Virus alerts
12.07 Doctor Web: A dangerous Android backdoor distributed via Google Play
July 12, 2019
The malware was dubbed
When launched,
Its window contains a button to “check” for updates to the OpenGL ES interface. When a user taps the window, the trojan simulates a search for new versions of OpenGL ES, but does not actually perform any checks.
When the victim closes the application window,
The backdoor communicates with several command and control servers to receive commands from the attackers and send the collected data. The cybercriminals can also control the trojan via the Firebase Cloud Messaging service.
- sending information on contacts from the contact list to the server;
- sending information on text messages to the server (the investigated version of the trojan did not have the permissions for this);
- sending the phone call history to the server;
- sending the device location to the server;
- downloading and launching an APK or a DEX file using the DexClassLoader class;
- sending the information on the installed software to the server;
- downloading and launching a specified executable file;
- downloading a file from the server;
- uploading a specified file to the server;
- transmitting information on files in the specified directory or a memory card to the server;
- executing a shell command;
- launching the activity specified in a command;
- downloading and installing an Android application;
- displaying a notification specified in a command;
- requesting permission specified in a command;
- sending the list of permissions granted to the trojan to the server;
- not letting the device go into sleep mode for a specified time period.
The trojan AES encrypts all data transmitted to the server. Each request is protected with a unique generated key based on the current time. The same key encrypts the server response.
- automatically, if the system has root access (using a shell command);
- using a system package manager (system software only);
- displaying a standard system installation dialog where the user needs to confirm the installation.
As you can see, this backdoor is a serious threat. Not only does it act as spyware, but it can also be used for phishing because it can display windows and notifications with any content. It can also download and install any other malicious application, as well as execute arbitrary code. For example, at the command of attackers,
Doctor Web has notified Google about the trojan; it was already removed from Google Play at the time of publication.
Read more about Android.Backdoor.736.origin
#Android, #backdoor, #Google_Play, #spyware
Your Android needs protection.
Use Dr.Web
- The first Russian anti-virus for Android
- Over 140 million downloads—just from Google Play
- Available free of charge for users of Dr.Web home products
03.07 June 2019 mobile malware review from Doctor Web
July 3, 2019
In mid June, Dr.Web virus analysts discovered the
PRINCIPAL TREND IN JUNE
- New malicious and unwanted applications on Google Play
Mobile threat of the month
On June 14, Doctor Web reported the
Clicking such a message would open one of the advertised websites in the browser. Many of them were fraudulent.
Features of
- it is distributed via Google Play under the guise of official software by well-known brands;
- notifications from websites, loaded by the trojan, did not stop when the trojan was removed.
According to statistics collected by Dr.Web for Android
Android.Backdoor .682.origin- A trojan that executes cybercriminals’ commands and helps them control infected mobile devices.
Android.HiddenAds .1424- A trojan designed to display obnoxious ads. It is distributed under the guise of popular applications.
Android.RemoteCode .197.originAndroid.RemoteCode .4411- Malicious applications designed to download and execute arbitrary code.
Android.Triada .3670- A multi-functional trojan that performs different malicious actions.
Program modules that incorporate themselves into Android applications and display obnoxious ads on mobile devices:
- Adware.Zeus.1
- Adware.Jiubang.2
Adware.AdPush .33.origin- Adware.Toofan.1.origin
A riskware platform that allows applications to launch APK files without installing them:
Tool.VirtualApk .1.origin
A new threat:
Adware.Patacore .253- A representative of a family of unwanted modules that display banner advertisments on Android devices.
Threats on Google Play
Along with
Virus analysts have also discovered a number of new
After installation and launch, the malware hid its icons and began displaying ads.
Another trojan found on Google Play was named
The first versions of this application were safe; but later, in versions 1.1.0 and 1.1.4, it was updated with trojan functionality.
Another downloader was named
At the end of June, the Dr.Web virus database was updated to detect the
To protect your Android device from malware and unwanted programs, we recommend you install Dr.Web for Android.
Your Android needs protection.
Use Dr.Web
- The first Russian anti-virus for Android
- Over 140 million downloads—just from Google Play
- Available free of charge for users of Dr.Web home products
03.07 June 2019 virus activity review from Doctor Web
July 3, 2019
In June, Dr.Web server statistics registered a significant increase in the number of common and unique threats compared with May. Adware and installers are still leading in the total number of detected threats; the highest malware activity has been detected in email traffic. The dangerous stealer, Trojan.PWS.Maria.3 (Ave Maria), previously used to target an oil and gas company, is active again. The Trojan.Nanocore.23 trojan with remote access that helps control an infected computer is distributed via email. A malware campaign using the Trojan.Encoder.858 encoder also took place in June.
Principal trends in June
- Increased malware distribution
- Emailing stealers and RAT Trojans
- Increased encoder activity
Threat of the month
In June, a sample of the rare Trojan.MonsterInstall Node.js trojan was studied in the Doctor Web virus lab. When launched on a victim's device, it downloads and installs the modules it needs for operation, collects information about the system, and sends it to the developer’s server. After receiving a response from the server, it adds itself to autorun and starts mining the TurtleCoin cryptocurrency. Developers of this malware use cheats for popular games from their own webpages to distribute the trojan and infect files on other similar websites.
According to Doctor Web’s statistics servers
Threats of this month:
- Adware.Ubar.13
- A torrent client that installs unwanted software on devices.
- Trojan.InstallCore.3553
- Another notorious adware installer. It displays ad banners and installs software without users’ permission.
- Trojan.Winlock.14244
- Blocks or restricts user access to the operating system and its main functions. To access the system, users are required to transfer money to the trojan developer’s account.
- Trojan.Starter.7394
- A trojan that launches other malware on a device.
- Adware.Softobase.12
- An installer that distributes outdated software. It changes browser settings.
Statistics for malware discovered in email traffic
- Exploit.Rtf.CVE2012-0158
- A modified Microsoft Office Word document that exploits the CVE2012-0158 vulnerability to execute malicious code.
- W97M.DownLoader.2938
- A family of downloader trojans that exploit vulnerabilities in Microsoft Office documents and can download other malicious programs to a compromised computer.
- Exploit.ShellCode.69
- A malicious Microsoft Office Word document that exploits the CVE-2017-11882 vulnerability.
Rising threats of the month:
- Trojan.PWS.Maria.3
- A stealer distributed by email in malicious Excel files. It uses the popular CVE-2017-11882 vulnerability to launch an executable file. It was first seen in a phishing campaign targeting the Italian oil and gas industry.
- Trojan.Nanocore.23
- A dangerous trojan with remote access. It allows cybercriminals to control an infected computer, including the camera and microphone on the device if available.
Encoders
In June, Doctor Web’s technical support service registered cases involving the following encoders:
Trojan.Encoder.858 — 30.31%Trojan.Encoder.567 — 7.02%Trojan.Encoder.11464 — 6.47%Trojan.Encoder.11539 — 3.33%Trojan.Encoder.18000 — 3.14%Trojan.Encoder.28004 — 2.59%Trojan.Encoder.25574 — 1.66%
Dr.Web Security Space for Windows protects against encryption ransomware
Dangerous websites
In June 2019, the Dr.Web database was updated with a total of 151,162 non-recommended website URLs.
| May 2019 | June 2019 | Dynamics |
|---|---|---|
| + 223,952 | + 151,162 | – 32.5% |
Malicious and unwanted programs for mobile devices
In June, Doctor Web virus analysts discovered many more malicious and unwanted programs on Google Play, including the
New trojan downloaders were also detected this month, such as the
The following mobile malware event of June was the most noteworthy:
- detection of new malware on Google Play.
Find out more about malicious and unwanted programs for mobile devices in our special overview.
Learn more with Dr.Web
19.06 New Node.js trojan threatens gamers
June 19, 2019
Yandex has submitted a rare sample of the Node.js trojan for research to Doctor Web’s virus laboratory. This malware was distributed via websites with video game cheats and has several versions and components.
When users attempt to download a cheat they download a password-protected 7zip archive to their computers. Inside there is an executable file; which upon launch, will download the requested cheats alongside other trojan’s components.
Upon launching on the victim's device, Trojan.MonsterInstall downloads and installs all the components necessary for its work, gathers information about the system its installed on, and sends it to the developer’s server. After receiving a response, it installs itself in the autorun and starts mining the TurtleCoin cryptocurrency.
Developers of this malware own several websites with game cheats, which they use to spread the malware, but they also infect other similar websites with the same trojan. According to SimilarWeb’s statistics, users browse these websites at least 127,400 times per month.
Websites owned by the malware developers:
- румайнкрафт[.]рф;
- clearcheats[.]ru;
- mmotalks[.]com;
- minecraft-chiter[.]ru;
- torrent-igri[.]com;
- worldcodes[.]ru;
- cheatfiles[.]ru.
Moreover, some cheats from the proplaying[.]ru website turned out to be infected as well.
Doctor Web’s experts recommend that users timely update the anti-virus and avoid downloading suspicious software.
We would also like to thank specialists from Yandex for providing the sample and additional information about the trojan’s points of distribution.
#JavaScript #games #mining
14.06 Doctor Web: Android users threatened by fraudulent push notifications
June 14, 2019
The Web Push technology allows websites to send notifications even when the webpage is not open in the browser if the user agrees to that. When it comes to harmless websites, this feature can be useful and convenient. For example, social media can notify the users on new messages, and news agencies can spread information about new articles. However, cybercriminals and unscrupulous advertisers can abuse this technology by spreading advertising and fraudulent notifications that come from hacked or malicious websites.
PC, laptop browsers, as well as mobile devices support these notifications. Typically, the victim gets to a questionable spamming website by clicking a unique link or an advertising banner.
When launched, the trojan loads a website in Google Chrome. The website is specified in the trojan settings. According to its parameters, it performs several redirects to pages of various affiliated programs. Each of them prompts the user to allow notifications. To be convincing, they inform the victim that it is done for verification purposes (for example, that the user is not a robot), or simply hint on which dialog button to click. Thus, they increase the number of successful subscriptions. See examples of such queries in the images below:
After activating the subscription, websites start sending the user numerous notifications of questionable content. Notifications are displayed in the status bar of the operating system even if the browser is closed and the trojan has already been removed. The contents can be anything, from false notifications about cash bonuses or transfers or new messages on social media to advertisements of horoscopes, casinos, goods and services, even various “news”.
Many of them look like real notifications of actual online services and applications installed on the device. For example, they display the logo of a bank, a dating website, a news agency, or a social network, as well as an eye-catching banner. Owners of Android devices can receive dozens of such spam messages per day.
Although these notifications also indicate the address of the website they come from, an unskilled user may fail to notice it, or not give it much thought. See below the examples of fraudulent notifications:
Having clicked a notification, the user is redirected to a website with questionable content. This may include advertising of casinos, betting shops, various Google Play applications, discounts and coupons, fake online polls and prize drawings, aggregators of partner links, and other online resources that vary depending on the country of residence of the user. See examples of such websites below:
Many of these resources are involved in well-known fraudulent schemes for stealing funds, but attackers can also launch an attack to steal confidential data at any time. For example, by sending an “important” notification via the browser on behalf of a bank or a social network. Potential victims can think the fake notification is real and tap it only to be redirected to a phishing site, where they will be prompted to indicate their name, credentials, email addresses, bank card numbers, and other confidential information.
Doctor Web experts believe that cybercriminals will make more active use of this method to promote questionable services, so mobile users should be careful while visiting websites and not subscribe to notifications if the website is unfamiliar or suspicious. If you are already subscribed to spam notifications, perform the following steps:
- Go to the Google Chrome settings, select “Site Settings” and then “Notifications”;
- On the list of websites with notifications, find the website address, tap it, and select “Clear & reset”.
Dr.Web for Android successfully detects and removes all known modifications of
Read more about Android.FakeApp.174
Your Android needs protection.
Use Dr.Web
- The first Russian anti-virus for Android
- Over 140 million downloads—just from Google Play
- Available free of charge for users of Dr.Web home products
03.06 Doctor Web’s May 2019 virus activity review
June 3, 2019
In May, Dr.Web’s statistics registered a 1.49% increase in the number of unique threats compared to April; while the number of all detected threats increased by 14.51%. Malware and unwanted programs statistics show the prevalence of adware and installers. E-mail traffic is still dominated by malware that uses the vulnerabilities of Microsoft Office programs, but in May we also registered an increase in the spread of the dangerous trojan,
Principal Trends in May
- An increase in malware spreading activity
- Trojan stealers distributed via email
Threat of the month
In May, Doctor Web’s researchers warned about unique malware for the macOS operating system–
According to Doctor Web’s statistics servers
Threats of the month:
- Adware.Softobase.12
- Installation adware that spreads outdated software and changes the browser’s settings.
- Adware.Ubar.13
- A torrent client designed to install unwanted programs on a user’s device.
- Trojan.InstallCore.3553
- Another well-known adware installer. It shows ads and installs additional programs without the user’s permission.
- Trojan.Winlock.14244
- A ransomware trojan that blocks or limits a user’s access to the Windows operating system and its functionalities. In order to unlock the system, a user must transfer money to the cybercriminals.
- Trojan.Starter.7394
- A trojan designed to launch other malicious software on a victim’s device.
Statistics for malware discovered in email traffic
Threats of the month:
- W97M.DownLoader.2938
- A family of downloader trojans that exploit vulnerabilities in Microsoft Office applications. Designed to download other malware onto a compromised computer.
- Exploit.ShellCode.69
- Another malicious Microsoft Office Word document. This one uses vulnerability called CVE-2017-11882.
- Exploit.Rtf.CVE2012-0158
- Another malicious Microsoft Office Word document. This one uses a vulnerability called CVE2012-0158.
- Exploit.Rtf.435
- A malicious Microsoft Office document that uses the CVE-2017-11882 vulnerability to download the Trojan.Fbng.8 (FormBook) trojan on users’ devices.
- Trojan.PWS.Stealer.19347
- A family of trojans designed to steal passwords and other confidential information stored on an infected computer.
Increased malware activity:
- Trojan.Inject3.15480
- Trojan also known as Trojan.Fbng.8 (FormBook). The Trojan also known as FormBook. It’s designed to steal private data, but can also receive commands from the developer’s server.
Encryption ransomware
In May, victims of the following encryption ransomware most frequently contacted Doctor Web’s technical support service:
Trojan.Encoder.18000 — 15.38%Trojan.Encoder.858 — 9.89%Trojan.Encoder.11464 — 5.49%Trojan.Encoder.25574 — 5.49%Trojan.Encoder.11539 — 5.27%Trojan.Archivelock — 5.05%Trojan.Encoder.567 — 1.98%
Dr.Web Security Space for Windows protects against encryption ransomware
Dangerous websites
During May 2019, Doctor Web added 223,952 URLs to the Dr. Web database of non-recommended sites.
| April 2019 | May 2019 | Dynamics |
|---|---|---|
| + 345 999 | + 223 952 | - 35.27% |
Malicious and unwanted programs for mobile devices
In May, malware developers again distributed various malicious programs through the Google Play service. Researchers at Doctor Web discovered a trojan,
The most noticeable May event related to mobile malware:
- The spread of new malware on Google Play;
Find out more about malicious and unwanted programs for mobile devices in our special overview.
Learn more with Dr.Web
03.06 May 2019 mobile malware review from Doctor Web
June 3, 2019
In the past month, Android devices were once again targeted by malicious programs distributed via Google Play. The list contained the
PRINCIPAL TREND IN MAY
- Distribution of malicious applications on Google Play
Mobile threat of the month
The malware detected in May included spyware trojans from the
After installation and launch, these malicious programs attempted to assign themselves as the default SMS manager, requesting permission from the user. If permission was granted,
Specific features of the malware:
- it was intended for Spanish-speaking users;
- it was based on the open source SMSdroid software with an added trojan function.
According to statistics collected by Dr.Web for Android
Android.Backdoor .682.origin- A trojan that executes cybercriminals’ commands and helps them control infected mobile devices.
Android.RemoteCode .4411Android.RemoteCode .197.origin- Malicious applications designed to download and execute arbitrary code.
Android.HiddenAds .261.originAndroid.HiddenAds .1102- Trojans designed to display intrusive advertisements. They are distributed as popular applications by other malicious programs; which in some cases, covertly install them in the system catalog.
- Adware.Zeus.1
- Adware.Jiubang.2
Adware.AdPush .33.origin- Adware.Toofan.1.origin
- Unwanted program modules that embed themselves into Android applications and display obnoxious ads on mobile devices.
Tool.VirtualApk .1.origin- A riskware platform that allows applications to launch APK files without installing them.
Adware trojan
In early May, Doctor Web analysts discovered the
The malicious program did allow users to listen to music, but then hid its icon after the first launch, preventing users from launching it again.
New malicious and unwanted applications keep appearing on Google Play. Doctor Web recommends Android device owners to install Dr.Web for Android to protect themselves.
Your Android needs protection.
Use Dr.Web
- The first Russian anti-virus for Android
- Over 140 million downloads—just from Google Play
- Available free of charge for users of Dr.Web home products
14.05 A new threat for the macOS system spreads disguised as WhatsApp
May 14, 2019
Our researchers discovered the new threat on April 29. This malware was named
When users open one of those websites, the embedded code detects the visitor’s operating system and depending on that uploads either the backdoor or a trojan. If a visitor uses macOS, their device gets infected with
According to our information, the website spreading
06.05 Doctor Web’s April 2019 virus activity review
May 6, 2019
In April, Dr.Web’s statistics showed a 39.44% decrease in the number of unique threats compared to March; while the number of all detected threats decreased by 14.96%. E-mail traffic is still dominated by malware that uses the vulnerabilities of Microsoft Office programs. The previous month’s malware and unwanted programs trend also continues. The malicious browser extensions, unwanted programs and adware account for the majority of detected threats.
The number of non-recommended websites increased by 28.04%. One such website was used for spreading a banking trojan and stealer, along with the video and sound editing software, which we reported at the beginning of the month. Additionally, Doctor Web’s researchers warned about the phishing newsletter sent from official e-mails of large international companies.
Principal trends in April
- A decline in malware spreading activity
- An increase in the number of domain names added to the Dr.Web database of non-recommended websites
Threat of the month
Doctor Web researchers warned users about a compromised, popular website, which distributes video and sound editing software. Hackers hijacked download links on the website causing visitors to download the dangerous banking trojan, Win32.Bolik.2, and the Trojan.PWS.Stealer (KPOT) stealer, along with the editing software. Trojans of this family are designed to perform web injections, intercept traffic, log keys and steal information from different bank-client systems. Additionally, the attackers later changed the Win32.Bolik.2 trojan to another malware, the Trojan.PWS.Stealer (KPOT Stealer). This trojan steals information from browsers, Microsoft accounts, several messengers and some other programs.
According to Doctor Web’s statistics servers
Threats of the month:
- Adware.Softobase.12
- Installation adware that spreads outdated software and changes the browser’s settings.
- Adware.Ubar.13
- A torrent client designed to install unwanted programs on a user’s device.
- Trojan.Starter.7394
- Trojan designed for launching other malicious software on a victim’s device.
Adware.Downware.19283 - The sort of adware that is usually distributed as an installer for pirated software. Upon installation, it changes a browser’s settings and may install other software without asking for the user’s permission.
Statistics for malware discovered in email traffic
- Exploit.ShellCode.69
- A modified Microsoft Office document. It exploits the CVE-2017-11882 vulnerability in order to run malicious code.
- Exploit.Rtf.CVE2012-0158
- Another malicious Microsoft Office Word document. This one uses a vulnerability called CVE2012-0158.
- JS.DownLoader.1225
- A variety of malicious code written in JavaScript and designed to download and install other malware on a computer.
- Trojan.Encoder.26375
- A malicious program from the encryption ransomware family. This trojan encrypts files and demands a ransom for data decryption.
- W97M.DownLoader.2938
- A family of downloader Trojans that exploit vulnerabilities in office applications. Designed to download other malware onto a compromised computer.
Encryption ransomware
In April, Doctor Web’s technical support was most frequently contacted by victims of the following encryption ransomware:
Trojan.Encoder.858 — 17.95%Trojan.Encoder.18000 — 14.65%Trojan.Encoder.11464 — 7.69%Trojan.Archivelock — 5.49%Trojan.Encoder.567 — 3.85%Trojan.Encoder.11539 — 3.85%Trojan.Encoder.25574 — 2.75%
Dr.Web Security Space for Windows protects against encryption ransomware
Dangerous websites
During April 2019, Doctor Web added 345,999 URLs to the Dr.Web database of non-recommended websites.
| March 2019 | April 2019 | Dynamics |
|---|---|---|
| + 270 227 | + 345 999 | + 28.04% |
Malicious and unwanted programs for mobile devices
In April, Doctor Web reported the dangerous trojan,
Also during April, new malware such as trojan downloaders and clickers were discovered in the Google Play catalogue, as well as new credential stealers for Instagram, called Android.PWS.Instagram.4 and Android.PWS.Instagram.5.
Additionally, new banking trojans threatened Android smartphone and tablet users. Among them were new versions of the
Among the most noticeable April events related to mobile malware were:
- the spread of malicious programs on Google Play;
- the distribution of banking trojans.
Learn more with Dr.Web
30.04 April 2019 mobile malware review from Doctor Web
April 30, 2019
In April Doctor Web reported on the
PRINCIPAL TRENDS IN APRIL
- The detection of new malicious applications on Google Play
- Distribution of banking trojans
Mobile threat of the month
In early April Doctor Web reported on a dangerous trojan,
According to statistics collected by Dr.Web for Android
Android.Backdoor .682.origin- A trojan that executes cybercriminals’ commands and helps them control infected mobile devices.
Android.HiddenAds .1102Android.HiddenAds .261.origin- Trojans designed to display intrusive advertisements. They are distributed as popular applications by other malicious programs; which in some cases, covertly install them in the system catalog.
Android.RemoteCode .4411- A malicious application designed to download and execute arbitrary code.
Android.DownLoader .812.origin- A Trojan that downloads other malicious applications.
- Adware.Zeus.1
Adware.AdPush .33.origin- Adware.Toofan.1.origin
- Adware.Jiubang.2
- Unwanted program modules that incorporate themselves into Android applications and display obnoxious ads on mobile devices.
Tool.VirtualApk .1.origin- A riskware platform that allows applications to launch APK files without installing them.
Banking trojans for Android
Over the past month, banking trojans threatened users of Android devices. In late April Doctor Web virus analysts detected new modifications of the
These modifications of
These trojan modifications are able to intercept and send SMS on hackers’ command, show phishing windows, make calls, and listen to the surrounding environment using the device’s built-in microphone. On top of that, they can control smartphones and tablets; for example, they can turn on Wi-Fi, connect to the Internet via a mobile network, block the screen, and so on.
In addition, new downloaders from the
Trojans on Google Play
Aside from downloaders, other trojans, such as
This malicious software opens hidden activity with several WebView elements. A website is loaded on one of them to get commands. Hackers use other WebViews to load different JavaScript and specified websites where they simulate user actions. On these websites, they click links and banner ads to drive up hit and click counters. Hackers can also subscribe mobile device owners to paid services by clicking on special buttons if service providers support the Wap-Click technology of fast subscription. To make themselves more difficult to delete, trojans hide their icons from the operating system’s main screen.
In late April, new entries were added to the Dr.Web virus database to detect the trojans
Other threats
The
To distribute itself among a greater number of users, the trojan sent SMS with a link to the download page of its copy to all contacts of the infected device. The main goal of
Users of Android devices are threatened by different trojan applications that are distributed not only via malicious websites, but also via the official Google Play store. To protect smartphones and tablets, we recommend that you install Dr.Web for Android.
Your Android needs protection.
Use Dr.Web
- The first Russian anti-virus for Android
- Over 140 million downloads—just from Google Play
- Available free of charge for users of Dr.Web home products
11.04 The official website of a popular video editing software was infected with a banking trojan
April 11, 2019
VSDC is a popular, free software for editing video and sound. According to SimilarWeb statistics, monthly visits of the VSDC website come close to 1.3 million users. However, the security measures taken by the website’s developers often turn out to be insufficient for such traffic volume, which endangers a large number of people.
Last year unknown hackers gained access to the administrative side of the VSDC website and replaced the download links. Instead of the editing software, users received a JavaScript file, which then downloaded the AZORult Stealer, X-Key Keylogger and the DarkVNC backdoor. The VSDC team stated that they closed the vulnerability, but recently we received information about additional cases of infection through their website.
According to our researchers, the VSDC developer’s computer has been compromised several times since the previous incident. One such hack led to the website being compromised again between 2019-02-21 and 2019-03-23. This time hackers took a different approach to spreading the malware: they embedded a malicious JavaScript code inside the VSDC website. Its task was to determine the visitor’s geolocation and replace download links for users from the UK, USA, Canada and Australia. Native website links were substituted by links to another compromised website:
- https://thedoctorwithin[.]com/video_editor_x64.exe
- https://thedoctorwithin[.]com/video_editor_x32.exe
- https://thedoctorwithin[.]com/video_converter.exe
Users that downloaded software from that website also received a dangerous banking trojan, Win32.Bolik.2. Same as its predecessor,
Additionally, on 22.03.2019 the attackers changed the Win32.Bolik.2 trojan to another malware, a variation of the Trojan.PWS.Stealer, KPOT Stealer. This trojan steals information from browsers, Microsoft accounts, several messengers and some other programs. In just one day it was downloaded by 83 users.
The VSDC developers were notified about the threat; and at the present moment, download links were restored to the originals. However, Doctor Web experts recommend that all VSDC users check their devices with our antivirus.
#banker #banking_trojan #virus
03.04 Doctor Web’s March 2019 virus activity review
April 3, 2019
In March, Doctor Web’s analysts finished studying the trojan that threatened the Counter-Strike 1.6 players. Included in the main threats identified in March is a dynamic in how principal threats compare to the previous month’s. For example, the activity of Trojan.MulDrop8.60634 has decreased three times since February, while the number of threats like Trojan.Packed.24060 and Adware.OpenCandy.243 increased in March. Additionally, the number of domain names added to Dr.Web’s database of non-recommended and dangerous websites has decreased. Doctor Web has also received more data decoding requests from ransomware victims.
Principal trends in March
- The rise of malicious browser extensions
- A spike in adware activity and unwanted programs
- An increase in the number of applications submitted by ransomware victims
Threat of the month
In March Doctor Web’s analysts published a thorough study of the Belonard trojan, which exploits zero-day vulnerabilities in the Counter-Strike 1.6 Steam client. Once on the victim’s computer, the trojan replaces the client files and creates proxies to infect other users. The number of malicious CS 1.6 servers created by the Belonard trojan rose to 39% of all official servers registered on Steam. Now all modules of the Belonard Trojan have been successfully detected by Dr.Web’s products and no longer pose a threat to our customers.
According to Doctor Web’s statistics servers
Threats of the month:
Trojan.Packed.24060 - This program installs malicious browser extensions that redirect search results to different websites.
- Adware.Softobase.12
- Installation adware that spreads outdated software and changes the browser’s settings. Installation adware that spreads outdated software and changes the browser’s settings.
Adware.OpenCandy.243 - A family of applications designed to install other software in the system. These programs are used by free software developers in order to monetize their apps. A family of applications designed to install other software in the system. These programs are used by developers of free software in order to monetize their apps.
- Adware.Ubar.13
- A torrent client designed to install unwanted programs on a user’s device.
- Trojan.Starter.7394
- A trojan designed to launch other malicious software on a victim’s device.
Decreased amount of threats from:
- Trojan.MulDrop8.60634
- Installs malware in a system. All the components necessary for installation are usually stored inside the MulDrop itself.
- Adware.Downware.19283
- The sort of adware that is usually distributed as an installer for pirated software. Upon installation, it changes a browser’s settings and may install other software without asking for the user’s permission.
Statistics for malware discovered in email traffic
- Exploit.ShellCode.69
- Another malicious Microsoft Office Word document. This one uses vulnerability called CVE-2017-11882.
- W97M.DownLoader.2938
- A family of downloader Trojans that exploit vulnerabilities in office applications. Designed to download other malware onto a compromised computer.
- Exploit.Rtf.CVE2012-0158
- A modified Microsoft Office document. It exploits the CVE2012-0158 vulnerability in order to run malicious code.
Trojan.SpyBot.699 - A multi-module banking trojan. It allows cybercriminals to download and launch various applications on an infected device and to execute their commands. The trojan is intended to steal money from bank accounts.
- JS.DownLoader.1225
- A variety of malicious code written in JavaScript and designed to download and install other malware on a computer.
Trojan.PWS.Stealer.23680 - A family of Trojans designed to steal passwords and other confidential information stored on an infected computer.
Encryption ransomware
In March, Doctor Web’s technical support was most often contacted by victims of the following encryption ransomware:
Trojan.Encoder.858 —28.39%;Trojan.Encoder.18000 —9.54%;Trojan.Encoder.27210 —4.25%;Trojan.Encoder.11464 —4.14%;Trojan.Encoder.11539 —4.14%;Trojan.Encoder.567 —2.76%;Trojan.Archivelock —2.34%
Dr.Web Security Space for Windows protects against encryption ransomware
Dangerous websites
During March 2019, Doctor Web added 270,227 URLs into the Dr.Web database of non-recommended sites.
| February 2019 | March 2019 | Dynamics |
|---|---|---|
| + 288 159 | + 270 227 | - 6.63% |
Malicious and unwanted programs for mobile devices
In the past month Doctor Web specialists found many new malicious programs on Google Play. Among them was the infamous family of
Beyond that, more trojans of the
Additionally, hackers continued to spread banking trojans. Doctor Web reported on one such trojan at the end of March. The malicious software known as Flexnet steals money from banking accounts and mobile phones balance.
At the end of the month, Doctor Web’s researchers disclosed details about the vulnerability in the popular Android browser, “UC Browser”, which was able to download plug-ins bypassing the Google Play servers. This vulnerability could have been exploited by hackers in order to spread malware.
Among the most noticeable events related to mobile malware in March:
- the detection of a vulnerability in the UC Browser;
- the spread of malicious programs on Google Play.
- the distribution of banking trojans.
Find out more about malicious and unwanted programs for mobile devices in our special overview.
Find out more with Dr.Web
03.04 March 2019 mobile malware review from Doctor Web
April 3, 2019
In March, Doctor Web reported a vulnerability in the mobile app, UC Browser, which can download new modules from third-party server. Cybercriminals could use this feature to infect Android smartphones and tablets. Additionally, malware analysts shared information about the Flexnet trojan that stole money from bank cards and mobile credit accounts. During March, other malicious applications were detected on Google Play.
PRINCIPAL TRENDS IN MARCH
- Detection of a vulnerability in UC Browser
- Distribution of banking trojans
- The detection of new malicious programs on Google Play
Mobile threat of the month
At the end of March, Doctor Web reported a vulnerability in the UC Browser app for Android, discovered by our malware analysts. This program downloaded additional plugins, bypassing Google Play servers and thus violating Google’s policies. Cybercriminals could interfere with the download and make the browser download and launch malicious files instead. Over 500,000,000 mobile users have been exposed to threats. See the details of this vulnerability in our virus library.
According to statistics collected by Dr.Web for Android
Android.Backdoor .682.originAndroid.Backdoor .2080- Trojans that execute commands from attackers and allow them to control infected mobile devices.
Android.RemoteCode .197.origin- Malicious application designed to download and execute arbitrary code.
Android.HiddenAds .659Android.HiddenAds .261.origin- Trojans designed to display intrusive advertisements. They are distributed as popular applications by other malicious programs, which in some cases covertly install them in the system catalog.
- Adware.Zeus.1
- Adware.Jiubang.2
- Adware.Toofan.1.origin
- Adware.Gexin.3.origin
- Unwanted program modules that incorporate themselves into Android applications and display obnoxious ads on mobile devices.
Tool.VirtualApk .1.origin- A potentially dangerous software platform that allows applications to run APK files without installing them.
Banking trojans for Android
Cybercriminals continue to distribute banking trojans based on the source code of the
Threats on Google Play
In March, we found more malicious programs on Google Play, including the trojans
In addition, our malware analysts identified more trojans of the
After installation and launch, they hide their icons and begin constantly overlaying ads over program windows and the operating system interface, making it difficult to work with the Android devices.
Users of Android devices are threatened by trojans not only distributed via malicious websites, but also via the official Google Play store. To protect smartphones and tablets, we recommend that you install Dr.Web for Android.
Your Android needs protection!
Use Dr.Web
- First Russian anti-virus for Android
- Over 140 million downloads—just from Google Play!
- Available free of charge for users who purchase Dr.Web home products
21.03 Doctor Web: Android banker Flexnet uses computer games to steal money from users
March 21, 2019
Flexnet is based on the GM Bot Trojan, researched by Doctor Web malware analysts back in February 2015. The malicious app’s source code was published in 2016. Soon, the first versions of Flexnet were created thanks to everything achieved by GM Bot’s authors. Attacks against Android mobile devices using this Trojan continue happening to this day.
The cybercriminals distribute Flexnet Trojans via spam texting. In the messages, the potential victims are encouraged to follow the link and download some program or game. The Trojan disguises itself as applications such as Drug Vokrug (a dating and chatting app), GTA V, tools for Instagram and VKontakte account promotion, as well as other software.
Fig. 1. Example of software icons used by the Trojan.
When launched, the Trojan requests admin privileges, displaying a standard dialog box. If the victim grants the permissions, the Trojan falsely reports an error and removes its icon from the home screen to hide from the user so as not to be removed.
Fig. 2-3. An attempt to request admin privileges and a false error message.
Compared with modern Android bankers, Flexnet’s capabilities are quite limited. The Trojan is capable of hooking and sending text messages, as well as performing USSD requests. However, these functions are enough to steal money using various fraudulent means.
One of them is topping up the in-game accounts of popular computer games via SMS. First, the Trojan checks a user's bank card balance by sending an SMS request to the mobile banking service system. Then it hooks the response message with the account balance and transmits this information to cybercriminals. Next, the attackers request to top up the gaming account, indicating the victim’s phone number and the amount to transfer. The user then receives a text message with a verification code. The Trojan intercepts this message, transfers its contents to the cybercriminals, and finally they give the Trojan a command to send the verification code to confirm the transaction.
See below the example of money theft using this method:
Fig. 4. Top-up of Wargaming accounts. The Trojan hooks the messages from a bank’s billing system and, at the command of cybercriminals, sends a reply with a payment confirmation code to transfer RUB 2,475.
Other fraudulent schemes are implemented in a similar way. For example, the cybercriminals can pay for hosting using money from their victims’ mobile credit. To do this, the Trojan sends text messages with the necessary parameters to certain phone numbers. See below the example of such payment.
Fig. 5. Trojan texting the transfer amount (RUB 299 and RUB 1,000) and account names on the jino.ru hosting service to top up the balance of cybercriminals.
The attackers can steal money even if the victim does not have enough on the balance. They use the credit options provided by mobile carriers. As in other cases, the cybercriminals instruct the Trojan to send a text with the necessary parameters. Owners of the infected devices are oblivious to the money loss because the banker hides all suspicious messages.
Fig. 6. The fraudsters attempt to pay for the My.com service, but the amount on the victim’s mobile credit is not enough to do it. They command the Trojan to use the credit option and successfully perform the transfer. Thus, the device owner is left with a phone debt.
Additionally, the Trojan can transfer money from victims’ bank cards to cybercriminals’ accounts. However, financial institutions use specific algorithms to track suspicious transactions, so the probability of them being blocked is very high, while the above schemes allow the fraudsters to steal relatively small amounts for a long time and go unnoticed.
Another feature of Flexnet involves stealing confidential data. The cybercriminals can get ahold of accounts on social media, online stores, the websites of mobile carriers, and other online services. Knowing the victim’s mobile phone number, the cybercriminals try to log into their account. The service sends a text with a one-time verification code, which the Trojan hooks and sends to the attackers.
Fig. 7. Texts with one-time access codes of various services, hooked by the Trojan.
If the number used on the infected device is not registered with the target services, the cybercriminals can use it to register a new account. In the future, those compromised and newly created accounts can enter the black market and then be used to send spam and arrange phishing attacks.
With the assistance of the REG.ru registrar, several Flexnet command and control servers were blocked, and the cybercriminals no longer control some of the infected devices.
Doctor Web reminds owners of Android smartphones and tablets that software and games should only be installed from reliable sources such as Google Play. You are strongly advised to pay attention to the reviews of other users and use software from trusted developers.
Dr. Web for Android detects all known modifications of the Flexnet Trojan as parts of the
#Android, #banking_Trojan, #two_factor_authentication
Your Android needs protection
Use Dr.Web
- The first Russian Anti-virus for Android
- More than 140 million downloads on Google Play alone
- Free for users of Dr.Web home products
11.03 Study of the Belonard Trojan, exploiting zero-day vulnerabilities in Counter-Strike 1.6
March 11, 2019
Introduction
The game Counter-Strike 1.6 was released by Valve Corporation back in 2000. Despite its rather considerable age, it still has a large fan base. The number of players using official CS 1.6 clients reaches an average of 20,000 people online, while the overall number of game servers registered on Steam exceeds 5,000. Selling, renting, and promoting game servers is now deemed an actual business, and these services can be purchased on various websites. For example, raising a server’s rank for a week costs about 200 rubles, which is not much, but a large number of buyers make this strategy a rather successful business model.
Many owners of popular game servers also raise money from players by selling various privileges such as protection against bans, access to weapons, etc. Some server owners advertise themselves independently, while others purchase server promotion services from contractors. Having paid for a service, customers often remain oblivious as to how exactly their servers are advertised. As it turned out, the developer nicknamed, “Belonard”, resorted to illegal means of promotion. His server infected the devices of players with a Trojan and used their accounts to promote other game servers.
The owner of the malicious server uses the vulnerabilities of the game client and a newly written Trojan as a technical foundation for their business. The Trojan is to infect players’ devices and download malware to secure the Trojan in the system and distribute it to devices of other players. For that, they exploit Remote Code Execution (RCE) vulnerabilities, two of which have been found in the official game client and four in the pirated one.
Once set up in the system, Trojan.Belonard replaces the list of available game servers in the game client and creates proxies on the infected computer to spread the Trojan. As a rule, proxy servers show a lower ping, so other players will see them at the top of the list. By selecting one of them, a player gets redirected to a malicious server where their computer become infected with Trojan.Belonard.
Using this pattern, the developer of the Trojan managed to create a botnet that makes up a considerable part of the CS 1.6 game servers. According to our analysts, out of some 5,000 servers available from the official Steam client, 1,951 were created by the Belonard Trojan. This is 39% of all game servers. A network of this scale allowed the Trojan’s developer to promote other servers for money, adding them to lists of available servers in infected game clients.
We previously reported a similar incident with CS 1.6, where a Trojan could infect a player’s device via a malicious server. However, a user then had to approve the download of malicious files, while this time, a Trojan attacks devices unnoticed by the users. Doctor Web have informed Valve about these and other vulnerabilities of the game, but as of now, there is no data on when the vulnerabilities will be fixed.
Infection of a client
Trojan.Belonard consists of 11 components and operates under different scenarios, depending on the game client. If the official client is used, the Trojan infects the device using an RCE vulnerability, exploited by the malicious server, and then establishes in the system. A clean pirated client is infected the same way. If a user downloads an infected client from the website of the owner of the malicious server, the Trojan’s persistence in the system is ensured after the first launch of the game.
Let us touch upon the process of infecting a client in more detail. A player launches the official Steam client and selects a game server. Upon connecting to a malicious server, it exploits an RCE vulnerability, uploading one of the malicious libraries to a victim’s device. Depending on the type of vulnerability, one of two libraries will be downloaded and executed: client.dll (Trojan.Belonard.1) or Mssv24.asi (Trojan.Belonard.5).
Once on the victim’s device, Trojan.Belonard.1 deletes any .dat files that are in the same directory with the library process file. After that, the malicious library connects to the command and control server, fuztxhus.valve-ms[.]ru:28445, and sends it an encrypted request to download the file Mp3enc.asi (Trojan.Belonard.2). The server then sends the encrypted file in response.
This is a screenshot of a decrypted data packet from the server:
Installation into the client
Infection of the official or pirated client is performed using the specific feature of the Counter-Strike client. When launched, the game automatically downloads any ASI files from the game root.
The client downloaded from the website of the Trojan’s developer is already infected with Trojan.Belonard.10 (the file name is Mssv36.asi), but the trojan installs in the system differently than in clean versions of game clients. After installation of an infected client, Trojan.Belonard.10 checks for one of its components in the user's OS. If there is none, it drops the component from its body and downloads Trojan.Belonard.5 (the file name is Mssv24.asi) into its process memory. Like many other modules, Trojan.Belonard.10 changes the date and time of creation, modification, or access to the file, so that the Trojan’s files cannot be found by sorting the contents of the folder by creation date.
After installing a new component, Trojan.Belonard.10 remains in the system and acts as a protector of the client. It filters requests, files, and commands received from other game servers and transfers data about attempted changes to the client to the Trojan developer’s server.
Trojan.Belonard.5 receives information about the running process and the paths to the module in DllMain. If the process name is not rundll32.exe, it starts a separate threads for subsequent actions. In the running thread, Trojan.Belonard.5 creates the key [HKCU\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Layers] '<path to the executable file process>', assigns it the value “RUNASADMIN”, and checks the module name. If it is not “Mssv24.asi”, it copies itself in the “Mssv24.asi” module, deletes the version with a different name, and launches Trojan.Belonard.3 (the file name is Mssv16.asi). If the name matches, it immediately downloads and launches the Trojan.
Embedment in a clean client is performed by Trojan.Belonard.2. After download, it checks in DllMain the name of the process in which client.dll(Trojan.Belonard.1) is loaded. If it is not rundll32.exe, it creates a thread with the key [HKCU\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Layers] '<path to the executable file process>’, and assigns it the value “RUNASADMIN”. After that, it collects data about the user’s device and extracts information from the DialogGamePage.res file. Then it sends the collected data to the server of the Trojan developer in an encrypted format.
Collected system data structure:
In response, the server sends the Mssv16.asi file,(Trojan.Belonard.3). Meta-information about the new module is saved in the file DialogGamePage.res, while Trojan.Belonard.5 is removed from the user’s device.
Installation in the system
The process of ensuring persistence in the system starts with Trojan.Belonard.3. Once on the device, it removes Trojan.Belonard.5 and checks the process, in the context of which it runs. If it is not rundll32.exe, it saves two other Trojans to %WINDIR%\System32\: Trojan.Belonard.7 (the file name is WinDHCP.dll) and Trojan.Belonard.6 (davapi.dll). At the same time, unlike Trojan.Belonard.5, the seventh and sixth ones are stored within the Trojan in a disassembled form. The bodies of these two Trojans are divided into blocks of 0xFFFC bytes (the last block may be smaller). When saved to disk, the Trojan assembles the blocks together to obtain working files.
Having assembled the Trojans, Trojan.Belonard.3 creates a WinDHCP service to run WinDHCP.dll (Trojan.Belonard.7) in the context of svchost.exe. Depending on language settings, the OS uses texts in Russian or English to set service parameters.
WinDHCP service parameters:
- Service name: “Windows DHCP Service” or “Служба Windows DHCP”;
- Description: “Windows Dynamic Host Configuration Protocol Service” or “Служба протокола динамической настройки узла Windows”;
- The ImagePath parameter is specified as “%SystemRoot%\System32\svchost.exe -k netsvcs”, while ServiceDll specifies the path to the Trojan library.
After that, Trojan.Belonard.3 regularly checks if the WinDHCP service is running. If it is not running, it reinstalls the service.
Trojan.Belonard.7 is WinDHCP.dll with a ServiceMain exported function, installed on the infected device by an autorun service. Its purpose is to check the “Tag” parameter in the registry of the key “HKLM\\SYSTEM\\CurrentControlSet\\Services\\WinDHCP”. If it is set to 0, Trojan.Belonard.7 loads the davapi.dll library (Trojan.Belonard.6) and calls its exported function, passing a pointer to a SERVICE_STATUS as an argument, which reflects the status of the WinDHCP service. Then it waits for 1 second and checks the “Tag” parameter once more. If the value does not match 0, Trojan.Belonard.7 loads the spwinres.dll library (Trojan.Belonard.4), which is an older version of Trojan.Belonard.6. After that, it calls spwinres.dll’s exported function, passing a pointer to a SERVICE_STATUS as an argument, which reflects the status of the WinDHCP service.
The Trojan repeats these actions every second.
WinDHCP service parameters from our customer’s report:
<RegistryKey Name="WinDHCP" Subkeys="1" Values="11">
<RegistryKey Name="Parameters" Subkeys="0" Values="1">
<RegistryValue Name="ServiceDll" Type="REG_EXPAND_SZ" SizeInBytes="68" Value="%SystemRoot%\system32\WinDHCP.dll" />
</RegistryKey>
<RegistryValue Name="Type" Type="REG_DWORD" Value="32" />
<RegistryValue Name="Start" Type="REG_DWORD" Value="2" />
<RegistryValue Name="ErrorControl" Type="REG_DWORD" Value="0" />
<RegistryValue Name="ImagePath" Type="REG_EXPAND_SZ" SizeInBytes="90" Value="%SystemRoot%\System32\svchost.exe -k netsvcs" />
<RegistryValue Name="DisplayName" Type="REG_SZ" Value="Служба Windows DHCP" />
<RegistryValue Name="ObjectName" Type="REG_SZ" Value="LocalSystem" />
<RegistryValue Name="Description" Type="REG_SZ" Value="Служба протокола динамической настройки узла Windows" />
<RegistryValue Name="Tag" Type="REG_DWORD" Value="0" />
<RegistryValue Name="Data" Type="REG_BINARY" SizeInBytes="32" Value="f0dd5c3aeda155767042fa9f58ade24681af5fbd45d5df9f55a759bd65bc0b7e" />
<RegistryValue Name="Scheme" Type="REG_BINARY" SizeInBytes="16" Value="dcef62f71f8564291226d1628278239e" />
<RegistryValue Name="Info" Type="REG_BINARY" SizeInBytes="32" Value="55926164986c6020c60ad81b887c616db85f191fda743d470f392bb45975dfeb" />
</RegistryKey>
Before the startup of all functions, Trojan.Belonard.6 checks the “Tag” and “Data” parameters in the WinDHCP service registry. The “Data” parameter must contain an array of bytes used to generate the AES key. If there is none, the Trojan uses the openssl library to generate 32 random bytes, which will later be used to generate the encryption key. After that, the Trojan reads the “Info” and “Scheme” parameters of the WinDHCP service. In “Scheme”, the Trojan stores 4 parameters, encrypted with AES. “Info” stores the SHA256 hash of the list of installed programs.
Having collected this data, Trojan.Belonard.6 decrypts the address of the C&C server — oihcyenw.valve-ms[.]ru — and tries to establish a connection. If it fails, the Trojan uses DGA to generate domains in the .ru zone. However, an error in the domain generation code prevents the algorithm from creating the domains intended for the Trojan developer.
After sending the encrypted information, the Trojan receives a response from the server, decrypts it and saves the transferred files to %WINDIR%\System32\. This data contains the Trojans wmcodecs.dll (Trojan.Belonard.8) and ssdp32.dll (Trojan.Belonard.9).
Apart from the above functions, Trojan.Belonard.6 also triggers the following actions at random intervals:
- Search for running Counter-Strike clients;
- Launch of Trojan.Belonard.9;
- Connecting to the developer’s server.
Periods can be changed at the command from the C&C server.
Payload and distribution
Belonard also installs in new game clients found on the device. This is performed by Trojan.Belonard.8 and Trojan.Belonard.6.
Trojan.Belonard.8 initializes a container with data about Counter-Strike 1.6 client file names and their SHA256 hashes. Trojan.Belonard.6 starts to search for installed game clients. If the Trojan finds a running client, it checks the list of files and their SHA256 hashes against the data received from Trojan.Belonard.8. If it does not match, Trojan.Belonard.8 ends the clean client process, and then drops the file hl.exe to the game directory. This file is only needed to display the following error message upon loading the game “Could not load game. Please try again at a later time.” This allows the Trojan to gain time for replacing the files of the client. When it is done, the Trojan replaces hl.exe with a working file and the game starts without an error.
The Trojan deletes the following client files:
<path>\\valve\\dlls\\*
<path>\\cstrike\\dlls\\*
<path>\\valve\\cl_dlls\\*
<path>\\cstrike\\cl_dlls\\*
<path>\\cstrike\\resource\\*.res
<path>\\valve\\resource\\*.res
<path>\\valve\\motd.txt
<path>\\cstrike\\resource\\gameui_english.txt
<path>\\cstrike\\resource\\icon_steam.tga
<path>\\valve\\resource\\icon_steam.tga
<path>\\cstrike\\resource\\icon_steam_disabled.tga
<path>\\valve\\resource\\icon_steam_disabled.tga
<path>\\cstrike\\sound\\weapons\\fiveseven_reload_clipin_sliderelease.dll
<path>\\cstrike_russian\\sound\\weapons\\fiveseven_reload_clipin_sliderelease.dll
<path>\\cstrike_romanian\\sound\\weapons\\fiveseven_reload_clipin_sliderelease.dll
Depending on the OS language settings, the Trojan downloads English or Russian game menu files.
Modifications to the game client contain files of Trojan.Belonard.10, as well as an advertisement of the Trojan developer’s websites. When a player starts the game, their nickname will change to the address of the website where an infected game client can be downloaded, while the game menu will show a link to the VKontakte CS 1.6 community with more than 11,500 subscribers.
The Trojan’s payload is to emulate a number of fake game servers on the user’s device. To do this, the Trojan transfers information about the game client to the developer’s server and receives encrypted parameters for creating fake servers in response.
Trojan.Belonard.9 creates proxy game servers and registers them with the Steam API. Game server ports are defined sequentially from the lowest value of game_srv_low_port specified by the server. The server also sets the value for fakesrvbatch, which determines the number of protocol emulator threads. The emulator supports basic requests to a Goldsource engine game server: A2S_INFO, A2S_PLAYER, A2A_PING, receiving the “challenge steam/non-steam client” request, as well as the “connect” command of the Counter-Strike client. After responding to the “connect” command, the Trojan tracks the first and the second packet from the client.
After exchanging packets, the Trojan sends the last packet, svc_director, with a DRC_CMD_STUFFTEXT type of message, which enables the execution of arbitrary commands of the Counter-Strike client. This issue has been known to Valve since 2014 and has not been fixed yet. Thus, attempting to connect to the game proxy server, the player will be redirected to the malicious server. After that, the Trojan developer will be able to exploit the vulnerabilities of the user's game client to install Trojan.Belonard.
It is worth mentioning that Trojan.Belonard.9 contains a bug, which allows us to detect fake game servers, created by the Trojan. Moreover, some of those servers can be identified by the name: in the “Game” column, the fake server will have a string “Counter-Strike n”, where n can be a number from 1 to 3.
Encryption
Belonard uses encryption to store data in the Trojan and communicate with the server. It stores the encrypted name of the C&C server, as well as some lines of code and library names. There is one encryption algorithm with different constants for individual modules of the Trojan. The older versions of the Trojan used another algorithm to encrypt lines of code.
Decryption algorithm in Trojan.Belonard.2:
def decrypt(d):
s = ''
c = ord(d[0])
for i in range(len(d)-1):
c = (ord(d[i+1]) + 0xe2*c - 0x2f*ord(d[i]) - 0x58) & 0xff
s += chr(c)
return s
Decryption algorithm from the older versions:
def decrypt(data):
s = 'f'
for i in range(0,len(data)-1):
s += chr((ord(s[i]) + ord(data[i]))&0xff)
print s
Belonard uses a more sophisticated encryption to exchange data with the command and control server. Before sending the information to the server, the Trojan turns it into a different structure for each module. Collected data is encrypted by RSA using the public key stored within the malware. However, it must be mentioned that RSA is used for encryption of first 342 bytes of data only. If a module sends a packet of data larger than 342 bytes, only this much will be encrypted by RSA; the rest of the data will be encrypted by AES. The data for AES key is stored in a part, encrypted by RSA key. The data for AES key is stored in a part, encrypted by RSA key, along with the data needed for generating AES key, which is used by C&C server for encrypting its answers.
Then, after a zero byte added at the beginning of the packet, the data is sent to the C&C server. To which the server replies with an encrypted packet that contains information about the size of the payload and its SHA256 hash in its header, which is needed to be verified against the AES key.
The server may reply with
#pragma pack(push,1)
struct st_payload
{
_BYTE hash1[32];
_DWORD totalsize;
_BYTE hash2[32];
_DWORD dword44;
_DWORD dword48;
_DWORD dword4c;
_WORD word50;
char payload_name[];
_BYTE payload_sha256[32];
_DWORD payload_size;
_BYTE payload_data[payload_size];
}
#pragma pack(pop)
Decryption is performed with AES in a CFB mode with a block size of 128 bits and the key sent earlier to the server. The first 36 bytes of data are decrypted first, including the last DWORD value that shows the actual payload with the header. The DWORD value adds to the AES key and is hashed using SHA256. The resulting hash must match the first 32 decrypted bytes. The rest of the received data is decrypted only after this.
Botnet shutdown
Doctor Web’s analysts took all necessary measures in order to neutralize the Belonard trojan and stop botnet from growing. The delegation of the domain names used by the malware developer was suspended with the help of REG.ru domain name registrar. Since redirection from a fake game server to the malicious one happened via domain name, CS 1.6 players will no longer be in danger of connecting to the malicious server and getting infected by the Belonard trojan. This interrupted work of almost all the components of the malware.
Beyond that, Dr.Web’s virus database was updated with entries to detect all the Belonard components. The modules that switched to DGA are currently monitored. After all the necessary actions were taken, the sinkhole server registered 127 infected game clients. In addition to that, our telemetry showed that Dr.Web anti-virus detected modules of the Trojan.Belonard on 1004 devices of our clients.
At the present moment, Belonard botnet can be considered neutralized; but in order to ensure the safety of Counter-Strike game clients, it is necessary to close current vulnerabilities.
Indicators of compromise
SHA-1 hashes
8bbc0ebc85648bafdba19369dff39dfbd88bc297 - Backdoored Counter-Strike 1.6 client
200f80df85b7c9b47809b83a4a2f2459cae0dd01 - Backdoored Counter-Strike 1.6 client
8579e4efe29cb999aaedad9122e2c10a50154afb - Backdoored Counter-Strike 1.6 client
ce9f0450dafda6c48580970b7f4e8aea23a7512a - client.dll - Trojan.Belonard.1
75ec1a47404193c1a6a0b1fb61a414b7a2269d08 - Mp3enc.asi - Trojan.Belonard.2
4bdb31d4d410fbbc56bd8dd3308e20a05a5fce45 - Mp3enc.asi - Trojan.Belonard.2
a0ea9b06f4cb548b7b2ea88713bd4316c5e89f32 - Mssv36.asi - Trojan.Belonard.10
e6f2f408c8d90cd9ed9446b65f4b74f945ead41b - FileSystem.asi - Trojan.Belonard.11
15879cfa3e5e4463ef15df477ba1717015652497 - Mssv24.asi - Trojan.Belonard.5
4b4da2c0a992d5f7884df6ea9cc0094976c1b4b3 - Mssv24.asi - Trojan.Belonard.5
6813cca586ea1c26cd7e7310985b4b570b920803 - Mssv24.asi - Trojan.Belonard.5
6b03e0dd379965ba76b1c3d2c0a97465329364f2 - Mssv16.asi - Trojan.Belonard.3
2bf76c89467cb7c1b8c0a655609c038ae99368e9 - Mssv16.asi - Trojan.Belonard.3
d37b21fe222237e57bc589542de420fbdaa45804 - Mssv16.asi - Trojan.Belonard.3
72a311bcca1611cf8f5d4d9b4650bc8fead263f1 - Mssv16.asi - Trojan.Belonard.3
73ba54f9272468fbec8b1d0920b3284a197b3915 - davapi.dll - Trojan.Belonard.6
d6f2a7f09d406b4f239efb2d9334551f16b4de16 - davapi.dll - Trojan.Belonard.6
a77d43993ba690fda5c35ebe4ea2770e749de373 - spwinres.dll - Trojan.Belonard.4
8165872f1dbbb04a2eedf7818e16d8e40c17ce5e - WinDHCP.dll - Trojan.Belonard.7
027340983694446b0312abcac72585470bf362da - WinDHCP.dll - Trojan.Belonard.7
93fe587a5a60a380d9a2d5f335d3e17a86c2c0d8 - wmcodecs.dll - Trojan.Belonard.8
89dfc713cdfd4a8cd958f5f744ca7c6af219e4a4 - wmcodecs.dll - Trojan.Belonard.8
2420d5ad17b21bedd55309b6d7ff9e30be1a2de1 - ssdp32.dll - Trojan.Belonard.9
File names
client.dll - Trojan.Belonard.1
Mp3enc.asi - Trojan.Belonard.2
Mssv16.asi - Trojan.Belonard.3
spwinres.dll - Trojan.Belonard.4
Mssv24.asi - Trojan.Belonard.5
davapi.dll - Trojan.Belonard.6
WinDHCP.dll - Trojan.Belonard.7
wmcodecs.dll - Trojan.Belonard.8
ssdp32.dll - Trojan.Belonard.9
Mssv36.asi - Trojan.Belonard.10
FileSystem.asi - Trojan.Belonard.11
Domain names
csgoogle.ru
etmpyuuo.csgoogle.ru
jgutdnqn.csgoogle.ru
hl.csgoogle.ru
half-life.su
play.half-life.su
valve-ms.ru
bmeadaut.valve-ms.ru
fuztxhus.valve-ms.ru
ixtzhunk.valve-ms.ru
oihcyenw.valve-ms.ru
suysfvtm.valve-ms.ru
wcnclfbi.valve-ms.ru
reborn.valve-ms.ru
IP addresses
37.143.12.3
46.254.17.165
March 11, 2019
Trojan.Belonard gets installed on a device upon connecting to a malicious game server. The Trojan exploits vulnerabilities of the game client and is able to infect both the Steam versions and the pirated builds of Counter-Strike 1.6 (CS 1.6). Once on the victim’s computer, the Trojan replaces the files of the client and creates proxies to infect other users. Such a scheme usually serves to create a network of infected computers, which can be used to promote game servers for money.
Despite the game’s long history, the number of players using official CS 1.6 clients is estimated at 20,000 people online, while the total number of game servers registered on Steam exceeds 5,000. Selling, renting, and promoting game servers is now deemed actual business, and these services can be purchased with various websites. Server owners often pay for this, oblivious that their server can be promoted by malware. These illegal methods were used by the developer nicknamed “Belonard”; his server infected other players with a Trojan to promote other servers via their accounts.
At the moment, the number of malicious CS 1.6 servers created by the Belonard Trojan hits 39% of all official servers registered on Steam. The CS community has been facing this issue for a long time; but, unfortunately, up until now, anti-viruses have only been able to identify parts of the threat, but not the Belonard Trojan in its entirety. Now all modules of the Belonard Trojan are successfully detected by Dr.Web’s products and do not pose a threat to our customers. Learn more about the Belonard Trojan and its operation in our study.
01.03 Doctor Web’s February 2019 virus activity review
March 1, 2019
In February Dr.Web’s statistics showed a 9.73% decrease in the number of unique threats compared to January. Malware activity this month barely topped the numbers of December 2018, but for some threats there are clear dynamics. For example, the activity of the JS.Miner.28 which had been increasing in January, continued to grow and finally outperformed its competitor - JS.Miner.11. At the same time, Trojan.Starter.7394 grew by 14.29% compared to January, when Trojan.DownLoader26.28109 on the other hand, had a three-fold decrease in the number of detected threats. Additionally, the amount of URLs added to Dr.Web’s database of non-recommended and dangerous websites decreased by 1.68%. And the technical support statistics registered a decrease in the number of applications submitted by the ransomware victims.
Principal trends in February
- Decreased number of threats found in email traffic
- Spike of activity among adware, torrent clients and unwanted programs
According to Doctor Web’s statistics servers
Threat of the month:
- Adware.Softobase.12
- Installation adware that spreads outdated software and changes the browser’s settings. Installation adware that spreads outdated software and changes the browser’s settings.
- Adware.Ubar.13
- A torrent client designed to install unwanted programs on a user’s device.
- Trojan.Starter.7394
- Trojan designed for launching other malicious software on a victim’s device.
- Adware.Downware.19283
- The sort of adware that is usually distributed as an installer for pirated software. Upon installation, it changes a browser’s settings and may install other software without asking for the user’s permission. The sort of adware that is usually distributed as an installer for pirated software. Upon installation, it changes a browser’s settings and may install other software without asking for the user’s permission.
- Trojan.MulDrop8.60634
- Install—install the Trojan Installs malware in a system. All the components necessary for installation are usually stored inside the MulDrop itself.
Decreased amount of threats from:
Trojan.Encoder.11432 - Infamous ransomware also known as WannaCry. Blocks access to users’ data by encrypting it and demanding payment for decrypting the data.
- Trojan.DownLoader26.28109
- Downloads and runs malicious software without the user’s permission.
Statistics for malware discovered in email traffic
- JS.DownLoader.1225
- A family of malicious JavaScripts. They download and install malicious software on a computer.
- W97M.DownLoader.2938
- A family of downloader Trojans that exploit vulnerabilities in office applications. Designed for downloading other malware to a compromised computer.
- Exploit.ShellCode.69
- Another malicious Microsoft Office Word document. This one uses vulnerability called CVE-2017-11882. Использует vulnerability CVE-2017-11882.
- Exploit.Rtf.CVE2012-0158
- Modified Microsoft Office document. Exploits CVE2012-0158 vulnerability in order to run malicious code.
- JS.Miner.28
- JavaScript miner called «CryptoLoot». Its purpose is to mine the Monero cryptocurrency in a browser without asking for the user’s permission. Often used as an alternative to the CoinHive miner.
Trojan.PWS.Stealer.23680 - A family of Trojans designed to steal passwords and other confidential information stored on an infected computer.
Encryption ransomware
In February, Doctor Web’s technical support was most often contacted by victims of the following encryption ransomware:
Trojan.Encoder.858 - 31.39% of requests;Trojan.Encoder.18000 - 10.18% of requests;Trojan.Encoder.11464 - 4.67% of requests;Trojan.Encoder.11539 - 4.67% of requests;Trojan.Encoder.567 - 2.34% of requests;Trojan.Encoder.25814 - 2.34% of requests.
Dr.Web Security Space for Windows protects against encryption ransomware
Dangerous websites
During February 2019, 288 159 URLs of non-recommended websites were added to the Dr.Web database.
| January 2019 | February 2019 | Dynamics |
|---|---|---|
| + 293 012 | + 288 159 | -1.68% |
Malicious and unwanted programs for mobile devices
Last month Dr.Web’s analysts found many malicious and unwanted programs designed for Android OS. The analysts also uncovered an advertising campaign that helped spread trojans of Android.HiddenAds family.
In February our researchers added a few new entries for detecting the Android.FakeApp type of malware.
Beyond that, malware developers were spreading a dangerous trojan called Android.RemoteCode.2958, which downloaded other malware by executing remote code. A
The most noticeable February event related to mobile malware:
- The spreading of malicious programs on Google Play.
Find out more about malicious and unwanted programs for mobile devices in our special overview.
Learn more with Dr.Web
01.03 February 2019 mobile malware review from Doctor Web
March 1, 2019
The last winter month of 2019 was not a quiet time for users of Android devices. In mid-February, Doctor Web specialists found about 40 Trojans of the
PRINCIPAL TRENDS IN FEBRUARY
- The detection of new malicious programs on Google Play
Mobile threat of the month
Last month, Doctor Web’s malware analysts revealed 39 Trojans of the
The Trojans were constantly displaying ads, overlaying the interface of other programs and even the operating system. As a result, infected devices became very inconvenient to work with.
For more information about these malicious applications read the news article on our website.
According to statistics collected by Dr.Web for Android
Android.Backdoor .682.originAndroid.Backdoor .2080- Trojans that execute the commands of attackers and allow them to control infected mobile devices.
Android.RemoteCode .197.origin- A malicious application designed to download and execute arbitrary code.
Android.HiddenAds .261.originAndroid.HiddenAds .659- Trojans designed to display intrusive advertisements. They are distributed as popular applications by other malicious programs, which in some cases, covertly install them in the system catalog.
- Adware.Zeus.1
Adware.Patacore .1.originAdware.Patacore .168- Adware.Jiubang.2
- Android.Toofan.1.origin
- Unwanted program modules that incorporate themselves into Android applications and display obnoxious ads on mobile devices.
Threats on Google Play
Apart from the
Android users were also targeted by the Trojan
Another Trojan, dubbed
In addition, the Dr.Web virus database was updated with an entry for applications with the built-in unwanted
Several games turned out to contain other unwanted advertising modules, dubbed
We continue detecting more and more malicious and unwanted applications on Google Play, so owners of mobile devices running Android are advised to only install programs from well-known and trusted developers. In all cases, pay attention to the reviews of other users. To protect smartphones and tablets, we recommend you install Dr.Web for Android.
Your Android needs protection!
Use Dr.Web
- First Russian anti-virus for Android
- Over 140 million downloads—just from Google Play!
- Available free of charge for users who purchase Dr.Web home products
01.02 Doctor Web’s overview of malware detected on mobile devices in January 2019
February 1, 2019
In the past month, Android devices were targeted with a lot of malware. In early January, Doctor Web’s virus analysts investigated the Trojan
PRINCIPAL TRENDS IN JANUARY
- The detection of malicious programs on Google Play
- The detection of an Android spyware Trojan
Mobile threat of the month
In early January, the Dr.Web virus database was updated to detect the spyware
Upon command from its command and control server,
According to statistics collected by Dr.Web for Android
-
Android.Backdoor .682.origin - A Trojan that executes cybercriminals’ commands and helps them control infected mobile devices.
-
Android.RemoteCode .197.origin - A malicious application designed to download and execute arbitrary code.
Android.HiddenAds .261.originAndroid.HiddenAds .659- Trojans designed to display intrusive advertisements. They are distributed as popular applications by other malicious programs; which in some cases, covertly install themselves in the system catalog.
Android.Mobifun .4- A Trojan that downloads various applications.
- Adware.Zeus.1
Adware.AdPush .29.originAdware.Patacore .1.originAdware.Patacore .168- Adware.Jiubang.2
- Unwanted program modules that incorporate themselves into Android applications and display obnoxious ads on mobile devices.
Threats on Google Play
Apart from
In addition, our malware analysts investigated a variety of downloaders. Cybercriminals presented them as useful programs, such as currency converters, official banking applications, and other software. These Trojans were dubbed
One of those banking Trojans was
In late January, Doctor Web’s experts discovered new clicker Trojans from the family
The Doctor Web specialists continue monitoring the situation with mobile viruses and promptly update the Dr.Web virus database to detect and remove malicious and unwanted programs. Thus, smartphones and tablets with Dr.Web for Android are safe and secure.
Your Android needs protection
Use Dr.Web
- The first Russian Anti-virus for Android
- More than 140 million downloads on Google Play alone
- Free for users of Dr.Web home products
01.02 Doctor Web’s January 2019 virus activity review
February 1, 2019
2018 may have been a rollercoaster in terms of info security and privacy, but at the end of the year, we finally witnessed a long-awaited break. Cybercriminals decreased their activity during the holidays; but despite that, our statistics show a few peculiar and disturbing trends for January.
In the middle of the month, cryptocurrency holders were attacked by a monitoring tool that was disguised as a downloader Trojan. Later this month we registered a 28% increase in devices infected with the Trojan.Winlock.14244. Beyond that, our email traffic statistics show a 50% higher rate of distribution of malicious documents exploiting Microsoft Office vulnerabilities.
Principal trends in January
- Increased number of devices infected by OS blockers
- More frequent use of Microsoft Office exploits
- Spike of adware activity
Threat of the month
In January Doctor Web’s researchers discovered a Trojan in a cryptocurrency monitoring tool. This malware downloaded other Trojans on a victim’s PC and used them to steal private data, including passwords from cryptocurrency wallets.
According to Doctor Web’s statistics servers
Growing threats of the month:
- Trojan.Winlock.14244
- Ransomware Trojan. Blocks or limits user’s access to the Windows operating system, and its functionalities. In order to unlock the system, a user must transfer money to the cybercriminals.
- Adware.Downware.19283
- The sort of adware that is usually distributed as an installer for pirated software. Upon installation, it changes a browser’s settings and may install other software without asking for the user’s permission.
- Trojan.DownLoader26.28109
- Downloads and runs malicious software without the user’s permission.
Trojan.Encoder.11432 - Infamous ransomware also known as WannaCry. Blocks access to users’ data by encrypting it and demanding payment for decrypting the data.
Decreased amount of threats from:
- Trojan.Starter.7394
- Trojan designed for launching other malicious software on a victim’s device.
- Trojan.MulDrop8.60634
- Installs malware in a system. All the components necessary for installation are usually stored inside the MulDrop itself.
- Trojan.Zadved.1313
- Adware. Alters search results and redirects users to advertising websites.
Statistics for malware discovered in email traffic
Increased number of threats from:
- JS.DownLoader.1225
- A variety of malicious code written in JavaScript and designed to download and install other malware on a computer.
- Exploit.Rtf.CVE2012-0158
- Modified Microsoft Office document. Exploits CVE2012-0158 vulnerability in order to run malicious code.
- W97M.DownLoader.2938
- A family of downloader Trojans that exploit vulnerabilities in office applications and can download other malicious programs to a compromised machine.
- Exploit.ShellCode.69
- Another malicious Microsoft Office Word document. This one uses vulnerability called CVE-2017-11882.
Trojan.PWS.Stealer.23680 - A family of Trojans designed to steal passwords and other confidential information stored on an infected computer.
Increased activity of following threats:
Trojan.Nanocore.23 - This dangerous malware is from a remote access Trojan family(RAT). It has infected 4 times more devices than in the previous month. Nanocore allows complete remote control of an infected device, including control over the camera and microphone.
- JS.Miner.28
- Malicious JavaScript code. Its purpose is to mine Monero cryptocurrency in a browser without asking for a user’s permission. Often used as an alternative to the CoinHive miner.
Decreased the number of threats from:
Trojan.Fbng.8 - The Trojan also known as FormBook. It’s designed to steal private data, but can also receive commands from the developer’s server.
Trojan.Encoder.26375 - A malicious program from the encryption ransomware family. This Trojans encrypts files and demands a ransom for data decryption.
- JS.Miner.11
- This name belongs to a group of malicious JavaScript code. Its purpose is to mine Monero cryptocurrency in a browser without asking for a user’s permission. Uses CoinHive miner.
Encryption ransomware
In January, Doctor Web’s technical support was most often contacted by victims of the following encryption ransomware:
Trojan.Encoder.858 — 26.32% of requests;Trojan.Encoder.11464 — 12.63% of requests;Trojan.Encoder.11539 — 7.72% of requests;- Trojan.Encoder.25574 — 1.58% of requests;
Trojan.Encoder.567 — 5.96% of requests;Trojan.Encoder.5342 — 0.88% requests;
Dr.Web Security Space for Windows protects against encryption ransomware
Dangerous websites
During January 2019, 293,012 URLs of non-recommended websites were added to the Dr.Web database.
| December 2018 | January 2019 | Dynamics |
|---|---|---|
| + 257 197 | + 293 012 | +13.93% |
Malicious and unwanted programs for mobile devices
Throughout January InfoSec researchers continued discovering malware apps hidden in the Google Play Store. Among them — downloaders from the
Among the most notable January events related to mobile malware we can report the following:
- The detection of new Android Trojans on Google Play;
- Distribution of a dangerous spyware.
Find out more about malicious and unwanted programs for mobile devices in our special overview.
Learn more with Dr.Web
22.01 Doctor Web has detected malicious activity in a cryptocurrency monitoring tool
January 22, 2019
In Autumn 2018 cryptocurrency mining enthusiasts began noticing messages suggesting they install a tool for monitoring cryptocurrency prices. The app developers promised a certified, trusted and free widget. At first glance, this program doesn’t raise any suspicions. It has a valid digital signature and works exactly as promised. But behind this seemingly flawless functionality, there’s a hidden catch: it will steal your private data.
Upon installation, the program compiles and runs malicious code downloaded from the developer’s personal Github account. Once completed, it uploads Trojan.PWS.Stealer.24943, also known among malware developers as AZORult, to a victim’s device. This Trojan allows cybercriminals to steal a vast amount of private data, including passwords from cryptocurrency wallets.
In most cases encountered by Doctor Web researchers, this malware was distributed in English on forums dedicated to cryptocurrency mining. It was seen less often on Polish and Russian forums dedicated to the same subject.
At present, the Trojan is still available on several file exchanges, as well as on the Github account mentioned earlier. Dr.Web products successfully detect and remove this type of malware. That said, our cybersecurity researchers strongly advise you to timely renew your anti-virus subscription and install all the latest updates.
Find out more about this Trojan
#cryptocurrency #mining #Trojan
2018
28.12 Doctor Web: Mobile malware review for 2018
December 28, 2018
In the past year, Android mobile device owners were again targeted by many malicious and unwanted programs, many of which were distributed via Google Play. At the same time, the tendency noted in 2017 to use various means for disguising and hiding Trojans to make them harder to detect has noticeably increased.
One of the main threats to mobile device users over the past 12 months were Android bankers, attacking financial institution customers around the world. Malware that could download and run arbitrary code from the Internet posed a serious threat as well.
Virus writers were actively distributing Trojans to implement fraudulent schemes, as well as using other malicious apps to obtain illegal income. In addition, cybercriminals tried to launch mobile cryptocurrency mining and even used Trojan clippers to change the numbers of electronic wallets in the clipboard of Android devices.
The mobile firmware infection issue at the production stage remains relevant. In spring, Doctor Web virus analysts uncovered a Trojan embedded in the image of the Android operating system. More than 40 mobile device models were compromised.
Users were also threatened with malicious spyware throughout the year.
Principal trends of the year
- New detections of malicious and unwanted programs on Google Play
- Attempts of virus writers to hinder the detection of malware
- Banking Trojans attacking customers of financial institutions worldwide
- Trojans using Android Accessibility Service to automate malicious activities
- Spread of Trojan clippers capable of changing e-wallet numbers in clipboard
Most remarkable events
At the beginning of the year, information security specialists detected the spread of the
In March, Doctor Web reported a new case of detecting the
Attackers are increasingly using a variety of methods to prevent the detection of malicious and unwanted programs. In 2018, this trend continued. A popular way to reduce malware visibility is to use loaders. They can help keep Trojans and other dangerous software out of antivirus software’s reach for a longer time and cause less suspicion among potential victims. Using such loaders, cybercriminals can distribute various malware such as Trojan spyware.
In April, the
In August, we detected the
However, Trojan downloaders are increasingly used to distribute Android bankers. In July,
Later, several similar malicious programs were detected on Google Play. One of them was given the name
Loaders are used to infect mobile devices with other malware. In October, virus analysts detected the Trojan
Multi-component malicious applications are becoming increasingly common. Each of the modules performs certain functions, which allows attackers, if necessary, to expand the Trojans’ capabilities. This operation principle helps hinder threat detection. Virus writers can quickly update these plugins and add new ones, leaving the Trojan body with a minimum set of functions and making it less noticeable.
Doctor Web experts discovered this combination in February and dubbed it
After decryption and launch, the module downloaded another image with another hidden plugin, which loaded and launched the
Examples of images with encrypted modules of
For more information regarding this Trojan, refer to the news article on our website.
In August, Doctor Web analysts investigated the Trojan clipper
When copying the e-wallet number to clipboard,
Mobile malware landscape
According to Dr.Web’s detection statistics for Android products in 2018, Android devices were most often targeted by adware Trojans, malware that downloaded malicious and unwanted software, as well as Trojans that executed cybercriminal commands.
Android.Backdoor .682.origin- Trojan that executes cybercriminal commands to launch malicious activities.
Android.Mobifun .4- Representatives of a Trojan family designed to display unwanted ads.
Android.HiddenAds - Representatives of a Trojan family designed to display unwanted ads.
Android.DownLoader .573.origin- Malware that downloads applications indicated by virus writers.
Android.Packed .15893- Detects Trojans protected by a program packer.
Android.Xiny .197- Trojan primarily intended for downloading and removing applications.
- Android.Altamob.1.origin
- Malware that downloads applications indicated by virus writers.
Among the unwanted and potentially dangerous applications found on Android devices during the year, ad-displaying modules were the most common. Applications for downloading and installing various software were also detected on smartphones and tablets.
- Adware.Zeus.1
- Adware.Altamob.1.origin
- Adware.Jiubang
- Adware.Adtiming.1.origin
Adware.Adpush .601- Adware.SalmonAds.3.origin
- Adware.Gexin.2.origin
They were unwanted modules that software developers and virus writers had injected into applications to display aggressive advertising.
Tool.SilentInstaller .1.originTool.SilentInstaller .6.origin
Potentially dangerous programs designed to download and install other applications.
Banking Trojans
Banking Trojans are still a serious threat to mobile device owners. These malicious applications steal credentials to access the accounts of customers of financial institutions, bank card details, and other confidential data that can be used to steal money. Over the past 12 months, Dr.Web for Android detected over 110,000 of these Trojans on smartphones and tablets. The dynamics for Android banker detection is shown in the following graph:
When authors of the banking Trojan
In March, Doctor Web experts detected the
When launched,
In autumn, virus analysts investigated the banker
Later, our experts uncovered
Fraud
Cybercriminals are increasingly using malware for mobile Android devices for fraudulent campaigns. In 2018, we detected many of these Trojans. One of them is
Over the year, our specialists found other Trojans on Google Play that could load any webpage on the command of the command and control server. The list included
Cybercriminals also actively distributed the
Over the year, malware analysts discovered dozens of fraudulent applications
Prospects and trends
Next year mobile device users will again face attacks from banking Trojans and virus writers will continue improving their functionality. It is likely that more Android bankers will turn into multi-function malware capable of performing a wide range of tasks.
The number of fraudulent applications and advertising Trojans will increase also. Virus writers will hardly abandon attempts to make money on cryptocurrency using the computing power of Android devices. We also cannot eliminate the possibility of further cases of firmware infection in the future.
Cybercriminals will improve methods for circumventing antiviruses, as well as new restrictions and protective features built in the Android operating system. Rootkits and Trojans that could bypass these barriers are not out of the question. Malicious programs with new operating principles and new ways to obtain confidential data could emerge on the market. For example, they might use mobile device and eye-tracking techniques to obtain information about text being typed. Furthermore, new malware might use machine learning algorithms and other means of artificial intelligence for the benefit of attackers.
Your Android needs protection
Use Dr.Web
- The first Russian Anti-virus for Android
- More than 140 million downloads on Google Play alone
- Free for users of Dr.Web home products
28.12 Doctor Web’s overview of malware detected on mobile devices in December 2018
December 28, 2018
In early December, Brazilian Android device users were threatened by a banking Trojan that spread via Google Play. Some other malicious applications were detected in the official Android app store as well. At the end of December, Doctor Web experts discovered a new version of commercial spyware that collects masses of confidential information.
PRINCIPAL TRENDS IN DECEMBER
- Distribution of new dangerous banking Trojan among Brazilian users
- Detection of a new version of potentially dangerous spyware for surveilling mobile device users
- Detection of malicious and unwanted applications on Google Play
Mobile threat of the month
In early December, virus analysts investigated the banking Trojan,
Read more about this Trojan in the news article, published by Doctor Web.
According to statistics collected by Dr.Web for Android
Android.Backdoor .682.origin- A Trojan that executes cybercriminals’ commands and helps them control infected mobile devices.
Android.HiddenAds .261.originAndroid.HiddenAds .659- Trojans designed to display intrusive advertisements. They are distributed under the guise of popular applications by other malicious programs, which in some cases covertly install themselves in the system catalog.
Android.DownLoader .573.origin- A Trojan that downloads other malware applications.
Android.Mobifun .4- A Trojan that downloads various applications.
- Adware.Zeus.1
Adware.Patacore .1.originAdware.Adpush .2514- Adware.AdPush.29.origin
- Adware.Jiubang.2
- Unwanted program modules that incorporate themselves into Android applications and display obnoxious ads on mobile devices.
Threats on Google Play
A lot of malicious and unwanted programs were detected on Google Play over the month. The list includes the adware Trojans
We have also detected programs with the unwanted modules
Cybercriminals kept spreading fraudulent applications. The Dr.Web virus database has been updated to detect the Trojans
Virus analysts have also discovered the Trojan
Cyberespionage
Among the potentially dangerous programs detected in December was a new version of the commercial spyware
Android users are targeted by various malicious and unwanted programs, distributed both online and via Google Play. Apart from that, attackers can install malware themselves if they get physical access to mobile devices. To protect smartphones and tablets, we recommend users install Dr.Web for Android.
Your Android needs protection
Use Dr.Web
- The first Russian Anti-virus for Android
- More than 140 million downloads on Google Play alone
- Free for users of Dr.Web home products
28.12 Doctor Web’s December 2018 virus activity review
December 28, 2018
The last month of 2018 did not see any noticeable events related to information security. Among the malware detected on computers and in emails, malicious JavaScript scenarios remain prevalent. Most of them are designed to download other malware to an infected device and mine cryptocurrencies using the infected computer’s hardware. Like in November, the multicomponent banking malware
Principal trends of December
- Distribution of malicious scripts
- The emergence of new malware for Android
According to Doctor Web statistics servers
- JS.DownLoader
- A family of malicious scripts written in JavaScript and designed to download and install other malware programs on a computer.
Trojan.SpyBot.699 - A multi-module banking Trojan. It allows cybercriminals to download and launch various applications on an infected device and makes it possible for their commands to be executed. The Trojan is intended to steal money from bank accounts.
- JS.Miner
- A family of JavaScript scenarios designed to covertly mine cryptocurrencies.
- VBS.DownLoader
- A family of malicious VBS scripts designed to download and install other malware on a computer.
Statistics for malware discovered in email traffic
- JS.DownLoader
- A family of malicious scripts written in JavaScript and designed to download and install other malware programs on a computer.
Trojan.SpyBot.699 - A multi-module banking Trojan. It allows cybercriminals to download and launch various applications on an infected device and their commands to be executed. The Trojan is intended to steal money from bank accounts.
W97M.DownLoader - A family of downloader Trojans that exploit vulnerabilities in office applications and can download other malicious programs to a compromised computer.
- JS.Miner
- A family of JavaScript scenarios designed to covertly mine cryptocurrencies.
Encryption ransomware
In December, cases involving the following ransomware modifications were registered by Doctor Web’s technical support service:
Trojan.Encoder.858 — 22.34% of requests;Trojan.Encoder.11464 — 11.71% of requests;Trojan.Encoder.11539 — 10.17% of requests;- Trojan.Encoder.25574 — 5.08% of requests;
Trojan.Encoder.567 — 4.93% of requests;Trojan.Encoder.5342 — 1.54% of requests.
Dr.Web Security Space for Windows protects against encryption ransomware
Dangerous websites
A total of 257,197 URLs from non-recommended websites were added to the Dr.Web database in December 2018.
| November 2018 | December 2018 | Dynamics |
|---|---|---|
| + 231,074 | + 257,197 | +11.3% |
Malicious and unwanted programs for mobile devices
In December, Doctor Web experts found the malicious application
The following December events related to mobile malware were most noteworthy:
- a banking Trojan targeted Brazilian users;
- a new version of dangerous spyware was detected;
- many malicious and unwanted applications were found on Google Play.
Find out more about malicious and unwanted programs for mobile devices in our special overview.
Learn more with Dr.Web
28.12 Doctor Web’s annual virus activity review for 2018
December 28, 2018
The year 2018 saw the spread of Trojans for coverting cryptocurrency mining. The malicious software targeted not only Microsoft Windows users, but also various Linux device owners. Encoders that encrypt files on infected computers and demand a ransom for decryption are not losing their momentum either. In February and April, Doctor Web experts detected two new additions to this family. One of them was unable to repair the files even after payment, despite the claims of virus writers.
In late March 2018, we investigated
Throughout the year, cybercriminals had been luring their victims to fake websites and sending them bulk emails. At the beginning of the year, the attackers were sending emails on behalf of the Mail.Ru Group, trying to get ahold of their users’ logins and passwords; while in spring, they switched to sending fake cash reward offers. In summer, spammers continued pestering domain administrators, posing as representatives of the RU-CENTER hosting provider and demanding payments to renew the registration of domain names owned by potential victims.
In 2018, users of Google Android mobile devices did not escape the attention of virus writers. Back in January, information security experts detected infected games that were downloaded from Google Play more than 4,500,000 times. A little later, we discovered Android mining software that could infect 8% of various smart devices, such as TVs, streaming boxes, routers, and other IoT devices.
Throughout the year, malware analysts had been warning users about the spread of banking Trojans for Android with the widest range of functions. Analysts also detected several fake apps posing as popular Android applications used for phishing. Some mobile Trojans signed their victims up to chargeable services, others earned money through invisible advertising, and we also discovered Trojans that downloaded other malware onto the infected device.
Principal trends of the year
- The spread of Trojan miners, designed to covertly mine cryptocurrencies using hardware of infected computers
- New malicious programs for Linux and IoT
- More malware for devices running Google Android
Most notable events of 2018
In February 2018, a new Trojan encoder was detected and added to the Dr.Web virus database as
Another encoder, known as
Unfortunately, the code of this Trojan contained more than one error, so even its authors eventually found it impossible to decrypt the corrupted files. This once again emphasizes the importance of timely backup of all important files.
In late March, Doctor Web analysts investigated the spyware
A month and a half later, our experts managed to find the author of these Trojans. The malware and its modifications were stealing stored passwords and cookies from Chrome browsers, information from Telegram, FileZilla FTP client, images, and office documents according to a predetermined list. One of the Trojan’s modifications was actively advertised on various Telegram channels. Logins and passwords to cloud storages, where the archives with the stolen files were uploaded to, were embedded in the Trojans, so that Doctor Web’s virus analysts identified both the author of malware and all their customers. This investigation was described in detail in the corresponding article on our website.
Another investigation made public in late May, centered around the author of spyware that stole personal data from Steam game platform users. The attacker used several money extraction methods at once including, fraudulent roulettes (auctions, where users can sell different game items) won by bots but created by the fraudster, as well as malware rentals. To spread the Trojans, the cybercriminal used social engineering methods and fake websites.
Operating principles of spyware
In summer, Doctor Web analysts warned users about the new miner
In September, Doctor Web specialists discovered the banking malware
When users attempted to open the online banking page of various Brazilian financial organizations, the Trojan replaced it with a fake login and password entry form. In some cases, it prompted the user to specify the verification code from the text message they received from the bank. This information was then transmitted to attackers. Our virus analysts have identified over 340 unique instances of
Another investigation ended in mid-October. We looked into the activities of a cybercriminal in the cryptocurrency market. The attacker used a whole range of malware, such as Eredel, AZORult, Kpot, Kratos, N0F1L3, ACRUX, Predator The Thief, Arkei, Pony, and many more.To achieve their goals, they created several phishing websites to replicate real Internet resources. Among them were a fake cryptocurrency exchange, a pool of devices for Dogecoin mining, allegedly leased at competitive prices, and a partner program offering a reward for viewing Internet websites.
Another project is an online lottery with the prize consisting of a certain amount of Dogecoin cryptocurrency. Lotteries were designed in so that it was impossible for a third-party participant to win; only the organizer could make money. Other initiatives included, traditional phishing schemes and an affiliate program offering Dogecoins for browsing web pages with ads. When a user tried to download a client for that purpose, they would actually download a Trojan from the cybercriminal's website. Read more on these types of fraud in our article.
In November, the malware
According to Doctor Web analyst information, some 1,400 users have been affected by this Trojan by now, with the first cases occurring in 2013. See more information on this incident in the newsletter on our website.
Virus situation
According to Doctor Web statistics servers, 2018 saw many malicious JavaScript scripts embed third-party content into web pages and mine cryptocurrencies, as well as Trojan spyware and malicious loaders.
- JS.Inject
- A family of malicious JavaScripts that injects a malicious script into the HTML code of webpages.
JS.BtcMine - A family of JavaScript scenarios designed to covertly mine cryptocurrencies.
Trojan.SpyBot.699 - A multi-module banking Trojan. It allows cybercriminals to download and launch various applications on an infected device and their commands to be executed. The Trojan is intended to steal money from bank accounts.
JS.DownLoader - A family of malicious scripts written in JavaScript and designed to download and install other malware programs on a computer.
- Trojan.Starter.7394
- A Trojan whose main purpose is to launch an executable file with a specific set of malicious functions in an infected system.
- Trojan.Encoder.567
- An encryption ransomware Trojan that encrypts files and demands a ransom to decrypt the compromised data.
- JS.Miner
- A family of JavaScript scenarios designed to covertly mine cryptocurrencies.
- VBS.BtcMine
- A family of VBS scripts designed to covertly mine cryptocurrencies.
A similar picture is observed in the analysis of mail traffic; but overall, spyware Trojans are much more common in email attachments:
JS.DownLoader - A family of malicious scripts written in JavaScript and designed to download and install other malware programs on a computer.
- JS.Inject
- A family of malicious JavaScripts that injects a malicious script into the HTML code of webpages.
JS.BtcMine - A family of JavaScript scenarios designed to covertly mine cryptocurrencies.
Trojan.SpyBot.699 - A multi-module banking Trojan. It allows cybercriminals to download and launch various applications on an infected device and their commands to be executed. The Trojan is intended to steal money from bank accounts.
- Trojan.Encoder.567
- A malicious program belonging to the family of encryption ransomware Trojans that encrypt files and demand a ransom to decrypt compromised data.
Trojan.DownLoader - A family of malicious programs designed to download other malware to the compromised computer.
Trojan.PWS.Stealer - A family of Trojans designed to steal passwords and other confidential information stored on an infected computer.
- JS.Miner
- A family of JavaScript scenarios designed to covertly mine cryptocurrencies.
Encryption Trojans
Compared with the previous year, the number of user calls to Doctor Web technical support due to encryptions by Trojan encoders dropped in 2018. We saw a slight rise in the number of victims from May to August. The fewest calls were recorded in January, while November saw the greatest.
According to statistics, the
The most common ransomware programs in 2018:
Trojan.Encoder.858 — 19,83% requests;Trojan.Encoder.11464 — 9,64% requests;Trojan.Encoder.567 — 5,08% requests;Trojan.Encoder.11539 — 4,79% requests;- Trojan.Encoder.25574 — 4,46% requests.
Dr.Web Security Space for Windows protects against encryption ransomware
Linux malware
In 2018, malicious programs for Linux most often manifested themselves as miners. The first such attacks on Linux servers were detected by Doctor Web virus analysts in early May 2018. Cybercriminals connected to a server via SSH, selected a login and a password using bruteforce and then disabled the iptables utility controlling the firewall after successful authorization on the server. Then the attackers uploaded the miner utility and the configuration file to the compromised server. Some time later, they started using malware for this purpose. In August, virus analysts discovered the
Having investigated the server where this malware was downloaded from, our experts discovered Trojans with similar functions for Microsoft Windows. Read more about this incident in the article on our website.
In November, we discovered another Linux miner dubbed
Dangerous and non-recommended websites
Parental (Office) control and SpIDer Gate databases are regularly updated with new addresses of non-recommended and potentially dangerous websites. There are fraudulent and phishing resources, as well as malware distributing pages. This year’s trends for adding information to these databases is shown in the diagram below.
Network fraud
Internet fraud is a very common criminal business. In 2018, online criminals remained notably active. In early March, were detected bulk phishing emails, allegedly sent on behalf of the Mail.Ru Group. The attackers wanted to obtain the credentials of the Mail.Ru email server users; and thus used a fake website, which mimicked the design of this popular email service.
In May, we told our readers about another online fraud mechanism, which took advantage of generous offers for social benefits. The victims were lured to specifically created websites by spam and bulk text messages. Once there, they were offered an opportunity to receive refunds for overpayed public utilities, medical services, or compulsory insurance. To get the money, the criminals demanded a small sum be transferred to their account. Of course, no refunds was given to users who transferred the money.
Doctor Web experts revealed more than 110 similar websites between February and May 2018. In August, the attackers began sending letters to domain administrators registered with the RU-CENTER hosting provider. The cybercriminals demanded money for renewing soon-expiring domains, but indicated the details of their own Yandex.Money wallet instead of the official banking details of RU-CENTER.
Attackers often send emails on behalf of well-known companies. The popular Aliexpress online store was no exception. The criminals invited its regular customers to visit a special online store with numerous discounts and gifts.
The “store” was actually a page with links to various fraudulent marketplaces that sold substandard goods or goods at inflated prices. We are still not sure how the attackers managed to accumulate a database with the contact information of real Aliexpress customers.
Mobile devices
In the past year, Android device users were bombarded with malware. The list included banking Trojans trying to steal money from the users from Russia, Turkey, Brazil, Spain, Germany, France, and other states. In spring, virus analysts discovered the Trojan
In November, Doctor Web experts investigated the software
In December, we detected the Trojan
Throughout the year, virus writers were actively spreading Android bankers, based on the open source code of the Android Trojan
A lot of banking malware ended up on devices thanks to Trojan downloaders such as,
In 2018, Android users were again targeted by Trojans of the
Another Trojan of this family, added to the Dr.Web virus database as
To obtain money illegally, cybercriminals used other malicious programs as well, including Trojan miners such as
In autumn, Doctor Web experts discovered the
Virus writers actively used Trojans for fraudulent purposes. A popular scheme in 2018 was to offer of reward for participating in polls. When launched, such Trojans displayed a webpage created by the attackers. There, potential victims were asked to answer a few questions. To get money from users, some kind of verification or other form of payment was required; but after sending the funds, the users of the infected devices did not receive anything. Clicker malware that opened websites with ads and automatically clicked on them were also popular. See more details in the article.
Another type of fraud was to subscribe owners of Android mobile devices to expensive services. Trojans such as
In the year 2018, new cases of Android firmware infection were detected. We reported one of them in March. Virus analysts detected the Trojan
Prospects and possible trends
Even though 2018 saw no serious virus outbreaks, new waves of bulk distribution are quite possible in the future. The number of malicious scripts in various languages will continue to grow. Such scripts will not only target devices running Microsoft Windows, but also other systems, specifically Linux.
New Trojans for covertly mining cryptocurrency using the hardware of infected devices will appear as well. Cybercriminals are likely to remain interested in the Internet of Things, too. Trojans for smart devices already exist, but their number will surely grow in the near future.
There is also strong reason to believe that virus writers will be creating and distributing new Trojans for Google Android in 2019. This year’s trends have demonstrated that advertising and banking Trojans will most likely be prevalent among mobile malware.
Finally, the number of fraudulent emails is unlikely to decrease. Online fraudsters will continue inventing new ways to deceive Internet users. Be that as it may, new threats to information security will certainly appear in the coming year. This means it is very important to provide reliable and up-to-date antivirus protection for our devices.
