-virus for Android
- Over 140 million downloads—just from Google Play
- Available free of charge for users of Dr.Web home products
03.07 June 2019 mobile malware review from Doctor Web
July 3, 2019
In mid June, Dr.Web virus analysts discovered the
PRINCIPAL TREND IN JUNE
- New malicious and unwanted applications on Google Play
Mobile threat of the month
On June 14, Doctor Web reported the
Clicking such a message would open one of the advertised websites in the browser. Many of them were fraudulent.
Features of
- it is distributed via Google Play under the guise of official software by well-known brands;
- notifications from websites, loaded by the trojan, did not stop when the trojan was removed.
According to statistics collected by Dr.Web for Android
Android.Backdoor .682.origin- A trojan that executes cybercriminals’ commands and helps them control infected mobile devices.
Android.HiddenAds .1424- A trojan designed to display obnoxious ads. It is distributed under the guise of popular applications.
Android.RemoteCode .197.originAndroid.RemoteCode .4411- Malicious applications designed to download and execute arbitrary code.
Android.Triada .3670- A multi-functional trojan that performs different malicious actions.
Program modules that incorporate themselves into Android applications and display obnoxious ads on mobile devices:
- Adware.Zeus.1
- Adware.Jiubang.2
Adware.AdPush .33.origin- Adware.Toofan.1.origin
A riskware platform that allows applications to launch APK files without installing them:
Tool.VirtualApk .1.origin
A new threat:
Adware.Patacore .253- A representative of a family of unwanted modules that display banner advertisments on Android devices.
Threats on Google Play
Along with
Virus analysts have also discovered a number of new
After installation and launch, the malware hid its icons and began displaying ads.
Another trojan found on Google Play was named
The first versions of this application were safe; but later, in versions 1.1.0 and 1.1.4, it was updated with trojan functionality.
Another downloader was named
At the end of June, the Dr.Web virus database was updated to detect the
To protect your Android device from malware and unwanted programs, we recommend you install Dr.Web for Android.
Your Android needs protection.
Use Dr.Web
- The first Russian anti-virus for Android
- Over 140 million downloads—just from Google Play
- Available free of charge for users of Dr.Web home products
03.07 June 2019 virus activity review from Doctor Web
July 3, 2019
In June, Dr.Web server statistics registered a significant increase in the number of common and unique threats compared with May. Adware and installers are still leading in the total number of detected threats; the highest malware activity has been detected in email traffic. The dangerous stealer, Trojan.PWS.Maria.3 (Ave Maria), previously used to target an oil and gas company, is active again. The Trojan.Nanocore.23 trojan with remote access that helps control an infected computer is distributed via email. A malware campaign using the Trojan.Encoder.858 encoder also took place in June.
Principal trends in June
- Increased malware distribution
- Emailing stealers and RAT Trojans
- Increased encoder activity
Threat of the month
In June, a sample of the rare Trojan.MonsterInstall Node.js trojan was studied in the Doctor Web virus lab. When launched on a victim's device, it downloads and installs the modules it needs for operation, collects information about the system, and sends it to the developer’s server. After receiving a response from the server, it adds itself to autorun and starts mining the TurtleCoin cryptocurrency. Developers of this malware use cheats for popular games from their own webpages to distribute the trojan and infect files on other similar websites.
According to Doctor Web’s statistics servers
Threats of this month:
- Adware.Ubar.13
- A torrent client that installs unwanted software on devices.
- Trojan.InstallCore.3553
- Another notorious adware installer. It displays ad banners and installs software without users’ permission.
- Trojan.Winlock.14244
- Blocks or restricts user access to the operating system and its main functions. To access the system, users are required to transfer money to the trojan developer’s account.
- Trojan.Starter.7394
- A trojan that launches other malware on a device.
- Adware.Softobase.12
- An installer that distributes outdated software. It changes browser settings.
Statistics for malware discovered in email traffic
- Exploit.Rtf.CVE2012-0158
- A modified Microsoft Office Word document that exploits the CVE2012-0158 vulnerability to execute malicious code.
- W97M.DownLoader.2938
- A family of downloader trojans that exploit vulnerabilities in Microsoft Office documents and can download other malicious programs to a compromised computer.
- Exploit.ShellCode.69
- A malicious Microsoft Office Word document that exploits the CVE-2017-11882 vulnerability.
Rising threats of the month:
- Trojan.PWS.Maria.3
- A stealer distributed by email in malicious Excel files. It uses the popular CVE-2017-11882 vulnerability to launch an executable file. It was first seen in a phishing campaign targeting the Italian oil and gas industry.
- Trojan.Nanocore.23
- A dangerous trojan with remote access. It allows cybercriminals to control an infected computer, including the camera and microphone on the device if available.
Encoders
In June, Doctor Web’s technical support service registered cases involving the following encoders:
Trojan.Encoder.858 — 30.31%Trojan.Encoder.567 — 7.02%Trojan.Encoder.11464 — 6.47%Trojan.Encoder.11539 — 3.33%Trojan.Encoder.18000 — 3.14%Trojan.Encoder.28004 — 2.59%Trojan.Encoder.25574 — 1.66%
Dr.Web Security Space for Windows protects against encryption ransomware
Dangerous websites
In June 2019, the Dr.Web database was updated with a total of 151,162 non-recommended website URLs.
| May 2019 | June 2019 | Dynamics |
|---|---|---|
| + 223,952 | + 151,162 | – 32.5% |
Malicious and unwanted programs for mobile devices
In June, Doctor Web virus analysts discovered many more malicious and unwanted programs on Google Play, including the
New trojan downloaders were also detected this month, such as the
The following mobile malware event of June was the most noteworthy:
- detection of new malware on Google Play.
Find out more about malicious and unwanted programs for mobile devices in our special overview.
Learn more with Dr.Web
19.06 New Node.js trojan threatens gamers
June 19, 2019
Yandex has submitted a rare sample of the Node.js trojan for research to Doctor Web’s virus laboratory. This malware was distributed via websites with video game cheats and has several versions and components.
When users attempt to download a cheat they download a password-protected 7zip archive to their computers. Inside there is an executable file; which upon launch, will download the requested cheats alongside other trojan’s components.
Upon launching on the victim's device, Trojan.MonsterInstall downloads and installs all the components necessary for its work, gathers information about the system its installed on, and sends it to the developer’s server. After receiving a response, it installs itself in the autorun and starts mining the TurtleCoin cryptocurrency.
Developers of this malware own several websites with game cheats, which they use to spread the malware, but they also infect other similar websites with the same trojan. According to SimilarWeb’s statistics, users browse these websites at least 127,400 times per month.
Websites owned by the malware developers:
- румайнкрафт[.]рф;
- clearcheats[.]ru;
- mmotalks[.]com;
- minecraft-chiter[.]ru;
- torrent-igri[.]com;
- worldcodes[.]ru;
- cheatfiles[.]ru.
Moreover, some cheats from the proplaying[.]ru website turned out to be infected as well.
Doctor Web’s experts recommend that users timely update the anti-virus and avoid downloading suspicious software.
We would also like to thank specialists from Yandex for providing the sample and additional information about the trojan’s points of distribution.
#JavaScript #games #mining
14.06 Doctor Web: Android users threatened by fraudulent push notifications
June 14, 2019
The Web Push technology allows websites to send notifications even when the webpage is not open in the browser if the user agrees to that. When it comes to harmless websites, this feature can be useful and convenient. For example, social media can notify the users on new messages, and news agencies can spread information about new articles. However, cybercriminals and unscrupulous advertisers can abuse this technology by spreading advertising and fraudulent notifications that come from hacked or malicious websites.
PC, laptop browsers, as well as mobile devices support these notifications. Typically, the victim gets to a questionable spamming website by clicking a unique link or an advertising banner.
When launched, the trojan loads a website in Google Chrome. The website is specified in the trojan settings. According to its parameters, it performs several redirects to pages of various affiliated programs. Each of them prompts the user to allow notifications. To be convincing, they inform the victim that it is done for verification purposes (for example, that the user is not a robot), or simply hint on which dialog button to click. Thus, they increase the number of successful subscriptions. See examples of such queries in the images below:
After activating the subscription, websites start sending the user numerous notifications of questionable content. Notifications are displayed in the status bar of the operating system even if the browser is closed and the trojan has already been removed. The contents can be anything, from false notifications about cash bonuses or transfers or new messages on social media to advertisements of horoscopes, casinos, goods and services, even various “news”.
Many of them look like real notifications of actual online services and applications installed on the device. For example, they display the logo of a bank, a dating website, a news agency, or a social network, as well as an eye-catching banner. Owners of Android devices can receive dozens of such spam messages per day.
Although these notifications also indicate the address of the website they come from, an unskilled user may fail to notice it, or not give it much thought. See below the examples of fraudulent notifications:
Having clicked a notification, the user is redirected to a website with questionable content. This may include advertising of casinos, betting shops, various Google Play applications, discounts and coupons, fake online polls and prize drawings, aggregators of partner links, and other online resources that vary depending on the country of residence of the user. See examples of such websites below:
Many of these resources are involved in well-known fraudulent schemes for stealing funds, but attackers can also launch an attack to steal confidential data at any time. For example, by sending an “important” notification via the browser on behalf of a bank or a social network. Potential victims can think the fake notification is real and tap it only to be redirected to a phishing site, where they will be prompted to indicate their name, credentials, email addresses, bank card numbers, and other confidential information.
Doctor Web experts believe that cybercriminals will make more active use of this method to promote questionable services, so mobile users should be careful while visiting websites and not subscribe to notifications if the website is unfamiliar or suspicious. If you are already subscribed to spam notifications, perform the following steps:
- Go to the Google Chrome settings, select “Site Settings” and then “Notifications”;
- On the list of websites with notifications, find the website address, tap it, and select “Clear & reset”.
Dr.Web for Android successfully detects and removes all known modifications of
Read more about Android.FakeApp.174
Your Android needs protection.
Use Dr.Web
- The first Russian anti-virus for Android
- Over 140 million downloads—just from Google Play
- Available free of charge for users of Dr.Web home products
03.06 Doctor Web’s May 2019 virus activity review
June 3, 2019
In May, Dr.Web’s statistics registered a 1.49% increase in the number of unique threats compared to April; while the number of all detected threats increased by 14.51%. Malware and unwanted programs statistics show the prevalence of adware and installers. E-mail traffic is still dominated by malware that uses the vulnerabilities of Microsoft Office programs, but in May we also registered an increase in the spread of the dangerous trojan,
Principal Trends in May
- An increase in malware spreading activity
- Trojan stealers distributed via email
Threat of the month
In May, Doctor Web’s researchers warned about unique malware for the macOS operating system–
According to Doctor Web’s statistics servers
Threats of the month:
- Adware.Softobase.12
- Installation adware that spreads outdated software and changes the browser’s settings.
- Adware.Ubar.13
- A torrent client designed to install unwanted programs on a user’s device.
- Trojan.InstallCore.3553
- Another well-known adware installer. It shows ads and installs additional programs without the user’s permission.
- Trojan.Winlock.14244
- A ransomware trojan that blocks or limits a user’s access to the Windows operating system and its functionalities. In order to unlock the system, a user must transfer money to the cybercriminals.
- Trojan.Starter.7394
- A trojan designed to launch other malicious software on a victim’s device.
Statistics for malware discovered in email traffic
Threats of the month:
- W97M.DownLoader.2938
- A family of downloader trojans that exploit vulnerabilities in Microsoft Office applications. Designed to download other malware onto a compromised computer.
- Exploit.ShellCode.69
- Another malicious Microsoft Office Word document. This one uses vulnerability called CVE-2017-11882.
- Exploit.Rtf.CVE2012-0158
- Another malicious Microsoft Office Word document. This one uses a vulnerability called CVE2012-0158.
- Exploit.Rtf.435
- A malicious Microsoft Office document that uses the CVE-2017-11882 vulnerability to download the Trojan.Fbng.8 (FormBook) trojan on users’ devices.
- Trojan.PWS.Stealer.19347
- A family of trojans designed to steal passwords and other confidential information stored on an infected computer.
Increased malware activity:
- Trojan.Inject3.15480
- Trojan also known as Trojan.Fbng.8 (FormBook). The Trojan also known as FormBook. It’s designed to steal private data, but can also receive commands from the developer’s server.
Encryption ransomware
In May, victims of the following encryption ransomware most frequently contacted Doctor Web’s technical support service:
Trojan.Encoder.18000 — 15.38%Trojan.Encoder.858 — 9.89%Trojan.Encoder.11464 — 5.49%Trojan.Encoder.25574 — 5.49%Trojan.Encoder.11539 — 5.27%Trojan.Archivelock — 5.05%Trojan.Encoder.567 — 1.98%
Dr.Web Security Space for Windows protects against encryption ransomware
Dangerous websites
During May 2019, Doctor Web added 223,952 URLs to the Dr. Web database of non-recommended sites.
| April 2019 | May 2019 | Dynamics |
|---|---|---|
| + 345 999 | + 223 952 | - 35.27% |
Malicious and unwanted programs for mobile devices
In May, malware developers again distributed various malicious programs through the Google Play service. Researchers at Doctor Web discovered a trojan,
The most noticeable May event related to mobile malware:
- The spread of new malware on Google Play;
Find out more about malicious and unwanted programs for mobile devices in our special overview.
Learn more with Dr.Web
03.06 May 2019 mobile malware review from Doctor Web
June 3, 2019
In the past month, Android devices were once again targeted by malicious programs distributed via Google Play. The list contained the
PRINCIPAL TREND IN MAY
- Distribution of malicious applications on Google Play
Mobile threat of the month
The malware detected in May included spyware trojans from the
After installation and launch, these malicious programs attempted to assign themselves as the default SMS manager, requesting permission from the user. If permission was granted,
Specific features of the malware:
- it was intended for Spanish-speaking users;
- it was based on the open source SMSdroid software with an added trojan function.
According to statistics collected by Dr.Web for Android
Android.Backdoor .682.origin- A trojan that executes cybercriminals’ commands and helps them control infected mobile devices.
Android.RemoteCode .4411Android.RemoteCode .197.origin- Malicious applications designed to download and execute arbitrary code.
Android.HiddenAds .261.originAndroid.HiddenAds .1102- Trojans designed to display intrusive advertisements. They are distributed as popular applications by other malicious programs; which in some cases, covertly install them in the system catalog.
- Adware.Zeus.1
- Adware.Jiubang.2
Adware.AdPush .33.origin- Adware.Toofan.1.origin
- Unwanted program modules that embed themselves into Android applications and display obnoxious ads on mobile devices.
Tool.VirtualApk .1.origin- A riskware platform that allows applications to launch APK files without installing them.
Adware trojan
In early May, Doctor Web analysts discovered the
The malicious program did allow users to listen to music, but then hid its icon after the first launch, preventing users from launching it again.
New malicious and unwanted applications keep appearing on Google Play. Doctor Web recommends Android device owners to install Dr.Web for Android to protect themselves.
Your Android needs protection.
Use Dr.Web
- The first Russian anti-virus for Android
- Over 140 million downloads—just from Google Play
- Available free of charge for users of Dr.Web home products
14.05 A new threat for the macOS system spreads disguised as WhatsApp
May 14, 2019
Our researchers discovered the new threat on April 29. This malware was named
When users open one of those websites, the embedded code detects the visitor’s operating system and depending on that uploads either the backdoor or a trojan. If a visitor uses macOS, their device gets infected with
According to our information, the website spreading
06.05 Doctor Web’s April 2019 virus activity review
May 6, 2019
In April, Dr.Web’s statistics showed a 39.44% decrease in the number of unique threats compared to March; while the number of all detected threats decreased by 14.96%. E-mail traffic is still dominated by malware that uses the vulnerabilities of Microsoft Office programs. The previous month’s malware and unwanted programs trend also continues. The malicious browser extensions, unwanted programs and adware account for the majority of detected threats.
The number of non-recommended websites increased by 28.04%. One such website was used for spreading a banking trojan and stealer, along with the video and sound editing software, which we reported at the beginning of the month. Additionally, Doctor Web’s researchers warned about the phishing newsletter sent from official e-mails of large international companies.
Principal trends in April
- A decline in malware spreading activity
- An increase in the number of domain names added to the Dr.Web database of non-recommended websites
Threat of the month
Doctor Web researchers warned users about a compromised, popular website, which distributes video and sound editing software. Hackers hijacked download links on the website causing visitors to download the dangerous banking trojan, Win32.Bolik.2, and the Trojan.PWS.Stealer (KPOT) stealer, along with the editing software. Trojans of this family are designed to perform web injections, intercept traffic, log keys and steal information from different bank-client systems. Additionally, the attackers later changed the Win32.Bolik.2 trojan to another malware, the Trojan.PWS.Stealer (KPOT Stealer). This trojan steals information from browsers, Microsoft accounts, several messengers and some other programs.
According to Doctor Web’s statistics servers
Threats of the month:
- Adware.Softobase.12
- Installation adware that spreads outdated software and changes the browser’s settings.
- Adware.Ubar.13
- A torrent client designed to install unwanted programs on a user’s device.
- Trojan.Starter.7394
- Trojan designed for launching other malicious software on a victim’s device.
Adware.Downware.19283 - The sort of adware that is usually distributed as an installer for pirated software. Upon installation, it changes a browser’s settings and may install other software without asking for the user’s permission.
Statistics for malware discovered in email traffic
- Exploit.ShellCode.69
- A modified Microsoft Office document. It exploits the CVE-2017-11882 vulnerability in order to run malicious code.
- Exploit.Rtf.CVE2012-0158
- Another malicious Microsoft Office Word document. This one uses a vulnerability called CVE2012-0158.
- JS.DownLoader.1225
- A variety of malicious code written in JavaScript and designed to download and install other malware on a computer.
- Trojan.Encoder.26375
- A malicious program from the encryption ransomware family. This trojan encrypts files and demands a ransom for data decryption.
- W97M.DownLoader.2938
- A family of downloader Trojans that exploit vulnerabilities in office applications. Designed to download other malware onto a compromised computer.
Encryption ransomware
In April, Doctor Web’s technical support was most frequently contacted by victims of the following encryption ransomware:
Trojan.Encoder.858 — 17.95%Trojan.Encoder.18000 — 14.65%Trojan.Encoder.11464 — 7.69%Trojan.Archivelock — 5.49%Trojan.Encoder.567 — 3.85%Trojan.Encoder.11539 — 3.85%Trojan.Encoder.25574 — 2.75%
Dr.Web Security Space for Windows protects against encryption ransomware
Dangerous websites
During April 2019, Doctor Web added 345,999 URLs to the Dr.Web database of non-recommended websites.
| March 2019 | April 2019 | Dynamics |
|---|---|---|
| + 270 227 | + 345 999 | + 28.04% |
Malicious and unwanted programs for mobile devices
In April, Doctor Web reported the dangerous trojan,
Also during April, new malware such as trojan downloaders and clickers were discovered in the Google Play catalogue, as well as new credential stealers for Instagram, called Android.PWS.Instagram.4 and Android.PWS.Instagram.5.
Additionally, new banking trojans threatened Android smartphone and tablet users. Among them were new versions of the
Among the most noticeable April events related to mobile malware were:
- the spread of malicious programs on Google Play;
- the distribution of banking trojans.
Learn more with Dr.Web
30.04 April 2019 mobile malware review from Doctor Web
April 30, 2019
In April Doctor Web reported on the
PRINCIPAL TRENDS IN APRIL
- The detection of new malicious applications on Google Play
- Distribution of banking trojans
Mobile threat of the month
In early April Doctor Web reported on a dangerous trojan,
According to statistics collected by Dr.Web for Android
Android.Backdoor .682.origin- A trojan that executes cybercriminals’ commands and helps them control infected mobile devices.
Android.HiddenAds .1102Android.HiddenAds .261.origin- Trojans designed to display intrusive advertisements. They are distributed as popular applications by other malicious programs; which in some cases, covertly install them in the system catalog.
Android.RemoteCode .4411- A malicious application designed to download and execute arbitrary code.
Android.DownLoader .812.origin- A Trojan that downloads other malicious applications.
- Adware.Zeus.1
Adware.AdPush .33.origin- Adware.Toofan.1.origin
- Adware.Jiubang.2
- Unwanted program modules that incorporate themselves into Android applications and display obnoxious ads on mobile devices.
Tool.VirtualApk .1.origin- A riskware platform that allows applications to launch APK files without installing them.
Banking trojans for Android
Over the past month, banking trojans threatened users of Android devices. In late April Doctor Web virus analysts detected new modifications of the
These modifications of
These trojan modifications are able to intercept and send SMS on hackers’ command, show phishing windows, make calls, and listen to the surrounding environment using the device’s built-in microphone. On top of that, they can control smartphones and tablets; for example, they can turn on Wi-Fi, connect to the Internet via a mobile network, block the screen, and so on.
In addition, new downloaders from the
Trojans on Google Play
Aside from downloaders, other trojans, such as
This malicious software opens hidden activity with several WebView elements. A website is loaded on one of them to get commands. Hackers use other WebViews to load different JavaScript and specified websites where they simulate user actions. On these websites, they click links and banner ads to drive up hit and click counters. Hackers can also subscribe mobile device owners to paid services by clicking on special buttons if service providers support the Wap-Click technology of fast subscription. To make themselves more difficult to delete, trojans hide their icons from the operating system’s main screen.
In late April, new entries were added to the Dr.Web virus database to detect the trojans
Other threats
The
To distribute itself among a greater number of users, the trojan sent SMS with a link to the download page of its copy to all contacts of the infected device. The main goal of
Users of Android devices are threatened by different trojan applications that are distributed not only via malicious websites, but also via the official Google Play store. To protect smartphones and tablets, we recommend that you install Dr.Web for Android.
Your Android needs protection.
Use Dr.Web
- The first Russian anti-virus for Android
- Over 140 million downloads—just from Google Play
- Available free of charge for users of Dr.Web home products
11.04 The official website of a popular video editing software was infected with a banking trojan
April 11, 2019
VSDC is a popular, free software for editing video and sound. According to SimilarWeb statistics, monthly visits of the VSDC website come close to 1.3 million users. However, the security measures taken by the website’s developers often turn out to be insufficient for such traffic volume, which endangers a large number of people.
Last year unknown hackers gained access to the administrative side of the VSDC website and replaced the download links. Instead of the editing software, users received a JavaScript file, which then downloaded the AZORult Stealer, X-Key Keylogger and the DarkVNC backdoor. The VSDC team stated that they closed the vulnerability, but recently we received information about additional cases of infection through their website.
According to our researchers, the VSDC developer’s computer has been compromised several times since the previous incident. One such hack led to the website being compromised again between 2019-02-21 and 2019-03-23. This time hackers took a different approach to spreading the malware: they embedded a malicious JavaScript code inside the VSDC website. Its task was to determine the visitor’s geolocation and replace download links for users from the UK, USA, Canada and Australia. Native website links were substituted by links to another compromised website:
- https://thedoctorwithin[.]com/video_editor_x64.exe
- https://thedoctorwithin[.]com/video_editor_x32.exe
- https://thedoctorwithin[.]com/video_converter.exe
Users that downloaded software from that website also received a dangerous banking trojan, Win32.Bolik.2. Same as its predecessor,
Additionally, on 22.03.2019 the attackers changed the Win32.Bolik.2 trojan to another malware, a variation of the Trojan.PWS.Stealer, KPOT Stealer. This trojan steals information from browsers, Microsoft accounts, several messengers and some other programs. In just one day it was downloaded by 83 users.
The VSDC developers were notified about the threat; and at the present moment, download links were restored to the originals. However, Doctor Web experts recommend that all VSDC users check their devices with our antivirus.
#banker #banking_trojan #virus
03.04 Doctor Web’s March 2019 virus activity review
April 3, 2019
In March, Doctor Web’s analysts finished studying the trojan that threatened the Counter-Strike 1.6 players. Included in the main threats identified in March is a dynamic in how principal threats compare to the previous month’s. For example, the activity of Trojan.MulDrop8.60634 has decreased three times since February, while the number of threats like Trojan.Packed.24060 and Adware.OpenCandy.243 increased in March. Additionally, the number of domain names added to Dr.Web’s database of non-recommended and dangerous websites has decreased. Doctor Web has also received more data decoding requests from ransomware victims.
Principal trends in March
- The rise of malicious browser extensions
- A spike in adware activity and unwanted programs
- An increase in the number of applications submitted by ransomware victims
Threat of the month
In March Doctor Web’s analysts published a thorough study of the Belonard trojan, which exploits zero-day vulnerabilities in the Counter-Strike 1.6 Steam client. Once on the victim’s computer, the trojan replaces the client files and creates proxies to infect other users. The number of malicious CS 1.6 servers created by the Belonard trojan rose to 39% of all official servers registered on Steam. Now all modules of the Belonard Trojan have been successfully detected by Dr.Web’s products and no longer pose a threat to our customers.
According to Doctor Web’s statistics servers
Threats of the month:
Trojan.Packed.24060 - This program installs malicious browser extensions that redirect search results to different websites.
- Adware.Softobase.12
- Installation adware that spreads outdated software and changes the browser’s settings. Installation adware that spreads outdated software and changes the browser’s settings.
Adware.OpenCandy.243 - A family of applications designed to install other software in the system. These programs are used by free software developers in order to monetize their apps. A family of applications designed to install other software in the system. These programs are used by developers of free software in order to monetize their apps.
- Adware.Ubar.13
- A torrent client designed to install unwanted programs on a user’s device.
- Trojan.Starter.7394
- A trojan designed to launch other malicious software on a victim’s device.
Decreased amount of threats from:
- Trojan.MulDrop8.60634
- Installs malware in a system. All the components necessary for installation are usually stored inside the MulDrop itself.
- Adware.Downware.19283
- The sort of adware that is usually distributed as an installer for pirated software. Upon installation, it changes a browser’s settings and may install other software without asking for the user’s permission.
Statistics for malware discovered in email traffic
- Exploit.ShellCode.69
- Another malicious Microsoft Office Word document. This one uses vulnerability called CVE-2017-11882.
- W97M.DownLoader.2938
- A family of downloader Trojans that exploit vulnerabilities in office applications. Designed to download other malware onto a compromised computer.
- Exploit.Rtf.CVE2012-0158
- A modified Microsoft Office document. It exploits the CVE2012-0158 vulnerability in order to run malicious code.
Trojan.SpyBot.699 - A multi-module banking trojan. It allows cybercriminals to download and launch various applications on an infected device and to execute their commands. The trojan is intended to steal money from bank accounts.
- JS.DownLoader.1225
- A variety of malicious code written in JavaScript and designed to download and install other malware on a computer.
Trojan.PWS.Stealer.23680 - A family of Trojans designed to steal passwords and other confidential information stored on an infected computer.
Encryption ransomware
In March, Doctor Web’s technical support was most often contacted by victims of the following encryption ransomware:
Trojan.Encoder.858 —28.39%;Trojan.Encoder.18000 —9.54%;Trojan.Encoder.27210 —4.25%;Trojan.Encoder.11464 —4.14%;Trojan.Encoder.11539 —4.14%;Trojan.Encoder.567 —2.76%;Trojan.Archivelock —2.34%
Dr.Web Security Space for Windows protects against encryption ransomware
Dangerous websites
During March 2019, Doctor Web added 270,227 URLs into the Dr.Web database of non-recommended sites.
| February 2019 | March 2019 | Dynamics |
|---|---|---|
| + 288 159 | + 270 227 | - 6.63% |
Malicious and unwanted programs for mobile devices
In the past month Doctor Web specialists found many new malicious programs on Google Play. Among them was the infamous family of
Beyond that, more trojans of the
Additionally, hackers continued to spread banking trojans. Doctor Web reported on one such trojan at the end of March. The malicious software known as Flexnet steals money from banking accounts and mobile phones balance.
At the end of the month, Doctor Web’s researchers disclosed details about the vulnerability in the popular Android browser, “UC Browser”, which was able to download plug-ins bypassing the Google Play servers. This vulnerability could have been exploited by hackers in order to spread malware.
Among the most noticeable events related to mobile malware in March:
- the detection of a vulnerability in the UC Browser;
- the spread of malicious programs on Google Play.
- the distribution of banking trojans.
Find out more about malicious and unwanted programs for mobile devices in our special overview.
Find out more with Dr.Web
03.04 March 2019 mobile malware review from Doctor Web
April 3, 2019
In March, Doctor Web reported a vulnerability in the mobile app, UC Browser, which can download new modules from third-party server. Cybercriminals could use this feature to infect Android smartphones and tablets. Additionally, malware analysts shared information about the Flexnet trojan that stole money from bank cards and mobile credit accounts. During March, other malicious applications were detected on Google Play.
PRINCIPAL TRENDS IN MARCH
- Detection of a vulnerability in UC Browser
- Distribution of banking trojans
- The detection of new malicious programs on Google Play
Mobile threat of the month
At the end of March, Doctor Web reported a vulnerability in the UC Browser app for Android, discovered by our malware analysts. This program downloaded additional plugins, bypassing Google Play servers and thus violating Google’s policies. Cybercriminals could interfere with the download and make the browser download and launch malicious files instead. Over 500,000,000 mobile users have been exposed to threats. See the details of this vulnerability in our virus library.
According to statistics collected by Dr.Web for Android
Android.Backdoor .682.originAndroid.Backdoor .2080- Trojans that execute commands from attackers and allow them to control infected mobile devices.
Android.RemoteCode .197.origin- Malicious application designed to download and execute arbitrary code.
Android.HiddenAds .659Android.HiddenAds .261.origin- Trojans designed to display intrusive advertisements. They are distributed as popular applications by other malicious programs, which in some cases covertly install them in the system catalog.
- Adware.Zeus.1
- Adware.Jiubang.2
- Adware.Toofan.1.origin
- Adware.Gexin.3.origin
- Unwanted program modules that incorporate themselves into Android applications and display obnoxious ads on mobile devices.
Tool.VirtualApk .1.origin- A potentially dangerous software platform that allows applications to run APK files without installing them.
Banking trojans for Android
Cybercriminals continue to distribute banking trojans based on the source code of the
Threats on Google Play
In March, we found more malicious programs on Google Play, including the trojans
In addition, our malware analysts identified more trojans of the
After installation and launch, they hide their icons and begin constantly overlaying ads over program windows and the operating system interface, making it difficult to work with the Android devices.
Users of Android devices are threatened by trojans not only distributed via malicious websites, but also via the official Google Play store. To protect smartphones and tablets, we recommend that you install Dr.Web for Android.
Your Android needs protection!
Use Dr.Web
- First Russian anti-virus for Android
- Over 140 million downloads—just from Google Play!
- Available free of charge for users who purchase Dr.Web home products
21.03 Doctor Web: Android banker Flexnet uses computer games to steal money from users
March 21, 2019
Flexnet is based on the GM Bot Trojan, researched by Doctor Web malware analysts back in February 2015. The malicious app’s source code was published in 2016. Soon, the first versions of Flexnet were created thanks to everything achieved by GM Bot’s authors. Attacks against Android mobile devices using this Trojan continue happening to this day.
The cybercriminals distribute Flexnet Trojans via spam texting. In the messages, the potential victims are encouraged to follow the link and download some program or game. The Trojan disguises itself as applications such as Drug Vokrug (a dating and chatting app), GTA V, tools for Instagram and VKontakte account promotion, as well as other software.
Fig. 1. Example of software icons used by the Trojan.
When launched, the Trojan requests admin privileges, displaying a standard dialog box. If the victim grants the permissions, the Trojan falsely reports an error and removes its icon from the home screen to hide from the user so as not to be removed.
Fig. 2-3. An attempt to request admin privileges and a false error message.
Compared with modern Android bankers, Flexnet’s capabilities are quite limited. The Trojan is capable of hooking and sending text messages, as well as performing USSD requests. However, these functions are enough to steal money using various fraudulent means.
One of them is topping up the in-game accounts of popular computer games via SMS. First, the Trojan checks a user's bank card balance by sending an SMS request to the mobile banking service system. Then it hooks the response message with the account balance and transmits this information to cybercriminals. Next, the attackers request to top up the gaming account, indicating the victim’s phone number and the amount to transfer. The user then receives a text message with a verification code. The Trojan intercepts this message, transfers its contents to the cybercriminals, and finally they give the Trojan a command to send the verification code to confirm the transaction.
See below the example of money theft using this method:
Fig. 4. Top-up of Wargaming accounts. The Trojan hooks the messages from a bank’s billing system and, at the command of cybercriminals, sends a reply with a payment confirmation code to transfer RUB 2,475.
Other fraudulent schemes are implemented in a similar way. For example, the cybercriminals can pay for hosting using money from their victims’ mobile credit. To do this, the Trojan sends text messages with the necessary parameters to certain phone numbers. See below the example of such payment.
Fig. 5. Trojan texting the transfer amount (RUB 299 and RUB 1,000) and account names on the jino.ru hosting service to top up the balance of cybercriminals.
The attackers can steal money even if the victim does not have enough on the balance. They use the credit options provided by mobile carriers. As in other cases, the cybercriminals instruct the Trojan to send a text with the necessary parameters. Owners of the infected devices are oblivious to the money loss because the banker hides all suspicious messages.
Fig. 6. The fraudsters attempt to pay for the My.com service, but the amount on the victim’s mobile credit is not enough to do it. They command the Trojan to use the credit option and successfully perform the transfer. Thus, the device owner is left with a phone debt.
Additionally, the Trojan can transfer money from victims’ bank cards to cybercriminals’ accounts. However, financial institutions use specific algorithms to track suspicious transactions, so the probability of them being blocked is very high, while the above schemes allow the fraudsters to steal relatively small amounts for a long time and go unnoticed.
Another feature of Flexnet involves stealing confidential data. The cybercriminals can get ahold of accounts on social media, online stores, the websites of mobile carriers, and other online services. Knowing the victim’s mobile phone number, the cybercriminals try to log into their account. The service sends a text with a one-time verification code, which the Trojan hooks and sends to the attackers.
Fig. 7. Texts with one-time access codes of various services, hooked by the Trojan.
If the number used on the infected device is not registered with the target services, the cybercriminals can use it to register a new account. In the future, those compromised and newly created accounts can enter the black market and then be used to send spam and arrange phishing attacks.
With the assistance of the REG.ru registrar, several Flexnet command and control servers were blocked, and the cybercriminals no longer control some of the infected devices.
Doctor Web reminds owners of Android smartphones and tablets that software and games should only be installed from reliable sources such as Google Play. You are strongly advised to pay attention to the reviews of other users and use software from trusted developers.
Dr. Web for Android detects all known modifications of the Flexnet Trojan as parts of the
#Android, #banking_Trojan, #two_factor_authentication
Your Android needs protection
Use Dr.Web
- The first Russian Anti-virus for Android
- More than 140 million downloads on Google Play alone
- Free for users of Dr.Web home products
11.03 Study of the Belonard Trojan, exploiting zero-day vulnerabilities in Counter-Strike 1.6
March 11, 2019
Introduction
The game Counter-Strike 1.6 was released by Valve Corporation back in 2000. Despite its rather considerable age, it still has a large fan base. The number of players using official CS 1.6 clients reaches an average of 20,000 people online, while the overall number of game servers registered on Steam exceeds 5,000. Selling, renting, and promoting game servers is now deemed an actual business, and these services can be purchased on various websites. For example, raising a server’s rank for a week costs about 200 rubles, which is not much, but a large number of buyers make this strategy a rather successful business model.
Many owners of popular game servers also raise money from players by selling various privileges such as protection against bans, access to weapons, etc. Some server owners advertise themselves independently, while others purchase server promotion services from contractors. Having paid for a service, customers often remain oblivious as to how exactly their servers are advertised. As it turned out, the developer nicknamed, “Belonard”, resorted to illegal means of promotion. His server infected the devices of players with a Trojan and used their accounts to promote other game servers.
The owner of the malicious server uses the vulnerabilities of the game client and a newly written Trojan as a technical foundation for their business. The Trojan is to infect players’ devices and download malware to secure the Trojan in the system and distribute it to devices of other players. For that, they exploit Remote Code Execution (RCE) vulnerabilities, two of which have been found in the official game client and four in the pirated one.
Once set up in the system, Trojan.Belonard replaces the list of available game servers in the game client and creates proxies on the infected computer to spread the Trojan. As a rule, proxy servers show a lower ping, so other players will see them at the top of the list. By selecting one of them, a player gets redirected to a malicious server where their computer become infected with Trojan.Belonard.
Using this pattern, the developer of the Trojan managed to create a botnet that makes up a considerable part of the CS 1.6 game servers. According to our analysts, out of some 5,000 servers available from the official Steam client, 1,951 were created by the Belonard Trojan. This is 39% of all game servers. A network of this scale allowed the Trojan’s developer to promote other servers for money, adding them to lists of available servers in infected game clients.
We previously reported a similar incident with CS 1.6, where a Trojan could infect a player’s device via a malicious server. However, a user then had to approve the download of malicious files, while this time, a Trojan attacks devices unnoticed by the users. Doctor Web have informed Valve about these and other vulnerabilities of the game, but as of now, there is no data on when the vulnerabilities will be fixed.
Infection of a client
Trojan.Belonard consists of 11 components and operates under different scenarios, depending on the game client. If the official client is used, the Trojan infects the device using an RCE vulnerability, exploited by the malicious server, and then establishes in the system. A clean pirated client is infected the same way. If a user downloads an infected client from the website of the owner of the malicious server, the Trojan’s persistence in the system is ensured after the first launch of the game.
Let us touch upon the process of infecting a client in more detail. A player launches the official Steam client and selects a game server. Upon connecting to a malicious server, it exploits an RCE vulnerability, uploading one of the malicious libraries to a victim’s device. Depending on the type of vulnerability, one of two libraries will be downloaded and executed: client.dll (Trojan.Belonard.1) or Mssv24.asi (Trojan.Belonard.5).
Once on the victim’s device, Trojan.Belonard.1 deletes any .dat files that are in the same directory with the library process file. After that, the malicious library connects to the command and control server, fuztxhus.valve-ms[.]ru:28445, and sends it an encrypted request to download the file Mp3enc.asi (Trojan.Belonard.2). The server then sends the encrypted file in response.
This is a screenshot of a decrypted data packet from the server:
Installation into the client
Infection of the official or pirated client is performed using the specific feature of the Counter-Strike client. When launched, the game automatically downloads any ASI files from the game root.
The client downloaded from the website of the Trojan’s developer is already infected with Trojan.Belonard.10 (the file name is Mssv36.asi), but the trojan installs in the system differently than in clean versions of game clients. After installation of an infected client, Trojan.Belonard.10 checks for one of its components in the user's OS. If there is none, it drops the component from its body and downloads Trojan.Belonard.5 (the file name is Mssv24.asi) into its process memory. Like many other modules, Trojan.Belonard.10 changes the date and time of creation, modification, or access to the file, so that the Trojan’s files cannot be found by sorting the contents of the folder by creation date.
After installing a new component, Trojan.Belonard.10 remains in the system and acts as a protector of the client. It filters requests, files, and commands received from other game servers and transfers data about attempted changes to the client to the Trojan developer’s server.
Trojan.Belonard.5 receives information about the running process and the paths to the module in DllMain. If the process name is not rundll32.exe, it starts a separate threads for subsequent actions. In the running thread, Trojan.Belonard.5 creates the key [HKCU\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Layers] '<path to the executable file process>', assigns it the value “RUNASADMIN”, and checks the module name. If it is not “Mssv24.asi”, it copies itself in the “Mssv24.asi” module, deletes the version with a different name, and launches Trojan.Belonard.3 (the file name is Mssv16.asi). If the name matches, it immediately downloads and launches the Trojan.
Embedment in a clean client is performed by Trojan.Belonard.2. After download, it checks in DllMain the name of the process in which client.dll(Trojan.Belonard.1) is loaded. If it is not rundll32.exe, it creates a thread with the key [HKCU\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Layers] '<path to the executable file process>’, and assigns it the value “RUNASADMIN”. After that, it collects data about the user’s device and extracts information from the DialogGamePage.res file. Then it sends the collected data to the server of the Trojan developer in an encrypted format.
Collected system data structure:
In response, the server sends the Mssv16.asi file,(Trojan.Belonard.3). Meta-information about the new module is saved in the file DialogGamePage.res, while Trojan.Belonard.5 is removed from the user’s device.
Installation in the system
The process of ensuring persistence in the system starts with Trojan.Belonard.3. Once on the device, it removes Trojan.Belonard.5 and checks the process, in the context of which it runs. If it is not rundll32.exe, it saves two other Trojans to %WINDIR%\System32\: Trojan.Belonard.7 (the file name is WinDHCP.dll) and Trojan.Belonard.6 (davapi.dll). At the same time, unlike Trojan.Belonard.5, the seventh and sixth ones are stored within the Trojan in a disassembled form. The bodies of these two Trojans are divided into blocks of 0xFFFC bytes (the last block may be smaller). When saved to disk, the Trojan assembles the blocks together to obtain working files.
Having assembled the Trojans, Trojan.Belonard.3 creates a WinDHCP service to run WinDHCP.dll (Trojan.Belonard.7) in the context of svchost.exe. Depending on language settings, the OS uses texts in Russian or English to set service parameters.
WinDHCP service parameters:
- Service name: “Windows DHCP Service” or “Служба Windows DHCP”;
- Description: “Windows Dynamic Host Configuration Protocol Service” or “Служба протокола динамической настройки узла Windows”;
- The ImagePath parameter is specified as “%SystemRoot%\System32\svchost.exe -k netsvcs”, while ServiceDll specifies the path to the Trojan library.
After that, Trojan.Belonard.3 regularly checks if the WinDHCP service is running. If it is not running, it reinstalls the service.
Trojan.Belonard.7 is WinDHCP.dll with a ServiceMain exported function, installed on the infected device by an autorun service. Its purpose is to check the “Tag” parameter in the registry of the key “HKLM\\SYSTEM\\CurrentControlSet\\Services\\WinDHCP”. If it is set to 0, Trojan.Belonard.7 loads the davapi.dll library (Trojan.Belonard.6) and calls its exported function, passing a pointer to a SERVICE_STATUS as an argument, which reflects the status of the WinDHCP service. Then it waits for 1 second and checks the “Tag” parameter once more. If the value does not match 0, Trojan.Belonard.7 loads the spwinres.dll library (Trojan.Belonard.4), which is an older version of Trojan.Belonard.6. After that, it calls spwinres.dll’s exported function, passing a pointer to a SERVICE_STATUS as an argument, which reflects the status of the WinDHCP service.
The Trojan repeats these actions every second.
WinDHCP service parameters from our customer’s report:
<RegistryKey Name="WinDHCP" Subkeys="1" Values="11">
<RegistryKey Name="Parameters" Subkeys="0" Values="1">
<RegistryValue Name="ServiceDll" Type="REG_EXPAND_SZ" SizeInBytes="68" Value="%SystemRoot%\system32\WinDHCP.dll" />
</RegistryKey>
<RegistryValue Name="Type" Type="REG_DWORD" Value="32" />
<RegistryValue Name="Start" Type="REG_DWORD" Value="2" />
<RegistryValue Name="ErrorControl" Type="REG_DWORD" Value="0" />
<RegistryValue Name="ImagePath" Type="REG_EXPAND_SZ" SizeInBytes="90" Value="%SystemRoot%\System32\svchost.exe -k netsvcs" />
<RegistryValue Name="DisplayName" Type="REG_SZ" Value="Служба Windows DHCP" />
<RegistryValue Name="ObjectName" Type="REG_SZ" Value="LocalSystem" />
<RegistryValue Name="Description" Type="REG_SZ" Value="Служба протокола динамической настройки узла Windows" />
<RegistryValue Name="Tag" Type="REG_DWORD" Value="0" />
<RegistryValue Name="Data" Type="REG_BINARY" SizeInBytes="32" Value="f0dd5c3aeda155767042fa9f58ade24681af5fbd45d5df9f55a759bd65bc0b7e" />
<RegistryValue Name="Scheme" Type="REG_BINARY" SizeInBytes="16" Value="dcef62f71f8564291226d1628278239e" />
<RegistryValue Name="Info" Type="REG_BINARY" SizeInBytes="32" Value="55926164986c6020c60ad81b887c616db85f191fda743d470f392bb45975dfeb" />
</RegistryKey>
Before the startup of all functions, Trojan.Belonard.6 checks the “Tag” and “Data” parameters in the WinDHCP service registry. The “Data” parameter must contain an array of bytes used to generate the AES key. If there is none, the Trojan uses the openssl library to generate 32 random bytes, which will later be used to generate the encryption key. After that, the Trojan reads the “Info” and “Scheme” parameters of the WinDHCP service. In “Scheme”, the Trojan stores 4 parameters, encrypted with AES. “Info” stores the SHA256 hash of the list of installed programs.
Having collected this data, Trojan.Belonard.6 decrypts the address of the C&C server — oihcyenw.valve-ms[.]ru — and tries to establish a connection. If it fails, the Trojan uses DGA to generate domains in the .ru zone. However, an error in the domain generation code prevents the algorithm from creating the domains intended for the Trojan developer.
After sending the encrypted information, the Trojan receives a response from the server, decrypts it and saves the transferred files to %WINDIR%\System32\. This data contains the Trojans wmcodecs.dll (Trojan.Belonard.8) and ssdp32.dll (Trojan.Belonard.9).
Apart from the above functions, Trojan.Belonard.6 also triggers the following actions at random intervals:
- Search for running Counter-Strike clients;
- Launch of Trojan.Belonard.9;
- Connecting to the developer’s server.
Periods can be changed at the command from the C&C server.
Payload and distribution
Belonard also installs in new game clients found on the device. This is performed by Trojan.Belonard.8 and Trojan.Belonard.6.
Trojan.Belonard.8 initializes a container with data about Counter-Strike 1.6 client file names and their SHA256 hashes. Trojan.Belonard.6 starts to search for installed game clients. If the Trojan finds a running client, it checks the list of files and their SHA256 hashes against the data received from Trojan.Belonard.8. If it does not match, Trojan.Belonard.8 ends the clean client process, and then drops the file hl.exe to the game directory. This file is only needed to display the following error message upon loading the game “Could not load game. Please try again at a later time.” This allows the Trojan to gain time for replacing the files of the client. When it is done, the Trojan replaces hl.exe with a working file and the game starts without an error.
The Trojan deletes the following client files:
<path>\\valve\\dlls\\*
<path>\\cstrike\\dlls\\*
<path>\\valve\\cl_dlls\\*
<path>\\cstrike\\cl_dlls\\*
<path>\\cstrike\\resource\\*.res
<path>\\valve\\resource\\*.res
<path>\\valve\\motd.txt
<path>\\cstrike\\resource\\gameui_english.txt
<path>\\cstrike\\resource\\icon_steam.tga
<path>\\valve\\resource\\icon_steam.tga
<path>\\cstrike\\resource\\icon_steam_disabled.tga
<path>\\valve\\resource\\icon_steam_disabled.tga
<path>\\cstrike\\sound\\weapons\\fiveseven_reload_clipin_sliderelease.dll
<path>\\cstrike_russian\\sound\\weapons\\fiveseven_reload_clipin_sliderelease.dll
<path>\\cstrike_romanian\\sound\\weapons\\fiveseven_reload_clipin_sliderelease.dll
Depending on the OS language settings, the Trojan downloads English or Russian game menu files.
Modifications to the game client contain files of Trojan.Belonard.10, as well as an advertisement of the Trojan developer’s websites. When a player starts the game, their nickname will change to the address of the website where an infected game client can be downloaded, while the game menu will show a link to the VKontakte CS 1.6 community with more than 11,500 subscribers.
The Trojan’s payload is to emulate a number of fake game servers on the user’s device. To do this, the Trojan transfers information about the game client to the developer’s server and receives encrypted parameters for creating fake servers in response.
Trojan.Belonard.9 creates proxy game servers and registers them with the Steam API. Game server ports are defined sequentially from the lowest value of game_srv_low_port specified by the server. The server also sets the value for fakesrvbatch, which determines the number of protocol emulator threads. The emulator supports basic requests to a Goldsource engine game server: A2S_INFO, A2S_PLAYER, A2A_PING, receiving the “challenge steam/non-steam client” request, as well as the “connect” command of the Counter-Strike client. After responding to the “connect” command, the Trojan tracks the first and the second packet from the client.
After exchanging packets, the Trojan sends the last packet, svc_director, with a DRC_CMD_STUFFTEXT type of message, which enables the execution of arbitrary commands of the Counter-Strike client. This issue has been known to Valve since 2014 and has not been fixed yet. Thus, attempting to connect to the game proxy server, the player will be redirected to the malicious server. After that, the Trojan developer will be able to exploit the vulnerabilities of the user's game client to install Trojan.Belonard.
It is worth mentioning that Trojan.Belonard.9 contains a bug, which allows us to detect fake game servers, created by the Trojan. Moreover, some of those servers can be identified by the name: in the “Game” column, the fake server will have a string “Counter-Strike n”, where n can be a number from 1 to 3.
Encryption
Belonard uses encryption to store data in the Trojan and communicate with the server. It stores the encrypted name of the C&C server, as well as some lines of code and library names. There is one encryption algorithm with different constants for individual modules of the Trojan. The older versions of the Trojan used another algorithm to encrypt lines of code.
Decryption algorithm in Trojan.Belonard.2:
def decrypt(d):
s = ''
c = ord(d[0])
for i in range(len(d)-1):
c = (ord(d[i+1]) + 0xe2*c - 0x2f*ord(d[i]) - 0x58) & 0xff
s += chr(c)
return s
Decryption algorithm from the older versions:
def decrypt(data):
s = 'f'
for i in range(0,len(data)-1):
s += chr((ord(s[i]) + ord(data[i]))&0xff)
print s
Belonard uses a more sophisticated encryption to exchange data with the command and control server. Before sending the information to the server, the Trojan turns it into a different structure for each module. Collected data is encrypted by RSA using the public key stored within the malware. However, it must be mentioned that RSA is used for encryption of first 342 bytes of data only. If a module sends a packet of data larger than 342 bytes, only this much will be encrypted by RSA; the rest of the data will be encrypted by AES. The data for AES key is stored in a part, encrypted by RSA key. The data for AES key is stored in a part, encrypted by RSA key, along with the data needed for generating AES key, which is used by C&C server for encrypting its answers.
Then, after a zero byte added at the beginning of the packet, the data is sent to the C&C server. To which the server replies with an encrypted packet that contains information about the size of the payload and its SHA256 hash in its header, which is needed to be verified against the AES key.
The server may reply with
#pragma pack(push,1)
struct st_payload
{
_BYTE hash1[32];
_DWORD totalsize;
_BYTE hash2[32];
_DWORD dword44;
_DWORD dword48;
_DWORD dword4c;
_WORD word50;
char payload_name[];
_BYTE payload_sha256[32];
_DWORD payload_size;
_BYTE payload_data[payload_size];
}
#pragma pack(pop)
Decryption is performed with AES in a CFB mode with a block size of 128 bits and the key sent earlier to the server. The first 36 bytes of data are decrypted first, including the last DWORD value that shows the actual payload with the header. The DWORD value adds to the AES key and is hashed using SHA256. The resulting hash must match the first 32 decrypted bytes. The rest of the received data is decrypted only after this.
Botnet shutdown
Doctor Web’s analysts took all necessary measures in order to neutralize the Belonard trojan and stop botnet from growing. The delegation of the domain names used by the malware developer was suspended with the help of REG.ru domain name registrar. Since redirection from a fake game server to the malicious one happened via domain name, CS 1.6 players will no longer be in danger of connecting to the malicious server and getting infected by the Belonard trojan. This interrupted work of almost all the components of the malware.
Beyond that, Dr.Web’s virus database was updated with entries to detect all the Belonard components. The modules that switched to DGA are currently monitored. After all the necessary actions were taken, the sinkhole server registered 127 infected game clients. In addition to that, our telemetry showed that Dr.Web anti-virus detected modules of the Trojan.Belonard on 1004 devices of our clients.
At the present moment, Belonard botnet can be considered neutralized; but in order to ensure the safety of Counter-Strike game clients, it is necessary to close current vulnerabilities.
Indicators of compromise
SHA-1 hashes
8bbc0ebc85648bafdba19369dff39dfbd88bc297 - Backdoored Counter-Strike 1.6 client
200f80df85b7c9b47809b83a4a2f2459cae0dd01 - Backdoored Counter-Strike 1.6 client
8579e4efe29cb999aaedad9122e2c10a50154afb - Backdoored Counter-Strike 1.6 client
ce9f0450dafda6c48580970b7f4e8aea23a7512a - client.dll - Trojan.Belonard.1
75ec1a47404193c1a6a0b1fb61a414b7a2269d08 - Mp3enc.asi - Trojan.Belonard.2
4bdb31d4d410fbbc56bd8dd3308e20a05a5fce45 - Mp3enc.asi - Trojan.Belonard.2
a0ea9b06f4cb548b7b2ea88713bd4316c5e89f32 - Mssv36.asi - Trojan.Belonard.10
e6f2f408c8d90cd9ed9446b65f4b74f945ead41b - FileSystem.asi - Trojan.Belonard.11
15879cfa3e5e4463ef15df477ba1717015652497 - Mssv24.asi - Trojan.Belonard.5
4b4da2c0a992d5f7884df6ea9cc0094976c1b4b3 - Mssv24.asi - Trojan.Belonard.5
6813cca586ea1c26cd7e7310985b4b570b920803 - Mssv24.asi - Trojan.Belonard.5
6b03e0dd379965ba76b1c3d2c0a97465329364f2 - Mssv16.asi - Trojan.Belonard.3
2bf76c89467cb7c1b8c0a655609c038ae99368e9 - Mssv16.asi - Trojan.Belonard.3
d37b21fe222237e57bc589542de420fbdaa45804 - Mssv16.asi - Trojan.Belonard.3
72a311bcca1611cf8f5d4d9b4650bc8fead263f1 - Mssv16.asi - Trojan.Belonard.3
73ba54f9272468fbec8b1d0920b3284a197b3915 - davapi.dll - Trojan.Belonard.6
d6f2a7f09d406b4f239efb2d9334551f16b4de16 - davapi.dll - Trojan.Belonard.6
a77d43993ba690fda5c35ebe4ea2770e749de373 - spwinres.dll - Trojan.Belonard.4
8165872f1dbbb04a2eedf7818e16d8e40c17ce5e - WinDHCP.dll - Trojan.Belonard.7
027340983694446b0312abcac72585470bf362da - WinDHCP.dll - Trojan.Belonard.7
93fe587a5a60a380d9a2d5f335d3e17a86c2c0d8 - wmcodecs.dll - Trojan.Belonard.8
89dfc713cdfd4a8cd958f5f744ca7c6af219e4a4 - wmcodecs.dll - Trojan.Belonard.8
2420d5ad17b21bedd55309b6d7ff9e30be1a2de1 - ssdp32.dll - Trojan.Belonard.9
File names
client.dll - Trojan.Belonard.1
Mp3enc.asi - Trojan.Belonard.2
Mssv16.asi - Trojan.Belonard.3
spwinres.dll - Trojan.Belonard.4
Mssv24.asi - Trojan.Belonard.5
davapi.dll - Trojan.Belonard.6
WinDHCP.dll - Trojan.Belonard.7
wmcodecs.dll - Trojan.Belonard.8
ssdp32.dll - Trojan.Belonard.9
Mssv36.asi - Trojan.Belonard.10
FileSystem.asi - Trojan.Belonard.11
Domain names
csgoogle.ru
etmpyuuo.csgoogle.ru
jgutdnqn.csgoogle.ru
hl.csgoogle.ru
half-life.su
play.half-life.su
valve-ms.ru
bmeadaut.valve-ms.ru
fuztxhus.valve-ms.ru
ixtzhunk.valve-ms.ru
oihcyenw.valve-ms.ru
suysfvtm.valve-ms.ru
wcnclfbi.valve-ms.ru
reborn.valve-ms.ru
IP addresses
37.143.12.3
46.254.17.165
March 11, 2019
Trojan.Belonard gets installed on a device upon connecting to a malicious game server. The Trojan exploits vulnerabilities of the game client and is able to infect both the Steam versions and the pirated builds of Counter-Strike 1.6 (CS 1.6). Once on the victim’s computer, the Trojan replaces the files of the client and creates proxies to infect other users. Such a scheme usually serves to create a network of infected computers, which can be used to promote game servers for money.
Despite the game’s long history, the number of players using official CS 1.6 clients is estimated at 20,000 people online, while the total number of game servers registered on Steam exceeds 5,000. Selling, renting, and promoting game servers is now deemed actual business, and these services can be purchased with various websites. Server owners often pay for this, oblivious that their server can be promoted by malware. These illegal methods were used by the developer nicknamed “Belonard”; his server infected other players with a Trojan to promote other servers via their accounts.
At the moment, the number of malicious CS 1.6 servers created by the Belonard Trojan hits 39% of all official servers registered on Steam. The CS community has been facing this issue for a long time; but, unfortunately, up until now, anti-viruses have only been able to identify parts of the threat, but not the Belonard Trojan in its entirety. Now all modules of the Belonard Trojan are successfully detected by Dr.Web’s products and do not pose a threat to our customers. Learn more about the Belonard Trojan and its operation in our study.
01.03 Doctor Web’s February 2019 virus activity review
March 1, 2019
In February Dr.Web’s statistics showed a 9.73% decrease in the number of unique threats compared to January. Malware activity this month barely topped the numbers of December 2018, but for some threats there are clear dynamics. For example, the activity of the JS.Miner.28 which had been increasing in January, continued to grow and finally outperformed its competitor - JS.Miner.11. At the same time, Trojan.Starter.7394 grew by 14.29% compared to January, when Trojan.DownLoader26.28109 on the other hand, had a three-fold decrease in the number of detected threats. Additionally, the amount of URLs added to Dr.Web’s database of non-recommended and dangerous websites decreased by 1.68%. And the technical support statistics registered a decrease in the number of applications submitted by the ransomware victims.
Principal trends in February
- Decreased number of threats found in email traffic
- Spike of activity among adware, torrent clients and unwanted programs
According to Doctor Web’s statistics servers
Threat of the month:
- Adware.Softobase.12
- Installation adware that spreads outdated software and changes the browser’s settings. Installation adware that spreads outdated software and changes the browser’s settings.
- Adware.Ubar.13
- A torrent client designed to install unwanted programs on a user’s device.
- Trojan.Starter.7394
- Trojan designed for launching other malicious software on a victim’s device.
- Adware.Downware.19283
- The sort of adware that is usually distributed as an installer for pirated software. Upon installation, it changes a browser’s settings and may install other software without asking for the user’s permission. The sort of adware that is usually distributed as an installer for pirated software. Upon installation, it changes a browser’s settings and may install other software without asking for the user’s permission.
- Trojan.MulDrop8.60634
- Install—install the Trojan Installs malware in a system. All the components necessary for installation are usually stored inside the MulDrop itself.
Decreased amount of threats from:
Trojan.Encoder.11432 - Infamous ransomware also known as WannaCry. Blocks access to users’ data by encrypting it and demanding payment for decrypting the data.
- Trojan.DownLoader26.28109
- Downloads and runs malicious software without the user’s permission.
Statistics for malware discovered in email traffic
- JS.DownLoader.1225
- A family of malicious JavaScripts. They download and install malicious software on a computer.
- W97M.DownLoader.2938
- A family of downloader Trojans that exploit vulnerabilities in office applications. Designed for downloading other malware to a compromised computer.
- Exploit.ShellCode.69
- Another malicious Microsoft Office Word document. This one uses vulnerability called CVE-2017-11882. Использует vulnerability CVE-2017-11882.
- Exploit.Rtf.CVE2012-0158
- Modified Microsoft Office document. Exploits CVE2012-0158 vulnerability in order to run malicious code.
- JS.Miner.28
- JavaScript miner called «CryptoLoot». Its purpose is to mine the Monero cryptocurrency in a browser without asking for the user’s permission. Often used as an alternative to the CoinHive miner.
Trojan.PWS.Stealer.23680 - A family of Trojans designed to steal passwords and other confidential information stored on an infected computer.
Encryption ransomware
In February, Doctor Web’s technical support was most often contacted by victims of the following encryption ransomware:
Trojan.Encoder.858 - 31.39% of requests;Trojan.Encoder.18000 - 10.18% of requests;Trojan.Encoder.11464 - 4.67% of requests;Trojan.Encoder.11539 - 4.67% of requests;Trojan.Encoder.567 - 2.34% of requests;Trojan.Encoder.25814 - 2.34% of requests.
Dr.Web Security Space for Windows protects against encryption ransomware
Dangerous websites
During February 2019, 288 159 URLs of non-recommended websites were added to the Dr.Web database.
| January 2019 | February 2019 | Dynamics |
|---|---|---|
| + 293 012 | + 288 159 | -1.68% |
Malicious and unwanted programs for mobile devices
Last month Dr.Web’s analysts found many malicious and unwanted programs designed for Android OS. The analysts also uncovered an advertising campaign that helped spread trojans of Android.HiddenAds family.
In February our researchers added a few new entries for detecting the Android.FakeApp type of malware.
Beyond that, malware developers were spreading a dangerous trojan called Android.RemoteCode.2958, which downloaded other malware by executing remote code. A
The most noticeable February event related to mobile malware:
- The spreading of malicious programs on Google Play.
Find out more about malicious and unwanted programs for mobile devices in our special overview.
Learn more with Dr.Web
01.03 February 2019 mobile malware review from Doctor Web
March 1, 2019
The last winter month of 2019 was not a quiet time for users of Android devices. In mid-February, Doctor Web specialists found about 40 Trojans of the
PRINCIPAL TRENDS IN FEBRUARY
- The detection of new malicious programs on Google Play
Mobile threat of the month
Last month, Doctor Web’s malware analysts revealed 39 Trojans of the
The Trojans were constantly displaying ads, overlaying the interface of other programs and even the operating system. As a result, infected devices became very inconvenient to work with.
For more information about these malicious applications read the news article on our website.
According to statistics collected by Dr.Web for Android
Android.Backdoor .682.originAndroid.Backdoor .2080- Trojans that execute the commands of attackers and allow them to control infected mobile devices.
Android.RemoteCode .197.origin- A malicious application designed to download and execute arbitrary code.
Android.HiddenAds .261.originAndroid.HiddenAds .659- Trojans designed to display intrusive advertisements. They are distributed as popular applications by other malicious programs, which in some cases, covertly install them in the system catalog.
- Adware.Zeus.1
Adware.Patacore .1.originAdware.Patacore .168- Adware.Jiubang.2
- Android.Toofan.1.origin
- Unwanted program modules that incorporate themselves into Android applications and display obnoxious ads on mobile devices.
Threats on Google Play
Apart from the
Android users were also targeted by the Trojan
Another Trojan, dubbed
In addition, the Dr.Web virus database was updated with an entry for applications with the built-in unwanted
Several games turned out to contain other unwanted advertising modules, dubbed
We continue detecting more and more malicious and unwanted applications on Google Play, so owners of mobile devices running Android are advised to only install programs from well-known and trusted developers. In all cases, pay attention to the reviews of other users. To protect smartphones and tablets, we recommend you install Dr.Web for Android.
Your Android needs protection!
Use Dr.Web
- First Russian anti-virus for Android
- Over 140 million downloads—just from Google Play!
- Available free of charge for users who purchase Dr.Web home products
