20.01 Dr.Web CureIt! updated
January 20, 2021
Now Dr.Web CureIt! features the most up-to-date version of Dr.Web Anti-rootkit API (12.5.17.202012070).
20.01 SpIDer Agent for Windows updated in Dr.Web 11.5 for Windows and Dr.Web Enterprise Security Suite 11.0
January 20, 2021
Now the registration wizard displays up-to-date information about Dr.Web Security Space trial licenses.
The update will be downloaded and installed automatically.
19.01 Doctor Web’s overview of virus activity on mobile devices in 2020
January 19, 2020
In 2020, trojans allowing cybercriminals to generate illegal profit were among the most widespread Android malware. Malicious apps capable of downloading and executing arbitrary code, as well as trojans designed to download and install software without users’ knowledge and consent, were among them. In addition, malware creators actively used various adware trojans and clicker trojans that loaded websites and clicked on web links.
Backdoors allowing attackers to remotely control infected devices and trojans turning Android gadgets into proxy servers for cybercriminals to redirect traffic also posed a serious threat.
Cyber espionage remains relevant. In the last 12 months, Android device owners were targeted by numerous applications allowing attackers to spy on them and control their actions. Many of these apps are not malicious in themselves, but they do pose a potential threat since they can be used with or without users’ permission.
There were also new threats on Google Play which is the official app store and the source for other digital content for the Android OS. Google Play is considered to be the most reliable place to download software and games, but attackers are still able to spread malware and unwanted apps there. Numerous adware trojans, bogus apps, and malware that subscribed users to premium services and were capable of executing arbitrary code, were among the threats Doctor Web’s specialists uncovered on the platform. Moreover, banking trojans and applications with built-in unwanted adware modules were also spread through Google Play.
In 2020, malicious actors actively exploited the COVID-19 pandemic to spread malware. Amid worldwide troubles, banking trojans, ransomware, spyware trojans, fraudulent software and other threats were seen targeting Android users.
PRINCIPAL TRENDS IN 2020
- New threats on Google Play
- Various packers and utilities used to protect malware and unwanted apps
- New trojans utilizing different techniques to conceal malicious functionality
- Adware trojans and malicious downloaders prevail among threats detected on Android devices
Most notable events
In March, Doctor Web’s malware analysts uncovered the trojan dubbed
Throughout the year our malware analysts discovered other trojans from the same family as
In May, Doctor Web’s specialists traced the spread of the new modification of the
Already in December, Doctor Web reported on the
Over the past 12 months, Doctor Web’s specialists found numerous threats on the Google Play app store. Adware trojans from the
Using the pandemic to their benefit, cybercriminals actively spread various Android malware as legitimate and useful software.
In March, for example, users were attacked by the
In May, the
Another COVID-19-related spyware trojan, dubbed
Upon launching, however, the trojan only loaded the original website in its window and proceeded to spy on the victim. It sent various confidential information to cybercriminals, including SMS, location data, phone call logs and contacts. It could also record the surrounding environment using the device’s microphone, take pictures and record videos using the camera.
Many banking trojans were among the malware spread amid the pandemic.
Furthermore, some banking trojans were spreading under the guise of apps that could allegedly help users receive financial support from the government. Amid the pandemic and the difficult financial situation it caused, many countries did, in fact, allocate money to support their citizens, and cybercriminals took advantage of this. For example, the
These bankers attempted to steal users’ logins and passwords to access their mobile banking accounts. To do so, the bankers displayed phishing windows on top of the legitimate banking software UI. Moreover, they were able to steal banking card information, intercept and send SMS, execute USSD commands, block the screen of the infected device and perform other malicious actions on attackers’ commands.
During the pandemic, the topics of welfare allowances, payouts and compensation were also regularly exploited. In particular, scammers were actively spreading various modifications of the
This type of malware loaded fraudulent websites where users were asked to provide their personal information, allegedly to verify whether any payout or compensation was available. After that, the websites imitated a database search and users were asked to provide their banking card information to pay a commission for the money “transfer” or a fee for the “registration” of documents. In reality, victims didn’t receive any payout or compensation. They were giving away their own money and providing cybercriminals with their confidential information.
Statistics
According to statistics collected by Dr.Web for Android anti-virus products, malicious applications were most often detected on Android devices. They accounted for 80.72% of the total number of identified threats. Adware, with a 15.38% detection share, was the second most common threat. Riskware ranked third, detected in 3.46% of cases. Potentially unwanted applications accounted for a mere 0.44% of all detections.
Trojans capable of downloading and executing arbitrary code, as well as downloading and installing other software, were among the most common malicious programs. They accounted for over 50% of the malware detected on Android devices. With that, various modifications of the
Adware trojans were among the most active threats as well. They accounted for almost a quarter of all malicious apps identified on protected devices. Numerous modifications of the
- Android.RemoteCode.246.origin
- Android.RemoteCode.6122
- Android.RemoteCode.256.origin
- Malicious applications that download and execute arbitrary code. Depending on their modification, they can load various websites, open web links, click on advertisement banners, subscribe users to premium services and perform other actions.
- Android.HiddenAds.530.origin
- Android.HiddenAds.1994
- Trojans designed to display obnoxious ads and distributed as popular applications. In some cases, they can be installed in the system directory by other malware.
- Android.Triada.491.origin
- Android.Triada.510.origin
- Multifunctional trojans that perform various malicious actions. This malware belongs to the trojan family that infects other apps’ processes. Some modifications of this family were found in the firmware of Android devices, implanted by attackers during manufacturing. Some of them can also exploit various vulnerabilities to gain access to protected system files and folders.
- Android.Click.311.origin
- Android.Click.334.origin
- Android.Click.348.origin
- Trojans that automatically load websites and click on links and banners. They can be spread as harmless apps so users don’t perceive them as threatening.
Applications that alerted Android users to nonexistent or fake threats and prompted them to buy the full version of software to “cure” their devices were some of the most common unwanted apps. Various spyware apps were also detected quite often.
- Program.FakeAntiVirus.2.origin
- The detection name for adware programs that imitate anti-virus software. These apps inform users of nonexistent threats, mislead them and demand that they purchase the full version of the software.
- Program.FreeAndroidSpy.1.origin
- Program.Mrecorder.1.origin
- Program.SpyPhone.4.origin
- Program.MobileTool.2.origin
- Program.Reptilicus.7.origin
- Program.MonitorMinor.1.origin
- Software that monitors Android user activity and may serve as a tool for cyber espionage. These apps can track device locations, collect information from SMS and social media messages, copy documents, photos and videos, spy on phone calls, etc.
- Program.RiskMarket.1.origin
- An app store that contains trojan software and recommends users install it.
- Program.WapSniff.1.origin
- An Android program designed to intercept messages from WhatsApp.
Programs capable of downloading and running other apps without installing them were among the most common riskware. Dr.Web for Android anti-virus products also detected a large number of apps protected by special packers and obfuscators on Android devices. Cybercriminals often use these tools to protect malware and unwanted software from detection by anti-virus software.
- Tool.Obfuscapk.1
- The detection name for applications protected by the Obfuscapk obfuscation tool. This tool is used to automatically modify and scramble Android apps’ source code to make reverse engineering more difficult. Cybercriminals use the tool to protect malicious applications from being detected by anti-virus programs.
- Tool.SilentInstaller.6.origin
- Tool.SilentInstaller.14.origin
- Tool.SilentInstaller.11.origin
- Tool.SilentInstaller.13.origin
- Tool.SilentInstaller.7.origin
- Tool.SilentInstaller.10.origin
- Tool.VirtualApk.1.origin
- Riskware platforms that allow applications to launch APK files without installation. They create a virtual runtime environment that does not affect the main operating system.
- Tool.Rooter.3
- A utility designed to obtain root privileges on Android devices. Ordinary users, cybercriminals and malware may all use it.
- Tool.Packer.1.origin
- A packer tool designed to protect Android applications from unauthorised modification and reverse engineering. This tool is not malicious itself, but it can be used to protect both harmless and malicious software.
The most widespread adware were advertising modules displaying ads in the notification panel of Android devices. They also displayed obnoxious banners atop other apps’ windows and the operating system UI.
- Adware.AdPush.36.origin
- Adware.AdPush.6547
- Adware.MyTeam.2.origin
- Adware.Mobby.5.origin
- Adware.Toofan.1.origin
- Adware.SspSdk.1.origin
- Adware.Jiubang.2
- Adware.Gexin.2.origin
- Adware.Dowgin.5.origin
- Adware.Zeus.1
- Program modules incorporated into Android applications and designed to display obnoxious ads on Android devices. Depending on their family and modifications, they can display full-screen ads and block other apps’ windows, show various notifications, create shortcuts and load websites.
Banking trojans
In 2020, the intensity of attacks using banking trojans remained approximately the same throughout the first three quarters. A noticeable increase in their activity was observed only in spring, which coincided with the beginning of the pandemic.
With the onset of autumn and the second wave of the coronavirus outbreak, the number of banking trojan detections rose significantly and remained at high levels until the end of the year. Their activity peaked in September. The reason for this was that in August the Cerberus banking trojan source code was leaked to the public, making it possible for other malware creators to build their own bankers on that code. Dr.Web anti-virus products detect various samples of Cerberus as modifications of the
Banking malware found its way onto the Android devices using various means, including downloads from malicious websites. Apart from the bogus coronavirus-related sites mentioned earlier, cybercriminals created many other fake online resources. For instance,
Cybercriminals that attacked Japanese users were creating fictitious post office and delivery services websites from which various Android banking trojans were downloaded onto victims’ devices.
The Google Play app catalogue was another common spreading route. In June, for example, Doctor Web’s virus analysts discovered several banking trojans there. One of them was
In June, the
Prospects and trends
Cybercriminals are continuously searching for innovative ways to protect their malware. In 2021, we can expect the emergence of more multifunctional threats and trojans protected with various packers designed to interfere with anti-virus software detection capabilities.
Malware creators will continue using malicious software to generate illicit profits. In turn, users will likely face new adware trojans, software downloaders and clickers created and used for various criminal profiteering schemes.
Cyber espionage and targeted attacks will also remain a threat. Finally, it is highly likely that malware designed to infect Android devices by exploiting system or network vulnerabilities will emerge. To protect your Android device from malware, unwanted programs and other threats, we recommend installing Dr.Web for Android. It is also necessary to install all the available system updates and latest versions of the software you use.
19.01 Doctor Web’s annual virus activity review for 2020
January 19, 2021
In 2020, among the most common threats users faced en masse were trojan droppers, which distribute and install other malware, and numerous advertising applications that interfere with the normal functioning of devices. Various modifications of trojan downloaders running executable files with a set of malicious functions were also a common threat. In addition, hacker groups were actively distributing trojan programs that exploit the functionality of popular remote desktop software. The Doctor Web virus laboratory registered several attacks using RAT malware, which allows attackers to remotely control infected computers and deliver a malicious payload.
Also this year, Doctor Web analysts investigated several large-scale, targeted attacks aimed at the corporate sector. During the investigation, several trojan families that infected the computers of various state institutions were discovered.
The most active threats among mail traffic included banking trojans, stealers, various modifications of backdoors written in VB.NET, as well as malicious scripts that redirected users to dangerous and unwanted websites. The attackers also used email to actively distribute programs that exploit vulnerabilities in Microsoft Office documents.
Even though most of the detected malware targeted Windows users, computer owners operating macOS were also at risk. During the year, macOS users were continually threatened by trojan encoders, spyware and rootkits that hid running processes. Adware installers disguised as various common and even useful applications were also actively distributed. They served to place potentially dangerous payloads onto computers. Users who disabled the built-in security systems and downloaded applications from untrusted sources were most at risk.
Android mobile device users were also threatened by adware, spyware and banking trojans, as well as all sorts of malicious droppers that downloaded other malicious applications and executed arbitrary code. Much of the malware was distributed via the Google Play catalog.
Principal trends of the year
- A growing number of targeted attacks, including those involving ransomware
- An increase in the number of phishing attacks and campaigns using social engineering
- New threats to macOS
- Rapid distribution of Android malware throughout Google Play
Most notable events of 2020
In February, Doctor Web virus analysts reported that the VSDC video editor’s download link had been compromised on the popular software platform CNET. Instead of the genuine program, visitors received a modified installer bundled with malicious software, allowing cybercriminals to access the infected computers remotely. The remote access was accomplished using TeamViewer components and the BackDoor.TeamViewer malicious library, which established an unauthorized connection. Using the backdoor, attackers were able to deliver payloads in the form of other malicious applications to infected devices.
In March, Doctor Web virus analysts reported that certain websites, from blogs to corporate pages created using the WordPress CMS, had been compromised. A JavaScript script embedded in the hacked pages’ code redirected visitors to a phishing site where they were prompted to install an important security update for Chrome. The downloadable file was a malware installer that allowed attackers to remotely access and control the infected computers. This time, attackers again used legitimate TeamViewer components with a trojan library that established a connection and concealed the running program.
In the summer of 2020, the Doctor Web virus laboratory released a large-scale study of malware used in APT attacks on government institutions in Kazakhstan and Kyrgyzstan. During the investigation, analysts discovered a previously unknown family of multi-module trojan programs called XPath, designed to gain entry into computers and then perform various malicious actions at the command of intruders. The trojan used a complex infection mechanism in which each program component corresponds to a specific stage of malware operation. The XPath family also has a rootkit for hiding network activity and any trace of its presence within a compromised system.
The Doctor Web virus laboratory later received new samples of malware found on the infected computers in the local network of a Kyrgyzstan state institution. The most interesting finding was a multi-module backdoor called ShadowPad, which according to our data, may be an evolution of another multi-module APT backdoor — PlugX, also previously found lurking in compromised state networks. Code similarities between the ShadowPad and PlugX malware samples, as well as some intersections in their network infrastructure, were covered in a separate study.
In September, Doctor Web reported the detection of a spear-phishing campaign using social engineering, aimed at several Russian fuel and energy companies. For the initial infection, attackers used emails with malicious attachments. Upon being opened, they installed backdoors that allowed cybercriminals to take control of infected computers. Analysis of the documents, malware and infrastructure used allowed us to conclude that one of the Chinese APT groups carried out the attack.
In November, Doctor Web virus analysts detected a phishing attack targeting corporate users. The emails in question contained trojan malware that covertly installs and launches Remote Utilities software. The software components were also included in the attachment. The attackers used social engineering to trick potential victims into opening the malicious attachments.
This email was disguised as an official notification requesting the recipient appear at the Prosecutor's office for investigative actions in a criminal case.
Malware landscape
Analysis of Dr.Web’s statistics showed that in 2020, users were most often exposed to trojan droppers and downloaders that installed other malicious applications and executed arbitrary code. Additionally, trojans and scripts that covertly mine cryptocurrency on devices continued to threaten users.
- Trojan.BPlug.3867
- A malicious browser extension designed to perform web injections into viewed webpages and block third-party advertisements.
- Trojan.Starter.7394
- A trojan whose main purpose is to launch an executable file with a specific set of malicious functions within an infected system.
- Trojan.MulDrop9.2530
- A trojan dropper that distributes and installs malware.
- Win32.HLLW.Rendoc.3
- A network worm that, among other channels, spreads via removable storage media.
- VBS.BtcMine.13
- A malicious script written in VBS and designed to covertly mine cryptocurrencies.
- JS.IFrame.634
- A script incorporated into HTML pages. Upon opening these pages, the script redirects users to malicious or unwanted websites.
- Trojan.Encoder.11432
- A multi-component network worm known as WannaCry. The malicious program itself has several components; the trojan encoder is only one of them.
- Trojan.InstallCore.3553
- A family of obfuscated installers that uses unscrupulous methods to distribute the bundled software.
- Win32.Virut.5
- A polymorphic virus that infects executable files. It is used to manage infected computers over an IRC channel.
- Trojan.BtcMine.3165
- A trojan program that silently mines cryptocurrency using the computing power of the infected devices.
Email traffic was dominated by bankers, backdoors and malware that exploits vulnerabilities in Microsoft Office programs. In addition, cybercriminals distributed scripts for concealed mining, as well as for phishing and redirecting users to unwanted and potentially dangerous sites.
- Trojan.SpyBot.699
- A multi-module banking trojan that allows cybercriminals to download and launch various applications on an infected device and run arbitrary code.
- Exploit.CVE-2012-0158
- A modified Microsoft Office document that exploits the CVE-2012-0158 vulnerability in order to run malicious code.
- W97M.DownLoader.2938
- A family of downloader trojans that exploits vulnerabilities in Microsoft Office documents and can download other malicious programs onto a compromised computer.
- JS.Redirector.407
- Malicious JavaScript script placed in the code of web pages. It is designed to redirect users to phishing or advertising sites.
- Exploit.ShellCode.69
- A malicious Microsoft Office Word document that exploits the CVE-2017-11882 vulnerability.
- JS.Phishing.70
- Malicious JavaScript script that generates a phishing web page.
- VBS.BtcMine.13
- A malicious script written in VBS and designed to covertly mine cryptocurrencies.
- JS.BtcMine.86
- A malicious script written in JavaScript and designed to covertly mine cryptocurrencies.
- BackDoor.SpyBotNET.25
- A backdoor written in .NET and designed to operate on the file system (copying, creating and deleting directories, etc.), terminate processes, and take screenshots.
- JS.Miner.11
- A family of JavaScript scripts designed to covertly mine cryptocurrencies.
Encryption ransomware
In 2020, Doctor Web’s virus laboratory registered 18.4% fewer requests to decode files encoded by trojan ransomware than in 2019. See the request dynamics for 2020 below.
The most common ransomware programs in 2020:
- Trojan.Encoder.26996
- A trojan encoder known as STOP Ransomware. It attempts to obtain a private key from the server, and in cases of failure, uses the hardcoded one. It is one of the few encoders that encrypts user data with the Salsa20 stream cipher.
- Trojan.Encoder.567
- A trojan encoder written in Delphi. This encoder has many versions that use various encryption algorithms. It is generally distributed as an email attachment.
- Trojan.Encoder.29750
- This trojan encoder belongs to the Limbo/Lazarus family. It carries a hardcoded key, which is used when it is not possible to connect to the C&C server and upload the private portion of the generated key.
- Trojan.Encoder.858
- A trojan encoder known as Troldesh Ransomware. It is compiled using Tor, which is initialized immediately upon launch. The connection is made to one of the bridges, the address of which is hardcoded into the trojan. It uses the AES algorithm in CBC mode to encrypt user data.
- Trojan.Encoder.11464
- A trojan encoder known as Scarab Ransomware. It was first discovered in June 2017. It was initially distributed via the Necurs botnet. It uses the AES-256 and RSA-2048 algorithms to encrypt user data.
Dangerous and non-recommended websites
SpIDer Gate's Parental (Office) Control and Web Antivirus databases are regularly updated with new addresses of non-recommended and potentially dangerous websites. Among them are many fraudulent and phishing resources, as well as malware-distributing pages. The largest number of such websites was recorded in the third quarter, and the lowest in the second quarter. See the dynamics of the updates to the databases over the last year below.
Network fraud
In February, Doctor Web experts warned users about the launch of a large-scale phishing campaign on Instagram. The campaign was based on messages to users about a one-off payment to all Russian citizens. Fraudsters presented the information as extracts from news releases, using relevant fragments from real broadcasts. The advertising video also had additional frames showing someone using a phishing website and browsing its pages, which were presented as official resources of the Russian Ministry of Economic Development.
During 2020, Doctor Web’s Internet analysts identified numerous fraudulent websites presented as official resources of state organizations. Cybercriminals most commonly offered non-existent compensation to targets or proposed that they invest in large companies.
To get the promised benefits, visitors were most often coaxed into entering their personal data, including banking card details, and making an advance payment. Thus, victims lost money and unknowingly handed their personal data to scammers.
Mobile devices
In 2020, Android device users were threatened by various malicious and unwanted applications. For example, users often encountered various modifications of adware trojans displaying obnoxious notifications and banners. Many malicious programs of the
In addition, in March, virus analysts discovered a multifunctional trojan on Google Play —
Various trojan downloaders were also a common threat. They included a large number of malicious apps from the
Potentially dangerous utilities that allow apps to run without installation were also widespread. They included the
To spread malicious and unwanted applications, cybercriminals actively exploited the COVID-19 pandemic. For example, they created various fraudulent websites where victims were tricked into installing reference or medical apps related to the coronavirus, as well as applications for obtaining welfare assistance. In fact, spyware, various bankers, ransomware, and other malware were downloaded from such websites to the Android devices.
During the year, Doctor Web’s virus analysts identified many malicious applications of the
Also in 2020, the virus laboratory uncovered numerous Android applications that enable tracking of device owners. These apps could be used for cyber espionage and for collecting a wide range of personal information — from correspondence, photos and documents, to personal contact lists, device location, contact information, phone conversations, etc.
Prospects and possible trends
The past year has demonstrated the steady spread of not only mass malware, but also APT threats faced by organizations worldwide.
Digital ransomware is expected to continue spreading in 2021, with targeted attacks using encryption ransomware increasingly targeting private companies and the corporate sector. The expansion of the RaaS model (Ransomware as a Service) has facilitated this development. Possible reductions in information security costs may also lead to the number of such incidents rising rapidly.
Banking and adware trojans, miners and encoders, as well as spyware will continue to threaten users in 2021. Besides that, new fraudulent schemes and phishing campaigns are likely to emerge as attackers try to obtain money and personal data.
Owners of devices running macOS, Android, Linux and other operating systems will remain targets, and malware will continue to spread to these platforms. Attacks on IoT devices are also expected to become more frequent and sophisticated. It is safe to say that cybercriminals will continue using any means necessary to develop these attacks, so users need to comply with information security rules and apply reliable anti-virus tools on all devices.
19.01 Dr.Web KATANA 1.0 updated
January 19, 2021
Now that Windows server versions are supported, Dr.Web KATANA is available under the Dr.Web Server Security Suite license to further enhance the security of file and application servers and keep them protected from brand-new threats.
The user guide has also been made current.
The update will be downloaded and installed automatically.
19.01 Doctor Web’s 2020 mobile malware activity overview
January 19, 2020
19.01 Doctor Web presents its 2020 malware overview
January 19, 2021
In 2020, the major large-scale threats were not only the spread of malware but also growing online fraud. According to statistics, Dr.Web anti-virus software most often neutralized various trojans, spyware, malicious scripts and numerous loaders that downloaded other dangerous and unwanted programs. The outgoing year was also marked by attacks on a number of enterprises and organizations. During an in-depth investigation, Doctor Web virus analysts uncovered and studied many samples of specialized malware. Owners of Android mobile devices were not spared either; attackers actively distributed malicious applications by various means, including through the Google Play catalog. Read about these and other events in the final review of malware activity over the past year on our website.
11.01 Agent updated in Dr.Web 12.0 for Windows, Dr.Web Enterprise Security Suite 12.0, and Dr.Web AV-Desk 13.0
January 11, 2021
Now the registration wizard displays up-to-date information about Dr.Web Security Space trial licenses.
The update will be downloaded and installed automatically.
2020
31.12 Doctor Web’s December 2020 virus activity review
December 31, 2020
Our December analysis of Dr.Web’s statistics revealed an 11.49% decrease in the total number of threats compared to the previous month. The number of unique threats also dropped by 24.51%. Adware and malicious browser extensions still made up the majority of detected threats. Email traffic was dominated by various malware, including the
The number of requests to decrypt files affected by trojan encoders decreased by 31.54% compared to November.
Principal trends in December
- A decline in malware spreading activity
- Adware remains among the most active threats
- A decline in the number of unique threats in email traffic
According to Doctor Web’s statistics service
The most common threats in December:
- Adware.SweetLabs.4
- An alternative app store and add-on for Windows GUI from the creators of Adware.Opencandy.
- Trojan.BPlug.3867
- A malicious browser extension designed to perform web injections into viewed webpages and block third-party advertisements.
- Adware.Elemental.17
- Adware that spreads through file sharing services as a result of link spoofing. Instead of normal files, victims receive applications that display advertisements and install unwanted software.
- Adware.Softobase.15
- Installation adware that spreads outdated software and changes the browser settings.
- Adware.Downware.19741
- Adware that often serves as an intermediary installer of pirated software.
Statistics for malware discovered in email traffic
- Trojan.SpyBot.699
- A multi-module banking trojan that allows cybercriminals to download and launch various applications on an infected device and run arbitrary code.
- Tool.KMS.7
- Hacking tools used to activate illegal copies of Microsoft software.
- W97M.DownLoader.2938
- A family of downloader trojans that exploits vulnerabilities in Microsoft Office documents and can download other malicious programs to a compromised computer.
- Trojan.PackedNET.405
- An obfuscated version of a stealer written in VB.NET. It can be used as a keylogger and is designed to steal confidential data.
- Exploit.ShellCode.69
- A malicious Microsoft Office Word document that exploits the CVE-2017-11882 vulnerability.
Encryption ransomware
In December, Doctor Web’s virus laboratory registered 28.41% fewer requests to decode files encoded by trojan ransomware than in November.
- Trojan.Encoder.26996 — 37.14%
- Trojan.Encoder.567 — 20.00%
- Trojan.Encoder.29750 — 3.17%
- Trojan.Encoder.11549 — 1.27%
- Trojan.Encoder.30356 — 1.27%
Dr.Web Security Space for Windows protects against encryption ransomware
Dangerous websites
In December 2020, Doctor Web added 105,840 URLs to the Dr.Web database of non-recommended websites.
November 2020 | December 2020 | Dynamics |
---|---|---|
+ 154,606 | + 105,840 | - 31.54% |
Malicious and unwanted programs for mobile devices
In December, Dr.Web’s statistics for Android devices showed a 25.34% decrease in the total number of threats on protected devices compared with November. Users most often encountered adware trojans, as well as malicious applications that download other software and execute arbitrary code.
Another threat,
Also in December, various banking trojans attacked users of Android devices.
The following December events related to mobile malware are the most noteworthy:
- A decline in malware activity on protected devices
- The detection of a new malicious program on Google Play
Find out more about malicious and unwanted programs for mobile devices in our special overview.
Learn more with Dr.Web
31.12 Malware on Google Play, banking trojans and other events in Dr.Web’s December 2020 mobile malware activity review
December 31, 2020
31.12 Doctor Web’s December 2020 review of virus activity on mobile devices
December 31, 2020
In December, Dr.Web anti-virus products for Android detected 25.34% fewer threats than in November. According to detection statistics, the number of malware decreased by 25.35%, unwanted software by 21%, riskware by 68.1%, and adware by 25.01%. Android users most commonly encountered ad trojans, malware capable of executing arbitrary code, and various downloader trojans.
In the middle of the month, Doctor Web malware analysts uncovered a multifunctional trojan on Google Play. Dubbed
PRINCIPAL TRENDS IN DECEMBER
- A decreased number of threats detected on Android devices
- Advertising and downloader trojans remain among the most active Android threats
- Cybercriminals continue exploiting the COVID-19 pandemic when organizing their attacks
According to statistics collected by Dr.Web for Android
- Android.RemoteCode.284.origin
- A malicious application that downloads and executes arbitrary code. Depending on its modification, it can load various websites, open web links, click on advertising banners, subscribe users to premium services and perform other actions.
- Android.Triada.510.origin
- A multifunctional trojan performing various malicious actions. This malware belongs to the trojan family that infects other apps’ processes. Some modifications of this family were found in the firmware of Android devices, which attackers implanted during manufacturing. Some of them can also exploit various vulnerabilities to gain access to protected system files and folders.
- Android.HiddenAds.1994
- Android.HiddenAds.518.origin
- Trojans designed to display obnoxious ads and distributed as popular applications. In some cases, they can be installed in the system directory by other malware.
- Android.Click.348.origin
- A malicious application that loads websites, clicks on banner ads, and follows links. It can be distributed as a harmless program without arousing suspicion among users.
- Program.FreeAndroidSpy.1.origin
- Program.NeoSpy.1.origin
- Software that monitors Android user activity and may serve as a tool for cyber espionage. These apps can track device locations, collect information from SMS and social media messages, copy documents, photos and videos, spy on phone calls, etc.
- Program.FakeAntiVirus.2.origin
- The detection name for adware programs that imitate anti-virus software. These apps inform users of non-existent threats, mislead them and demand they purchase the full version of the software.
- Program.CreditSpy.2
- The detection name for programs designed to assign credit ratings to users based on their personal data. These applications upload SMS, contact information from phonebooks, call history and other information to a remote server.
- Program.KeyLogger.2.origin
- An Android app that allows recording keystrokes. This program is not malicious itself, but can be used to spy on users and steal their confidential information.
- Tool.Obfuscapk.1
- The detection name for applications protected by the Obfuscapk obfuscation tool. This tool is used to automatically modify and scramble Android apps’ source code to make reverse engineering more difficult. Cybercriminals use the tool to protect malicious applications from being detected by anti-virus programs.
- Tool.SilentInstaller.14.origin
- Tool.SilentInstaller.6.origin
- Tool.SilentInstaller.13.origin
- Tool.SilentInstaller.8.origin
- Riskware platforms that allow applications to launch APK files without installation. They create a virtual runtime environment that does not affect the main operating system.
- Adware.SspSdk.1.origin
- Adware.Adpush.36.origin
- Adware.Adpush.6547
- Adware.Myteam.2.origin
- Adware.Overlay.1.origin
- Program modules incorporated into Android applications and designed to display obnoxious ads on Android devices. Depending on their family and modifications, they can display full-screen ads and block other apps’ windows, show various notifications, create shortcuts and load websites.
Threats on Google Play
In December, Doctor Web malware analysts uncovered yet another trojan on Google Play. Dubbed
Banking trojans
The
Once installed, the bankers requested access to the Accessibility Service in order to gain more privileges. They then hid their icons from the app list on the home screen and executed their main malicious routine. The bankers tried to steal confidential information through phishing windows displayed on top of other apps’ windows, intercepted SMS messages, could lock the screen, and performed other malicious actions.
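The behaviour described above (a request for the Accessibility Service, phishing windows drawn over other apps, SMS interception, screen locking) leaves static traces in an APK's decoded AndroidManifest.xml. The Python script below is an added example for this page, not Doctor Web's code or part of Dr.Web for Android: it triages a decoded manifest for those markers and scores how many of the four banker signals are present. The manifest it runs on is constructed for the example; the package name com.example.bankmobile and its component names are invented.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # namespace of android:* attributes

ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"
DEVICE_ADMIN = "android.permission.BIND_DEVICE_ADMIN"
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
LAUNCHER = "android.intent.category.LAUNCHER"


def _qualified(pkg: str, el) -> str:
    """Expand the '.Name' shorthand used in manifests to the full class name."""
    name = el.get(A + "name") or ""
    return pkg + name if name.startswith(".") else name


def triage_manifest(xml_text: str) -> dict:
    root = ET.fromstring(xml_text)
    pkg = root.get("package", "")
    app = root.find("application")
    requested = {p.get(A + "name") for p in root.iter("uses-permission")}

    report = {
        "package": pkg,
        # A service guarded by BIND_ACCESSIBILITY_SERVICE is what the user is nagged to enable.
        "accessibility_services": [_qualified(pkg, s) for s in app.iter("service")
                                   if s.get(A + "permission") == ACCESSIBILITY],
        # A device-admin receiver lets the app lock the screen and resist removal.
        "device_admin_receivers": [_qualified(pkg, r) for r in app.iter("receiver")
                                   if r.get(A + "permission") == DEVICE_ADMIN],
        # Overlay permission: phishing windows drawn on top of the real banking app.
        "overlay": OVERLAY in requested,
        "sms_permissions": sorted(requested & SMS_PERMS),
        "sms_receivers": [],
        "launcher_components": [],
    }
    for recv in app.iter("receiver"):
        for filt in recv.iter("intent-filter"):
            if any(a.get(A + "name") == SMS_RECEIVED for a in filt.iter("action")):
                # A high priority lets the receiver see the SMS before the default app does.
                report["sms_receivers"].append(
                    (_qualified(pkg, recv), int(filt.get(A + "priority", "0"))))
    for comp in list(app.iter("activity")) + list(app.iter("activity-alias")):
        for filt in comp.iter("intent-filter"):
            if any(c.get(A + "name") == LAUNCHER for c in filt.iter("category")):
                report["launcher_components"].append(_qualified(pkg, comp))

    signals = (bool(report["accessibility_services"]), report["overlay"],
               bool(report["sms_permissions"] or report["sms_receivers"]),
               bool(report["device_admin_receivers"]))
    report["risk"] = sum(signals)  # 0..4; three or more matches the banker profile above
    return report


# Constructed manifest for the example (invented package and component names).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.bankmobile">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="Bank Mobile">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name=".AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <receiver android:name=".SmsReceiver" android:exported="true">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

The script expects the manifest already decoded from binary AXML (for example by apktool or androguard). Icon hiding is done at runtime, typically by disabling the launcher component, so the launcher list only records what the app declares; the three permission-based signals are the ones that survive static inspection.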
To protect your Android device from malware and unwanted programs, we recommend installing Dr.Web for Android.

Your Android needs protection.
Use Dr.Web
- The first Russian anti-virus for Android
- Over 140 million downloads—just from Google Play
- Available free of charge for users of Dr.Web home products
31.12 A decline in malware activity and other events of December 2020
December 31, 2020
29.12 The next Anti-virus Times issue will be published after the New Year and Christmas holidays
December 29, 2020
The next issue will be published in the new year, on January 11, 2021. We will continue to cover current events in the field of information security (and beyond), providing commentary and, of course, recommendations that will help our readers protect their systems even from the most sophisticated Internet threats and cybercriminals.
Happy Holidays and Happy New Year! May you enjoy maximum protection from viruses (both real and computer) — and let's continue broadening our horizons together!
17.12 Components updated in Dr.Web 12.0 for Windows and Dr.Web Enterprise Security Suite 12.0
December 17, 2020
Changes made to Dr.Web Updater:
- An issue preventing proxy servers from being used for updating in some situations has been resolved.
Changes made to Dr.Web Security Space setup, Dr.Web Anti-virus for Windows setup and Dr.Web Anti-virus for Windows servers setup:
- The application setup now checks whether the hashing algorithm SHA-256 is supported by the system;
- An issue that under certain circumstances could prevent the software from being installed from a network drive has been resolved;
- Also resolved was a defect causing the Modify and Remove setup dialogue to use a different language (other than the current application language).
The update will be downloaded and installed automatically.
17.12 Components updated in Dr.Web 11.5 for Windows, Dr.Web Enterprise Security Suite 10.1 and 11.0, and Dr.Web AV-Desk 10.1
December 17, 2020
Changes made to Lua-script main:
- The update addresses an issue preventing a system restart prompt from being displayed after certain modules were updated in Dr.Web Enterprise Security Suite 10.1 and Dr.Web AV-Desk 10.1.
Dr.Web 11.5 for Windows, Dr.Web Enterprise Security Suite 10.1 and 11.0 will be updated automatically. A system restart will be required to apply the update for Dr.Web AV-Desk 10.1.
16.12 Doctor Web’s November 2020 virus activity review
December 16, 2020
Our November analysis of Dr.Web’s statistics revealed a 1.75% decrease in the total number of threats compared to the previous month. With that, the number of unique threats increased by 5.26%. Users were mostly exposed to adware and trojan downloaders. Email traffic was dominated by various malware that includes a backdoor written in .NET, the
The number of requests to decrypt files affected by trojan encoders decreased by 3.08% compared to October.
Principal trends in November
- Adware remains among the most active threats
- A rise in unique malware in email traffic
Threat of the month
In November 2020, Doctor Web virus analysts detected a phishing attack targeting corporate users. The attackers used social engineering to trick potential victims into opening malicious attachments. The emails in question carried trojans that covertly install and launch the Remote Utilities remote-access software; the software’s components were included in the attachment. In the event of a successful attack, the affected computer is exposed to unauthorized remote control without any visible sign of a running program.
According to Doctor Web’s statistics service
The most common threats in November:
- Adware.Elemental.17
- Adware that spreads through file sharing services as a result of link spoofing. Instead of normal files, victims receive applications that display advertisements and install unwanted software.
- Adware.Softobase.15
- Installation adware that spreads outdated software and changes the browser settings.
- Adware.Downware.19741
- Adware that often serves as an intermediary installer of pirate software.
- Trojan.LoadMoney.4022
- A family of malware installers that deploys additional components on victims’ computers along with the required applications. Some trojan modifications can collect various information about the attacked computer and transmit it to hackers.
- Trojan.InstallCore.3949
- A family of obfuscated installers that uses unscrupulous methods to distribute the bundled software.
Statistics for malware discovered in email traffic
- Tool.KMS.7
- Hacking tools used to activate illegal copies of Microsoft software.
- BackDoor.SpyBotNET.25
- A backdoor written in .NET and designed to operate with a file system (to copy, create, delete catalogs, etc.), terminate processes, take screenshots.
- Trojan.SpyBot.699
- A multi-module banking trojan that allows cybercriminals to download and launch various applications on an infected device and run arbitrary code.
- HTML.Fisher.284
- An HTML phishing page that includes a form for filling in credentials to access an email account.
- W97M.DownLoader.2938
- A family of downloader trojans that exploits vulnerabilities in Microsoft Office documents to download other malware onto a compromised computer.
Encryption ransomware
In November, Doctor Web’s virus laboratory registered 3.08% fewer requests to decode files encoded by trojan ransomware than in October.
- Trojan.Encoder.26996 — 36.68%
- Trojan.Encoder.567 — 10.03%
- Trojan.Encoder.29750 — 4.49%
- Trojan.Encoder.11464 — 1.85%
- Trojan.Encoder.30356 — 1.85%
Dr.Web Security Space for Windows protects against encryption ransomware
Dangerous websites
In November 2020, the database of non-recommended and malicious websites was updated with 154,606 webpages.
October 2020 | November 2020 | Dynamics |
---|---|---|
+ 157,076 | + 154,606 | - 1.57% |
Malicious and unwanted programs for mobile devices
In November, Dr.Web’s statistics for Android devices showed a 5.14% decrease in the total number of threats on protected devices compared with October.
Google Play is still vulnerable to hosting various malicious apps. In the past month Doctor Web virus analysts discovered other trojans within the catalog. They include modifications of
The following November events regarding mobile malware are the most noteworthy:
- A decline in malware activity on protected devices
- Detection of new trojans on Google Play
Find out more about malicious and unwanted programs for mobile devices in our special overview.
Learn more with Dr.Web
16.12 An upturn of malicious activity in email traffic and other events of November 2020
December 16, 2020
16.12 Doctor Web’s November 2020 review of virus activity on mobile devices
December 16, 2020
Dr.Web anti-virus products for Android detected 5.14% fewer threats compared to October. According to detection statistics, the number of malware found on protected devices decreased by 8.37%. The number of unwanted apps, riskware and adware, on the contrary, increased by 5.78%, 13.16% and 5.72% respectively.
The
Our specialists also discovered new modifications of the trojans from the
PRINCIPAL TRENDS IN NOVEMBER
- A decrease in the number of threats detected on Android devices
- New malware discovered on Google Play
Threat of the month
In the middle of November, Doctor Web’s malware analysts uncovered the
For example, the
This trojan also functions to silently open web links. To do so, malefactors send
What’s more, the trojan attempts to monetize recent app installations. For that, it tracks which applications the user installs and uninstalls. If the received commands contain links that lead to the Google Play apps’ pages,
If the targeted apps haven’t been installed, the trojan remembers the information related to them and waits for the user to install these apps. Upon their installation, it attempts to trick the analytics service the same way.
Read more about
According to statistics collected by Dr.Web for Android
- Android.Click.348.origin
- A trojan that automatically loads websites and clicks on links and advertisement banners. It can be spread as a harmless app so users don’t perceive it as threatening.
- Android.Triada.510.origin
- Android.Triada.541.origin
- Multifunctional trojans that perform various malicious actions. This malware belongs to the trojan family that infects other apps’ processes. Some modifications of this family were found in the firmware of Android devices, which attackers implanted during manufacturing. Some of them can also exploit various vulnerabilities to gain access to protected system files and folders.
- Android.RemoteCode.6122
- A malicious application that downloads and executes arbitrary code. Depending on its modification, it can load various websites, open web links, click on advertisement banners, subscribe users to premium services and perform other actions.
- Android.HiddenAds.518.origin
- A trojan designed to display obnoxious ads and distributed as popular applications. In some cases, it can be installed in the system directory by other malware.
- Program.FreeAndroidSpy.1.origin
- Program.Reptilicus.7.origin
- Program.Mrecorder.1.origin
- Software that monitors Android user activity and may serve as a tool for cyber espionage. These apps can track device locations, collect information from SMS and social media messages, copy documents, photos and videos, spy on phone calls, etc.
- Program.FakeAntiVirus.2.origin
- The detection name for adware programs that imitate anti-virus software. These apps inform users of non-existent threats, mislead them and demand they purchase the full version of the software.
- Program.CreditSpy.2
- The detection name for programs designed to assign credit ratings to users based on their personal data. These applications upload SMS, contact information from phonebooks, call history and other information to a remote server.
- Tool.Obfuscapk.1
- The detection name for applications protected by the Obfuscapk obfuscation tool. This tool is used to automatically modify and scramble Android apps’ source code to make reverse engineering more difficult. Cybercriminals use the tool to protect malicious applications from being detected by anti-virus programs.
- Tool.SilentInstaller.14.origin
- Tool.SilentInstaller.6.origin
- Tool.SilentInstaller.13.origin
- Tool.SilentInstaller.7.origin
- Riskware platforms that allow applications to launch APK files without installation. They create a virtual runtime environment that does not affect the main operating system.
- Adware.Adpush.36.origin
- Adware.SspSdk.1.origin
- Adware.Adpush.6547
- Adware.Myteam.2.origin
- Adware.Toofan.1.origin
- Program modules incorporated into Android applications and designed to display obnoxious ads on Android devices. Depending on their family and modifications, they can display full-screen ads and block other apps’ windows, show various notifications, create shortcuts and load websites.
Threats on Google Play
With
These trojans downloaded and executed arbitrary code and were able to subscribe users to premium mobile services, intercepting confirmation codes from incoming notifications.
To protect your Android device from malware and unwanted programs, we recommend installing Dr.Web for Android.

16.12 Increased threats to Android, trojans on Google Play and other events in Dr.Web’s November 2020 mobile malware activity review
December 16, 2020
15.12 Components updated in Dr.Web 11.1 products for Unix
December 15, 2020
The products now support OpenSSL 1.1.1i.
The update is performed via the Dr.Web repository. If you encounter any problems when updating, please use the instructions from our previous news post to specify the additional repository for the Dr.Web software you’re using.
14.12 Components updated in Dr.Web 12.0 for Windows and Dr.Web Enterprise Security Suite 12.0
December 14, 2020
The module's routines have been optimised.
The update will be downloaded and installed automatically.
11.12 Phishing emails with RAT malware threaten corporate users
December 11, 2020
The samples can be divided into two groups:
- Self-extracting archives that contained the original Remote Utilities executable files and a malicious module loaded via DLL Hijacking. This module prevents the operating system from displaying the program’s windows and other signs of operation. Dr.Web detects it as BackDoor.RMS.180.
- Self-extracting archives that contained the original Remote Utilities installation module and a pre-configured MSI package that silently installs the remote access software and then sends a notification that it’s ready to be remotely connected to the server the attacker specified. Dr.Web detects it as BackDoor.RMS.181.
Attack scenario
Both groups of malware share the Remote Utilities software they deploy and the layout of the phishing emails. The emails are relatively well-written, lengthy Russian messages designed to entice recipients to open them and read about various topics of interest. Also noteworthy is that the malicious payload is password protected, while the password itself is attached to the same email in a text file. The password is the date on which the email was sent (in the examples below, written as DDMMYYYY).
Here’s an example of an email with a malicious attachment that uses DLL Hijacking.
This email is disguised as an official notification requesting the recipient appear at the Prosecutor's office for investigative actions in a criminal case. It has a fake digital signature, which is just a random string in Base64.
The attached archive contains a protected RAR archive and a text file with a password to it.
An automatic password is set to protect the privacy of this attachment: 02112020
The archive named “Электронная повестка.гаг" contains the dropper as a self-extracting RAR archive, which in turn contains BackDoor.RMS.180.
Below is an example of an email with an attachment that uses the MSI package.
This email, disguised as a notification from a transport company regarding cargo arrival, asks the recipient to specify the shipping address. This email also contains a fake digital signature.
“Документы.гаг” contains dummy documents in addition to an archive with the malicious payload (BackDoor.RMS.181) and a password.
Due to corporate security policy, this attachment is protected with an access code: 12112020
During our research, we also uncovered a phishing email containing a link to a dropper that launched the Remote Utilities installation from a configured MSI package (detected by Dr.Web as BackDoor.RMS.187). This email delivered a different malicious module using another infection method.
This email is disguised as a message from a job seeker with an attached CV. The "CV_resume.rar” attachment is a link to a compromised website that redirects the user to another resource to download a malicious archive with BackDoor.RMS.187.
Analyzing the network infrastructure attackers used to distribute BackDoor.RMS.187 allowed us to unearth several more compromised websites and a sample of the Trojan.Gidra malware. According to our data, the program Dr.Web detected as Trojan.GidraNET.1 was used to initially penetrate the system through a phishing email with further capabilities to upload a backdoor that silently installs the Remote Utilities software on a compromised computer.
For a detailed description of the malware used and how it works, see the Dr.Web Virus Library.
- BackDoor.RMS.180
- BackDoor.RMS.181
- BackDoor.RMS.187
- Trojan.GidraNET.1
Conclusion
Backdoors built on legitimate remote desktop software remain a threat and are still widely used in attacks on the corporate sector. Phishing emails, in turn, are the most common way of delivering payloads to targeted computers. Password-protecting the archived payload is a distinctive feature of these malicious attachments: a mail server’s built-in scanner cannot open an encrypted archive, so the message passes through. Another marker is the presence of a text file with the password to the bogus archive. Finally, the malicious library loaded through DLL Hijacking ensures the unauthorized remote access software runs silently.
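The two markers this article singles out in the attack scenario and again in the conclusion, an encrypted archive plus a text file (or body line) carrying a password derived from the sending date, can be checked at the mail gateway without ever opening the archive. The script below is an added example for this page, not Doctor Web's code or a Dr.Web component: it parses an .eml with only the Python standard library, derives password candidates from the Date header, looks for them in text attachments and the body, and checks whether an attached archive advertises encryption in its outer headers. The message it runs on is constructed in the script (addresses at example.invalid, a RAR 4 header stub rather than a real archive). The RAR check only reads the main-header MHD_PASSWORD flag, which is set when the archive was created with encrypted headers; archives with per-file encryption only would need a full header walk, and the script reports those as undetermined.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.utils import parsedate_to_datetime

ARCHIVE_MAGIC = (
    (b"Rar!\x1a\x07\x01\x00", "rar5"),
    (b"Rar!\x1a\x07\x00", "rar4"),
    (b"PK\x03\x04", "zip"),
)


def date_passwords(msg) -> set:
    """Candidates from the Date header: DDMMYYYY as in the article, plus two common variants."""
    if msg["Date"] is None:
        return set()
    dt = parsedate_to_datetime(str(msg["Date"]))
    return {dt.strftime("%d%m%Y"), dt.strftime("%d.%m.%Y"), dt.strftime("%Y%m%d")}


def archive_kind(blob: bytes):
    return next((kind for magic, kind in ARCHIVE_MAGIC if blob.startswith(magic)), None)


def archive_encrypted(kind: str, blob: bytes):
    """True when encryption is visible in the outer headers, None when undetermined."""
    if kind == "zip":
        try:
            with zipfile.ZipFile(io.BytesIO(blob)) as zf:
                return any(zi.flag_bits & 0x1 for zi in zf.infolist())  # bit 0: entry encrypted
        except zipfile.BadZipFile:
            return None
    if kind == "rar4" and len(blob) >= 12:
        # MAIN_HEAD follows the 7-byte marker block: CRC(2) type(1) flags(2) size(2).
        flags = int.from_bytes(blob[10:12], "little")
        return True if flags & 0x0080 else None  # MHD_PASSWORD; per-file encryption needs a full walk
    return None


def triage(raw: bytes) -> dict:
    msg = email.message_from_bytes(raw, policy=policy.default)
    candidates = date_passwords(msg)
    archives, password_files = [], []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        content = part.get_content()
        if isinstance(content, bytes):
            kind = archive_kind(content)
            if kind:
                archives.append({"name": name, "kind": kind,
                                 "encrypted": archive_encrypted(kind, content)})
        elif isinstance(content, str):
            found = sorted(p for p in candidates if p in content)
            if found:
                password_files.append({"name": name, "matches": found})
    body = msg.get_body(preferencelist=("plain",))
    body_text = body.get_content() if body is not None else ""
    password_in_body = sorted(p for p in candidates if p in body_text)
    return {
        "date_passwords": sorted(candidates),
        "archives": archives,
        "password_files": password_files,
        "password_in_body": password_in_body,
        # Both markers from the article present: an archive plus a date-derived password beside it.
        "suspicious": bool(archives) and bool(password_files or password_in_body),
    }


# Constructed RAR 4.x header stub: enough for archive_kind/archive_encrypted, not a real archive.
FAKE_RAR = (b"Rar!\x1a\x07\x00"                 # marker block
            + b"\x00\x00"                       # MAIN_HEAD CRC (not validated here)
            + b"\x73"                           # block type MAIN_HEAD
            + (0x0080).to_bytes(2, "little")    # flags: MHD_PASSWORD (encrypted headers)
            + (13).to_bytes(2, "little")        # header size
            + b"\x00" * 6)                      # reserved bytes


def build_sample_eml() -> bytes:
    """Constructed message mirroring the first lure: archive plus a text file with the date password."""
    msg = EmailMessage()
    msg["From"] = "notice@example.invalid"
    msg["To"] = "accounting@example.invalid"
    msg["Date"] = "Mon, 02 Nov 2020 09:12:44 +0300"
    msg["Subject"] = "Summons for investigative actions"
    msg.set_content("Please see the attached electronic summons.")
    msg.add_attachment(FAKE_RAR, maintype="application", subtype="vnd.rar", filename="summons.rar")
    msg.add_attachment("An automatic password is set to protect the privacy of this attachment: 02112020\n",
                       filename="password.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    print(triage(build_sample_eml()))
```

The Date header is attacker-controlled, which is exactly why it works here: the sender sets both the header and the password from the same clock. Received headers are a sturdier source if the two disagree by a day. Treat a hit as a reason to quarantine for detonation, not as a verdict; legitimate senders also ship encrypted archives with the password in the same message.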
10.12 Meet Dr.Web vxCube 1.5.0!
December 10, 2020
YARA rules
The YARA rules section is the main innovation in Dr.Web vxCube 1.5.0. With the rules, you can specify file analysis criteria, tag particular threat types automatically, and indicate a threat severity level for the files being analysed.
Take advantage of the advanced YARA features and you will be able to utilise all the data that passes through the analyser, including:
- File behaviour information;
- Registry entries in use;
- Types of files that the sample has created (src, dump, drop, alloc, etc.) and much more.
In addition to the custom rules you add, in a new section, you will also be able to access the rules created by Doctor Web's malware researchers.
Report filters
You can now add tags to analysis report pages. This option is available for each operating system involved in the analysis. The tags are displayed in the journal and can be used to filter reports.
New user profile
The profile now lets you specify default analysis settings. The parameters you can define include:
- File execution duration;
- The operating system versions under which the file will be examined;
- The report archive password;
- Passwords for archives containing files to be analysed.
In addition, users can now see the existing API keys and create a new one as well as change their account password.
Email attachment and archive analysis
The service's API can now be used to analyse EML files and archives. The supported formats include: ZIP, ARJ, XZ, ACE, TAR, BZ2, CAB, GZ, RAR, 7z.
Keep the original filename or change it
In previous Dr.Web vxCube versions, analysed files were renamed automatically in the virtual environment. In the latest version, the file name remains unchanged by default. However, you can rename the file you are uploading.
Upgraded hypervisor
The hypervisor boasts more stable operation and has had its known issues resolved.
Dr.Web vxCube will be updated to version 1.5.0 on December 13 (Sunday) between 8 a.m. and 9 a.m. GMT. The service will be unavailable during this period.
To purchase a license, please contact our sales support service.
With a Dr.Web vxCube trial license, available here, you can examine 10 objects during the course of 10 days.
09.12 Dr.Web Security Space for Android updated to version 12.6.6
December 9, 2020
Change log:
- Defects that prevented the anti-virus from operating normally in the centralized protection mode have been corrected;
- An issue that might cause the application to terminate abnormally has been fixed;
- Routines for detecting certain threat modifications have been upgraded;
- Minor tweaks and upgrades have been introduced.
If you downloaded the Dr.Web application from Google Play, the updates will be downloaded and installed automatically. If you’ve disabled automatic updating on your device, go to Google Play, select the Dr.Web Security Space or Dr.Web Security Space Life icon in the application list, and tap "Update”.
To update via the Doctor Web site, you need to download a new distribution file.
07.12 Components updated in Dr.Web 11.5 products for Windows and Dr.Web Enterprise Security Suite 11.0
December 7, 2020
Changes made to Dr.Web Updater:
- An issue preventing Dr.Web Security Space 11.5 and Dr.Web Anti-virus 11.5 from upgrading to version 12.0 automatically if a trial license was being used has been resolved.
Changes made to Lua-script for updater:
- An issue preventing Dr.Web Security Space 11.5 and Dr.Web Anti-virus 11.5 from upgrading to version 12.0 automatically if a serial number was unavailable has been resolved.
Changes made to Dr.Web Anti-rootkit API:
- A system freezing issue that could occur while a computer was being scanned has been eliminated.
Changes made to the Dr.Web for Outlook Plugin:
- A defect causing messages to be deleted while they were being moved to the quarantine has been eliminated.
Changes made to Dr.Web Enterprise Agent for Windows setup:
- A simplified Dr.Web Enterprise Security Suite installation procedure is now available in systems in which Dr.Web 12.0 software for Windows has already been installed;
- Dr.Web 11.5 can no longer be installed in unsupported systems (Windows ARM64).
A system restart will be required to update Dr.Web 11.5 for Windows software. Dr.Web Enterprise Security Suite 11.0 will be updated automatically.