All the news Subscribe to news
04.03 Study of the Spyder modular backdoor for targeted attacks
March 4, 2021
We already came across the malware Winnti uses when we studied the ShadowPad backdoor samples that we found in the compromised network of a state institution in Kyrgyzstan. In addition, earlier in the same network, we found another specialized backdoor called PlugX, which has many intersections with ShadowPad in the code and network infrastructure. A separate material was devoted to the comparative analysis of both families.
In this study, we analyze the uncovered malicious module, explore its algorithms and features, and define its connection with other well-known tools of the Winnti APT group.
Main features
On the infected device, the malicious module was located in the system directory C:\Windows\System32 as oci.dll. Thus, the module was prepared for launch by the MSDTC (Microsoft Distributed Transaction Coordinator) system service using the DLL Hijacking method. According to our data, the file got to the computers in May 2020, but the method of initial infection remains unknown. The Event Log contained records of the creation of services designed to start and stop MSDTC, as well as for the backdoor execution.
Log Name: System
Source: Service Control Manager
Date: 23.11.2020 5:45:17
Event ID: 7045
Task Category: None
Level: Information
Keywords: Classic
User: <redacted>
Computer: <redacted>
Description:
A service was installed in the system.
Service Name: IIJVXRUMDIKZTTLAMONQ
Service File Name: net start msdtc
Service Type: user mode service
Service Start Type: demand start
Service Account: LocalSystem
Log Name: System
Source: Service Control Manager
Date: 23.11.2020 5:42:20
Event ID: 7045
Task Category: None
Level: Information
Keywords: Classic
User: <redacted>
Computer: <redacted>
Description:
A service was installed in the system.
Service Name: AVNUXWSHUNXUGGAUXBRE
Service File Name: net stop msdtc
Service Type: user mode service
Service Start Type: demand start
Service Account: LocalSystem
We also found traces of other services running that had random names. Their files were located in directories like C:\Windows\Temp\<random1>\<random2>>, where random1 and random2 are strings of random length and random Latin characters. At the time of the study, these services’ executable files were missing.
An interesting find was a service that indicates the use of a smbexec.py utility for remote code execution from the Impacket set. The attackers used this tool to establish remote access to the command shell in a semi-interactive mode.
The studied malicious sample was added to the Dr.Web virus database as BackDoor.Spyder.1. In one of the discovered Spyder samples, the debug logging functions and messages remained. Messages used when communicating with the C&C server contained the string "Spyder".
The backdoor is notable for a number of interesting features. First, oci.dll contains the main PE module, but with missing file signatures. Erasing the header signatures was presumably done to obstruct the backdoor detection in the device's memory. Secondly, the payload itself does not carry malicious functionality, but serves to load and coordinate additional plug-ins received from the С&С server. With these plug-ins, the backdoor performs its main tasks. Therefore, this family has a modular structure, just like the other backdoor families used by Winnti — the previously mentioned ShadowPad and PlugX.
Analysis of Spyder's network infrastructure revealed a link to other Winnti attacks. In particular, the infrastructure used by the Crosswalk and ShadowPad backdoors described in the Positive Technologies study corresponds with some of the Spyder samples. The graph below clearly shows the identified intersections.
For a detailed description of BackDoor.Spyder.1 and how it works, see the PDF-version of the study or the Doctor Web Virus Library.
Conclusion
The analyzed sample of BackDoor.Spyder.1 is notable primarily because its code does not perform direct malicious functions. Its main tasks are to covertly operate within the infected system and establish communication with the control server and then wait for operator commands. At the same time, it has a modular structure that allows the operator to scale its capabilities, providing any functionality depending on the needs of the attackers. The plug-ins make the considered sample similar to ShadowPad and PlugX, which, together with the intersections in their network infrastructures, allows us to conclude that it is used by Winnti.
March 1, 2021
Throughout this spring the opportunity will remain to convert your earned virtual awards into discounts and get a new license for Dr.Web Security Space (PC/Mac), Dr.Web Security Space for Mobile or Dr.Web KATANA — at 20%, 30%, or 50 % off.
We invite all Dr.Web community members who still have some Dr.Weblings to spend to take advantage of this opportunity. Bear in mind that the products on display in our eStore are never sold out! And don't forget: a Dr.Web license can be activated at any moment, no matter how long ago you purchased it.
As an important aside, you can use a standard Dr.Web Security Space license (PC/Mac) to renew your previous license and, by doing so, also have 150 bonus days added to your new license period as soon as you register the license. And, the anti-virus for Android-powered gadgets comes completely free with this license!
However, if for some reason you don't need to renew your license, you can help your loved ones keep their computers safe by gifting them a discount certificate. Let your Dr.Weblings work for those you hold dear.
Important! To exchange your Dr.Webling award points for discounts, you need to sign in under your account on Doctor Web's site. And remember: After May 31, all of your unspent Dr.Weblings will expire.
Thank you for choosing Dr.Web!
25.02 Components updated in Dr.Web 12.0 products for Windows
February, 25 2020
Changes made to Dr.Web Anti-rootkit API:
- A compatibility issue involving Valorant's anti-cheat software Vanguard has been resolved;
- Also addressed was an issue that might cause errors involving Promise FastTRAK RAID controllers.
Dr.Web Firewall for Windows driver:
- A high memory usage issue involving peer-to-peer applications has been addressed;
- A defect that might cause errors if Logitech G Hub software was being used in the system has been resolved.
Changes made to Dr.Web Firewall for Windows and to Dr.Web Net filtering Service:
- Application security has been improved.
The update will be performed automatically; however, a system reboot will be required.
24.02 Doctor Web’s January 2021 review of virus activity on mobile devices
February 24, 2021
In January, Dr.Web anti-virus products for Android detected 11.32% less threats on protected devices compared to December, 2020. The number of observed malware decreased by 11.5% and adware by 15.93%. At the same time, the number of detected unwanted apps and riskware increased by 11.66% and 7.26% respectively. According to gathered statistics, the most common threats for users were adware trojans and malware designed to download other software and execute arbitrary code.
Throughout January, Doctor Web malware analysts uncovered a large number of threats on Google Play. Numerous modifications of the
With that, our specialists have observed new attacks involving banking trojans. One of them was found in a fake banking app available on Google Play while others were spread through malicious websites created by cybercriminals.
PRINCIPAL TRENDS IN JANUARY
- A decreased number of threats detected on Android devices
- The discovery of a large number of malware and unwanted apps on Google Play
Threat of the month
At the beginning of January, Doctor Web malware analysts found a number of apps with built-in
Examples of software that were found to contain these adware modules are shown below:
Examples of websites they load:
Web pages of various referral programs that redirect users to the apps hosted on Google Play are often loaded by
Doctor Web malware analysts found that at least 21 apps had these adware modules built into them. The conducted research indicated that owners of these apps and the developers of
The list of the apps containing the
| Name of the packet | Presence of the Adware.NewDich module | The app was removed from Google Play |
|---|---|---|
| com.qrcodescanner.barcodescanner | Was present in last relevant 1.75 version | Yes |
| com.speak.better.correctspelling | Present in relevant 679.0 version | No |
| com.correct.spelling.learn.english | Present in relevant 50.0 version | No |
| com.bluetooth.autoconnect.anybtdevices | Present in relevant 2.5 version | No |
| com.bluetooth.share.app | Present in relevant 1.8 version | No |
| org.strong.booster.cleaner.fixer | Absent in relevant 5.9 version | No |
| com.smartwatch.bluetooth.sync.notifications | Absent in relevant 85.0 version | No |
| com.blogspot.bidatop.nigeriacurrentaffairs2018 | Present in relevant 3.2 version | No |
| com.theantivirus.cleanerandbooster | Absent in relevant 9.3 version | Нет |
| com.clean.booster.optimizer | Absent in relevant 9.1 version | No |
| flashlight.free.light.bright.torch | Absent in relevant 66.0 version | No |
| com.meow.animal.translator | Absent in relevant 1.9 version | No |
| com.gogamegone.superfileexplorer | Absent in relevant 2.0 version | No |
| com.super.battery.full.alarm | Absent in relevant 2.2 version | No |
| com.apps.best.notepad.writing | Absent in relevant 7.7 version | No |
| ksmart.watch.connecting | Absent in relevant 32.0 version | No |
| com.average.heart.rate | Absent in relevant 7.0 version | No |
| com.apps.best.alam.clocks | Absent in relevant 4.7 version | No |
| com.booster.game.accelerator.top | Absent in relevant 2.1 version | No |
| org.booster.accelerator.optimizer.colorful | Absent in relevant 61.0 version | No |
| com.color.game.booster | Absent in relevant 2.1 version | No |
Features of
- It is built into full-featured software to hide from users and not arouse any suspicion.
- The activity develops with a delay (up to several days) after the hosting applications are installed and launched.
- Promoted websites loading is performed when the apps containing these modules are closed and users are not interacting with or using them for some time.
- The malicious actors constantly monitor if anti-virus software detects the modules and promptly make changes to them to release new versions to counter the detection.
According to statistics collected by Dr.Web for Android
Android.RemoteCode .284.origin- A malicious application that downloads and executes arbitrary code. Depending on its modification, it can load various websites, open web links, click on advertising banners, subscribe users to premium services and perform other actions.
Android.HiddenAds .1994Android.HiddenAds .518.origin- Trojans designed to display obnoxious ads and distributed as popular applications. In some cases, they can be installed in the system directory by other malware.
Android.Triada .510.origin- A multifunctional trojan performing various malicious actions. This malware belongs to the trojan family that infects other apps’ processes. Some modifications of this family were found in the firmware of Android devices, which attackers implanted during manufacturing. Some of them can also exploit various vulnerabilities to gain access to the protected system files and folders.
Android.Click .348.origin- A malicious application that loads websites, clicks on banner ads, and follows links. It can be distributed as harmless programs without arousing suspicion among users.
Program.FreeAndroidSpy .1.originProgram.NeoSpy .1.originProgram.Mrecorder .1.originProgram.Reptilicus .7.origin- Software that monitors Android user activity and may serve as a tool for cyber espionage. These apps can track device locations, collect information from SMS and social media messages, copy documents, photo and video, spy on phone calls, etc.
- Program.FakeAntiVirus.2.origin
- The detection name for adware programs that imitate anti-virus software. These apps inform users of non-existing threats, mislead them and demand they purchase the full version of the software.
Program.CreditSpy .2- The detection name for programs designed to assign credit ratings to users based on their personal data. These applications upload SMS, contact information from phonebooks, call history and other information to the remote server.
Tool.SilentInstaller .6.originTool.SilentInstaller .7.originTool.SilentInstaller .13.originTool.SilentInstaller .14.origin- Riskware platforms that allow applications to launch APK files without installation. They create a virtual runtime environment that does not affect the main operating system.
Tool.Obfuscapk .1- The detection name for applications protected by the Obfuscapk obfuscation tool. This tool is used to automatically modify and scramble Android apps’ source code to make reverse engineering more difficult. Cybercriminals use the tool to protect malicious applications from being detected by anti-virus programs.
Program modules incorporated into Android applications and designed to display obnoxious ads on Android devices. Depending on their family and modifications, they can display full screen ads and block other apps’ windows, show various notifications, create shortcuts and load websites.
Adware.Adpush .36.originAdware.Adpush .6547Adware.Adpush .16896- Adware.Myteam.2.origin
Adware.Overlay .1.origin
Threats on Google Play
In addition to apps with built-in
Similar to other trojans of this type, which were discovered earlier, current modifications loaded fraudulent websites where potential victims were informed about the supposed payouts from the government. To “receive” the money, users were asked to provide their personal information, as well as to pay for the lawyers’ time, document preparation, and tax or fees for transferring the money to the bank account. In fact, victims didn’t receive any funds, but cybercriminals did steal their confidential information and money.
In addition, some modifications of these malicious apps periodically displayed notifications where users were also informed about available “payouts” and “compensations”. In this way, malicious actors tried to attract additional attention from potential victims so they would visit the fraudulent websites more often.
Examples of websites various modifications of the
The examples of fraudulent notifications with the information about “payouts” and “compensations” displayed by these malicious apps:
Moreover, other multifunctional trojans from the
A new banking trojan dubbed
Upon installation and launch, the trojan requested access to the Accessibility Service function of the Android OS—allegedly to continue working with the app. In fact, it needed the requested functionality to automatically perform malicious actions. If a victim agreed to provide the necessary system privileges, the banker received control over the infected device and could click on various menu elements, buttons, read the contents of other apps’ windows, etc.
Banking trojans
Alongside banking trojans found on Google Play, Android device owners were targeted by bankers that spread through the malicious websites. For example, Doctor Web specialists observed other attacks on Japanese users where trojans from various banking malware families were involved. The
To protect your Android device from malware and unwanted programs, we recommend installing Dr.Web for Android.
Your Android needs protection.
Use Dr.Web
- The first Russian anti-virus for Android
- Over 140 million downloads—just from Google Play
- Available free of charge for users of Dr.Web home products
February 24, 2021
Changes affecting both products:
- Adjustments have been made to ensure that the applications work properly on devices running Android 11;
- An issue that could cause the applications to terminate abnormally while files were being downloaded has been resolved;
- The maximum allowed file size for the files that users can submit for examination in the anti-virus laboratory has increased;
- Other minor adjustments and tweaks have also been made.
Changes affecting Dr.Web Security Space for Android:
- An Anti-theft issue involving status updates for buddies requests has been resolved;
- Adjustments have been made to ensure that the application works properly in centralised protection mode;
- Also eliminated was an issue causing the Anti-theft to lock some device models whenever a system clean-up was initiated;
- A defect causing the Anti-theft to lock devices on the system settings screen has been eliminated;
- The update also changes the way the Anti-theft uses location data.
If you downloaded the Dr.Web application from Google Play, the updates will be downloaded and installed automatically. If you’ve disabled automatic updating on your device, go to Google Play, select Dr.Web Security Space, Dr.Web Security Space Life or Dr.Web Anti-virus Light on the application list, and click "Update”.
To update via the Doctor Web site, you need to download a new distribution file. If you’ve enabled the “New app version” option in the settings, a notification will be displayed whenever the virus databases are updated. You can start the download directly from this dialogue box. Important! Under Android 11, updating cannot be initiated from a dialogue box. To apply the update, you will need to download the latest application version manually.
24.02 Doctor Web’s January 2021 virus activity review
February 24, 2021
Our January analysis of Dr.Web’s statistics revealed a 4.92% increase in the total number of threats compared to the previous month. The number of unique threats also increased by 13.11%. Adware and malware browser extensions still occupy the top spot for detected threats. Various modifications of the AgentTesla stealers, a backdoor written in VB.NET and malicious programs exploiting vulnerabilities in Microsoft Office utilities were the most frequently detected malicious software in email traffic.
In January, the number of user requests to decrypt files affected by encoders increased by 29.27% compared with December.
Principal trends in January
- Growth in malware spreading activity
- Adware remain among the most active threats
- An increase in the number of requests to decrypt files affected by encoders
According to Doctor Web’s statistics service
The most common threats in January:
- Adware.Elemental.17
- Adware that spreads through file sharing services as a result of link spoofing. Instead of normal files, victims receive applications that display advertisements and install unwanted software.
- Trojan.BPlug.3867
- A malicious browser extension designed to perform web injections into viewed webpages and block third-party advertisements.
- Adware.SweetLabs.4
- An alternative app store and add-on for Windows GUI from the creators of Adware.Opencandy.
- Adware.Softobase.15
- Installation adware that spreads outdated software and changes the browser settings.
- Adware.Downware.19629
- Adware that often serves as an intermediary installer of pirate software.
Statistics for malware discovered in email traffic
Trojan.Siggen11.57608 - A modification of the stealer malware, known as AgentTesla. It can be used as a keylogger and is designed to steal confidential data.
- Trojan.Packed2.42809
- One of the many modifications of the AgentTesla stealer, obfuscated by a packer tool.
- W97M.DownLoader.2938
- A family of downloader trojans that exploits vulnerabilities in Microsoft Office documents and can download other malicious programs onto a compromised computer.
- BackDoor.SpyBotNET.25
- A backdoor written in VB.NET and designed to operate with a file system (to copy, create, delete catalogs, etc.), terminate processes, and take screenshots.
Trojan.SpyBot.699 - A multi-module banking trojan that allows cybercriminals to download and launch various applications on an infected device and run arbitrary code.
Encryption ransomware
In January, Doctor Web’s virus laboratory registered 29.27% more requests to decode files encoded by trojan ransomware than in December.
Trojan.Encoder.26996 — 24.11%Trojan.Encoder.567 — 13.10%- Trojan.Encoder.29750 — 7.44%
- Trojan.Encoder.11549 — 2.08%
- Trojan.Encoder.30356 — 1.49%
Dr.Web Security Space for Windows protects against encryption ransomware
Dangerous websites
During January 2021, Doctor Web Internet analysts uncovered many fraudulent and phishing websites used by the cybercriminals to steal users’ money and personal data. The victims were most often propositioned to receive some nonexistent payment from the state or a remittance from a private individual. In all cases, a commission was required to receive the payments.
This is a snapshot of the fraudulent webpage. It invites a victim to receive a fake payment and claims that the amount has been transferred to an “internal” account. The trick is that the user has to pay a fee first in order to complete the transfer.
Also in January, analysts discovered several fake banking websites. The fraudsters registered the websites in the “.рф” domain and used the same template to create the same type of webpages that differ only in the fictitious names of the banks. These bogus resources were used to steal funds from the accounts of gullible users.
This is a snapshot of nonexistent bank’s website. A user can browse the clickable sections and read the contents.
In January, Doctor Web specialists also detected numerous fake online payment services that were used in conjunction with fraudulent marketplaces and allowed cybercrooks to steal not only money, but also users ' bank card data.
Malicious and unwanted programs for mobile devices
The total number of January threats on Android devices decreased by 11.32% compared to the previous month. With that, the malicious applications that can download other software and execute arbitrary code, as well as trojans that showed ads were among the most common mobile threats.
During the month, Doctor Web’s virus analysts identified many malicious apps of the
These modules loaded various websites in the browser, which could include both harmless and malicious resources, as well as webpages with ads.
The banking trojans were also active. One of them was discovered in Google Play and the others were distributed via malicious websites.
The following January events related to mobile malware are the most noteworthy:
- A decline in malware activity on protected devices
- The emergence of many new malicious and unwanted programs in the Google Play catalog.
Find out more about malicious and unwanted programs for mobile devices in our special overview.
Learn more with Dr.Web
24.02 An increase in malware activity and other events of January 2021
February 24, 2021
February 24, 2020
Throughout January, Doctor Web’s specialists uncovered new trojans and unwanted software spread on Google Play. Multifunctional trojans subscribing users to premium services, trojans designed to load scam websites, and apps with built-in adware modules were among them. Moreover, various banking trojans also attacked Android devices. Read more about these and other events in our January review.
22.02 Total security week: Get Dr.Web at up to 40% off!
February 22, 2021
This is a golden opportunity to ensure that all the desktops, laptops and mobile devices in your family can operate safely. Or, if you are in the habit of using multiple devices, you can cash in on this offer too. But it doesn't end there! Because Dr.Web is also a great gift!
The standard one-year license price for 3 PCs is EUR 53.90, but only during this week, you can get all of Dr.Web’s state-of-the-art security features at up to 40% off.
In addition to the 3 personal computers, 3 Android-powered devices will also enjoy reliable protection from all kinds of Internet threats, and 2 of the 3 PCs and all the gadgets will be protected free of charge. And if you choose to take advantage of this favourable moment to renew a Dr.Web license you already have (provided that its duration is three months or longer), you will also get an extra 150 days of protection completely for free.
Please note that you can only purchase Dr.Web Security Space on these favourable terms on the special promo page on Doctor Web's site. Don't miss this special offer:
19.02 Join forces with Doctor Web to beta test new version of Dr.Web for business
February 19, 2021
That being said, Doctor Web still strives to make its solutions as user-friendly as possible. With that in mind, public beta testing is now underway. Join the ranks of beta testers and grab this unique opportunity to interact directly with Dr.Web developers. See for yourself how the anti-virus is made and make a sizable contribution towards the creation of this flagship anti-virus solution for business.
As customers eagerly await the upcoming release of Dr.Web Enterprise Security Suite 13.0, Doctor Web welcomes inquisitive beta testers and is already preparing gifts for the biggest contributors.
Let's take a quick look at how Dr.Web Enterprise Security Suite 13.0 improves on its predecessors.
In response to customer requests, version 13 incorporates features that allow for even better integration with process control systems, including critical infrastructures:
- The ability to allocate precisely the CPU and memory usage for the anti-virus scanner;
- The option to lower the priority for tasks related to collecting additional information on protected hosts;
- The ability to lower the bandwidth for connections between a proxy server and the centralised administration server.
All these features are particularly important for systems involved in various technological processes for which it is critical that a fast response time be maintained and CPU usage and the anti-virus’s memory footprint be kept to a minimum.
Easy to use. Dr.Web Enterprise Security Suite is packed with cutting-edge technologies, and all these state-of-the art features are actually easy to control—thanks to the Control Center. Your vast network may connect computers in multiple branch offices (as is the case with Russia’s country-wide election infrastructure, which Dr.Web has been protecting for years). Version 13 also incorporates innovations that will benefit system administrators. Thanks to the new layout in the Control Center's anti-virus network view, managing a large number of objects has gotten easier.
Available across multiple platforms. Compatibility with various versions of Windows and Linux, as well as with macOS, is another major advantage of Dr.Web. A protected infrastructure may connect all sorts of computers running different operating systems. And, whereas previously Dr.Web was only easy and quick to deploy under Windows, version 13 boasts easy deployment options for Linux as well. Installing and managing the anti-virus software on protected hosts is now much easier. Dr.Web Agent can be installed on Linux machines via the Control Center or using a special utility.
Flexible settings. With the Dr.Web Control Center, protected hosts can be organised in groups matching the actual structure of your company. And then the anti-virus software can be fine-tuned for each of these groups. The system administrator can also take advantage of Office Control and determine which sites and network resources should be available to the employees in each specific group. In version 13, Office Control lets you manage settings for each user group and control which removable media are accessible on user computers. You can also take advantage of an extended list of unwanted site categories to prevent employees from visiting certain sites.
All in all, the new Dr.Web Enterprise Security Suite version is packed with new features, tweaks, and upgrades. You can find more information about version 13 here: And all these innovations are highly anticipated by users and make this solution even more appealing to prospective customers. With this in mind, Doctor Web is committed to ensuring that before the official release date, all the features work exactly as expected, the user experience is completely trouble-free, and any shortcomings are discovered and corrected. Therefore, we invite all users to test this innovative solution, and we look forward to hearing what you like and don't like about the new version and what you think Doctor Web can do to make it even better. And, as is customary, the most active contributors are in for a reward. This time around the five most active beta testers will receive Dr.Web-branded hoodies!
To beta test Dr.Web Enterprise Security Suite 13.0, follow this link:https://beta.drweb.com/?lng=en. Please note that registration is required to access the beta section of our website.
.
17.02 Components updated in Dr.Web 12.0 products for Windows
17 February 2021
Changes made to Lua-script for updater:
- On Windows Vista, Windows 7, and Windows Server 2008/2008R2 computers, Dr.Web software components, except the virus databases, can no longer be updated (even via an update mirror) if OS system updates ensuring SHA-256 support have not been installed on them.
Changes made to Dr.Web Security Space setup, Anti-virus for Windows setup and Anti-virus for Windows servers setup:
- Dr.Web Security Space 12.0 and Dr.Web Anti-virus 12.0 can no longer be installed under Windows Vista and Windows 7, and Dr.Web Anti-virus 12.0 for Windows Servers cannot be installed under Windows Server 2008/2008R2 if an operating system update providing SHA-256 support has not been installed;
- An issue that might prevent the applications from being installed from a network drive has been fixed;
- Also resolved was a defect causing the Modify and Remove setup dialogue to use a different language (other than the current application language).
The user guides for Dr.Web Security Space 12.0 and Dr.Web Anti-virus 12.0, as well as the administrator manual for Dr.Web Anti-virus 12.0 for Windows Servers, have also been updated.
The update will be downloaded and installed automatically. The changes, which resolve the network drive installation issue and make it impossible to install the software in systems lacking SHA-256 support, will take affect after the respective software distributions are updated.
Important: to ensure that the Dr.Web software operates correctly under Windows Vista, Windows 7, Windows Server 2008 or Windows Server 2008 R2, Microsoft security updates providing SHA-256 support must be installed in the systems. For additional information, please refer to this guide.
17.02 Dr.Web CureIt! updated
February 17, 2021
The utility now uses the latest versions of Dr.Web Scanning Engine (12.6.2.202011180) and Dr.Web Anti-rootkit API (12.5.18.202101211).
12.02 Components updated in Dr.Web 11.1 products for Unix-like systems
February 16, 2021
Changes affecting Dr.Web Anti-virus 11.1 for Unix Mail Servers, Dr.Web Anti-virus 11.1 for Linux, Dr.Web Anti-virus 11.1 for Unix Server and Dr.Web Anti-virus 11.1 for Internet gateways Unix
drweb-cloudd and drweb-update:
- The modules' manual has been updated.
drweb-configd:
- An issue affecting the formation of drweb-linuxfirewall rules when external data sources were used has been resolved
- Component integrity validation routines have been optimised.
- The modules drweb-gated and drweb-maild can now be used more efficiently while the virus databases are being updated;
- The software now runs more efficiently in ES-mode in systems using the ARM64 architecture;
- Routines determining the certificate store location have been optimised;
- An issue causing the "" value for time and size parameters to be interpreted as zero has been resolved;
- Command line help information is now more concise;
- Also resolved was a defect causing incorrect drweb-httpd status information to appear under certain circumstances;
- An issue that might cause drweb-configd to terminate abnormally has been addressed.
drweb-ctl:
- Now the drweb-ctl rawscan command can be used in centralised protection mode;
- The MaxSizeToExtract option is available for scanning commands;
- The drweb-ctl output now includes additional information;
- A command enabling users to check drweb-lookupd parameters has been added;
- The software now checks whether a password has been specified whenever a server connection is being established or a new group member is being added;
- Also addressed was an issue that might prevent users from logging in under Linux Solus after Dr.Web for Linux had been installed.
drweb-engine:
- The anti-virus engine version has been updated.
drweb-filecheck:
- The MaxSizeToExtract option is available for scanning commands.
drweb-meshd:
- The UDP broadcast method can now be used to look for a MeshD server;
- The IPv6 protocol is now supported.
drweb-netcheck:
- Now only basic information is logged at the INFO level.
Changes affecting Dr.Web 11.1 for Unix Mail Servers, Dr.Web 11.1 for Unix Server, and Dr.Web Anti-virus 11.1 for Internet gateways Unix
drweb-clamd:
- The module’s manual has been updated.
drweb-httpd and drweb-httpd-bin:
- The web-console now works properly while the virus databases are being updated.
Changes affecting Dr.Web 11.1 for Unix Mail Servers, Dr.Web 11.1 for Linux, and Dr.Web Anti-virus 11.1 for Internet gateways Unix
drweb-gated:
- An issue that might prevent malicious code from being detected in a message body has been resolved;
- Routines facilitating communication with drweb-maild have been optimised;
- The component can now interact with drweb-urlcheck.
Changes affecting Dr.Web 11.1 for Unix Mail Servers and Dr.Web Anti-virus 11.1 for Linux
drweb-maild:
- SPF (Server Policy Framework) verification is now available;
- Support has been added for a new cryptographic signature method (RFC 8463) for DomainKeys Identified Mail;
- Recompression routines have been optimised for emails containing threats;
- The application logs now provide more detailed information;
- Now lua api can be used to facilitate SPF (Server Policy Framework) verification.
Changes made to Dr.Web Anti-virus for Linux and Dr.Web for UNIX Server
drweb-spider:
- The module’s manual has been updated.
drweb-spider-kmod:
- Adjustments have been made to make the software compatible with Astra Linux SE.
Changes affecting Dr.Web 11.1 for Unix Mail Servers and Dr.Web Anti-virus 11.1 for Internet gateways Unix
drweb-lookupd:
- The module’s manual has been updated.
Changes affecting Dr.Web Anti-virus 11.1 for Linux
drweb-session:
- An issue preventing Linux SpIDer from detecting threats on PCs running Astra Linux SE if the user was logged into the system using the lowest security clearance.
Changes affecting Dr.Web 11.1 for Internet gateways Unix:
drweb-icapd:
- The module’s manual has been updated.
Changes affecting Dr.Web Anti-virus 11.1 for Unix Server
drweb-smbspider-daemon:
- The module’s manual has been updated.
The update is performed via the Dr.Web repository. If you encounter any problems when updating, please use the instructions from our previous news post to specify the additional repository for the Dr.Web software you’re using.
11.02 Dr.Web Mobile Control Center for Android updated to version 13.0.0
February 11, 2021
Changes made to the Mobile Control Center:
- Android 11 is now supported;
- Support for Dr.Web AV-Desk 13.0 has been added;
- Dr.Web AV-Desk documentation in PDF format can now be viewed on the server;
- The server drop-down list now also displays information about the connection protocols being used (HTTP or HTTPS) and the current user login;
- A Network window display issue has been resolved;
- Corrections have been made to the Mobile Control Center's message texts.
Go to Google Play to download the Dr.Web Mobile Control Center for Android for free and to learn about its features.
09.02 Dr.Web Enterprise Security Suite 12.0 updated
February 9, 2021
Improvements:
- The Dr.Web server now supports OpenSSL 1.1.1.
Issues resolved:
- A defect preventing the Dr.Web Agent for Linux from being updated to the latest version;
- An Oracle Database XE 11 initialisation error occurring after the Dr.Web server was installed;
- A database file import issue occurring when ithe file was imported via the Control Center (Administration → Database Management);
- A custom profile export error involving the Control Center (the Anti-virus Network section);
- An error involving multiple host entries being moved between groups with the mouse cursor in the Control Center's anti-virus network view;
- A defect preventing information about blocked devices and application control events from being added to log clean-up jobs in the Dr.Web server task scheduler;
- An issue preventing the Dr.Web proxy server from operating normally if different protocol versions were being used by the proxy-server and the Dr.Web server;
- A defect preventing administrators from signing in to the Control Center if the Dr.Web server was installed under Ubuntu 20.04;
- A defect causing the Dr.Web server service to freeze if IBM Tivoli's user-defined routines were being carried out;
- An issue that under certain circumstances could prevent old Dr.Web server database records from being removed;
- A defect causing an error message to appear in the Control Center (Administration → Dr.Web Server configuration) when changes were being saved;
- Additional minor tweaks and upgrades have also been introduced.
The updated distributions can be downloaded from Doctor Web's site and from the GUS servers.
More information on Dr.Web Enterprise Security Suite version 12.0, including system requirements and installation details, can be found in the release notes.
09.02 Track the status of your requests with Doctor Web's technical support bot
February 9, 2021
To configure tracking, do the following:
- Find the DrWebSupportBot account in Telegram or follow this link.
- In the bot's main menu, select "Connect to Dr.Web account". In this step, the bot will request an authorisation code that will link your Doctor Web account with your Telegram account.
- Then go to https://www.drweb.com/user/profile/authenticator/ to get an authorisation code.
- Copy the code and send it as a message to the bot.
Done—now you will receive notifications on all ticket status changes in the form of a bot notification. This option is available only for those tickets that were created after the authorisation code was entered.
You can unlink your account from the bot on your own by tapping "Disconnect from Dr.Web account" in the bot's menu.
February 3, 2021
Changes made to the Dr.Web Control Service:
- Malware detection information now appears in the Windows Event log.
Changes made to Lua-script main:
- The applications' security has been improved.
- Updating Thunderstorm Cloud Client SDK no longer requires a system restart.
Changes made to Lua-script for traffic-hook:
- A packet-filtering issue preventing new default settings from taking affect after the firewall component had been added to the existing installation has been resolved.
Changes made to Lua-script for spider-agent:
- Additional logging options are now available for certain event types.
Changes made to Dr.Web Enterprise Agent for Windows setup:
- A simplified installation procedure is now available in systems in which Dr.Web 12.0 software for Windows has already been installed.
The update will be downloaded and installed automatically.
28.01 Dr.Web Security Space for Android updated to version 12.6.7
January 28, 2021
The update resolves an issue preventing the URL-filter's list of unwanted site categories from being displayed properly.
If you downloaded the Dr. Web application from Google Play, the updates will be downloaded and installed automatically. If you’ve disabled automatic updating on your device, go to Google Play, select the Dr.Web Security Space or Dr.Web Security Space Life icon in the application list, and tap "Update”.
To update via the Doctor Web site, you need to download a new distribution file. If you’ve enabled the “New app version” option in the settings, a new version notification will be displayed whenever the virus databases are updated. You can start the download directly from this dialogue box.
January 25, 2021
Specifically, it resolves UEFI scanning issues that might cause the scanning service to terminate abnormally.
The update will be downloaded and installed automatically.
January 25, 2021
Changes made to Dr.Web for Outlook Plugin:
- A defect causing email attachments to be deleted if an error occurred while they were being moved to the quarantine has been eliminated.
Changes made to Dr.Web Updater:
- Now the GET method is used to update Dr.Web over a proxy server (HTTP) instead of CONNECT. This will help in situations when the CONNECT method is not allowed on a server.
The update will be performed automatically; however, a system reboot will be required.
20.01 Dr.Web CureIt! updated
January 20, 2021
Now Dr.Web CureIt! features the most up-to-date version of Dr.Web Anti-rootkit API (12.5.17.202012070).
January 20, 2021
Now the registration wizard displays up-to-date information about Dr.Web Security Space trial licenses.
The update will be downloaded and installed automatically.
19.01 Doctor Web’s overview of virus activity on mobile devices in 2020
January 19, 2020
In 2020, trojans allowing cybercriminals to generate illegal profit were among the most widespread Android malware. Malicious apps capable of downloading and executing arbitrary code, as well as trojans designed to download and install software without users’ knowledge and consent were among them. In addition, malware creators actively used various adware trojans and clicker trojans that loaded websites and clicked on web links.
Backdoors allowing attackers to remotely control infected devices and trojans turning Android gadgets into proxy servers for cybercriminals to redirect traffic also posed a serious threat.
Cyber espionage continues to remain relevant. In the last 12 months, Android device owners were targeted by numerous applications allowing the attackers to spy on them and control their actions. Many of these apps are not malicious alone, but do pose a potential threat since they can be used with or without users’ permission.
There were also new threats on Google Play which is the official app store and the source for other digital content for the Android OS. Google Play is considered to be the most reliable place to download software and games, but attackers are still able to spread malware and unwanted apps there. Numerous adware trojans, bogus apps, and malware that subscribed users to premium services and were capable of executing arbitrary code, were among the threats Doctor Web’s specialists uncovered on the platform. Moreover, banking trojans and applications with built-in unwanted adware modules were also spread through Google Play.
In 2020, malicious actors actively exploited the COVID-19 pandemic to spread malware. Amid worldwide troubles, banking trojans, ransomware, spyware trojans, fraudulent software and other threats were seen targeting Android users.
PRINCIPAL TRENDS IN 2020
- New threats on Google Play
- Various packers and utilities used to protect malware and unwanted apps
- New trojans utilizing different techniques to conceal malicious functionality
- Adware trojans and malicious downloaders prevail among threats detected on Android devices
Most notable events
In March, Doctor Web’s malware analysts uncovered the trojan dubbed
Throughout the year our malware analysts discovered other trojans from the same family as
In May, Doctor Web’s specialists traced the spread of the new modification of the
Already in December, Doctor Web reported on the
Over the past 12 months, Doctor Web’s specialists found numerous threats on the Google Play app store. Adware trojans from the
Using the pandemic to their benefit, cybercriminals actively spread various Android malware as legitimate and useful software.
In March, for example, users were attacked by the
In May, the
Another COVID-19-related spyware trojan, dubbed
Upon launching, however, the trojan only loaded the original website in its window and proceeded to spy on the victim. It sent various confidential information to cybercriminals, including SMS, location data, phone call logs and contacts. It could also record the surrounding environment using the device’s microphone, take pictures and record videos using the camera.
Many banking trojans were among the malware spread amid the pandemic.
Furthermore, some banking trojans were spreading under the guise of apps that could allegedly help users receive financial support from the government. Amid the pandemic and difficult financial situation related to it many countries did, in fact, allocate the money to support their citizens – and cybercriminals took advantage of this. For example, the
These bankers attempted to steal users’ logins and passwords to access their mobile banking accounts. To do so, the bankers displayed phishing windows on-top of legitimate banking software UI. Moreover, they were able to steal banking card information, intercept and send SMS, execute USSD commands, block the screen of the infected device and perform other malicious actions upon attackers’ commands.
During the pandemic, the topics of welfare allowances, payouts and compensation was also regularly exploited. In particular, scammers were actively spreading various modifications of the
This type of malware loaded fraudulent websites where users were asked to provide their personal information, allegedly to verify whether any payout or compensation was available. After that, websites imitated the database search and users were asked to provide their banking card information to pay a commission for the money “transfer” or to pay a fee for the documents “registration”. But in reality, victims didn’t receive any payout or compensations. They were just giving away their own money and providing cybercriminals with their confidential information.
Statistics
According to statistics collected by Dr.Web for Android anti-virus products, malicious applications were most often detected on Android devices. They accounted for 80.72% of the total number of identified threats. Adware with a 15.38% detection share was the second most common threat. Riskware ranked third as it was detected in 3.46% of cases. Potentially unwanted applications accounted for a mere 0,44% of all detections.
Trojans capable of downloading and executing arbitrary code, as well as downloading and installing other software, were among the most common malicious programs. They accounted for over 50% of the malware detected on Android devices. With that, various modifications of the
Adware trojans were among the most active threats as well. They accounted for almost a quarter of all malicious apps identified on protected devices. Numerous modifications of the
Android.RemoteCode .246.originAndroid.RemoteCode .6122Android.RemoteCode .256.origin- Malicious applications that download and execute arbitrary code. Depending on their modification, they can load various websites, open web links, click on advertisement banners, subscribe users to premium services and perform other actions.
Android.HiddenAds .530.originAndroid.HiddenAds .1994- Trojans designed to display obnoxious ads and distributed as popular applications. In some cases, they can be installed in the system directory by other malware.
Android.Triada .491.originAndroid.Triada .510.origin- Multifunctional trojans that perform various malicious actions. This malware belongs to the trojan family that infects other apps’ processes. Some modifications of this family were found in the firmware of Android devices that attackers implanted during manufacturing. Some of them can also exploit various vulnerabilities to gain access to protected system files and folders.
Android.Click .311.originAndroid.Click .334.originAndroid.Click .348.origin- Trojans that automatically load websites and click on links and banners. They can be spread as harmless apps so users don’t perceive them as threatening.
Applications that alerted Android users to nonexistent or fake threats and prompted them to buy the full version of software to “cure” their devices were some of the most common unwanted apps. Various spyware apps were also detected quite often.
Program.FakeAntiVirus .2.origin- The detection name for adware programs that imitate anti-virus software. These apps inform users of nonexistent threats, mislead them and demand they purchase full version software.
Program.FreeAndroidSpy .1.origin- Program.Mrecorder.1.origin
Program.SpyPhone .4.originProgram.MobileTool .2.originProgram.Reptilicus .7.originProgram.MonitorMinor .1.origin- Software that monitors Android user activity and may serve as a tool for cyber espionage. These apps can track device locations, collect information from SMS and social media messages, copy documents, photo and video, spy on phone calls, etc.
- Program.RiskMarket.1.origin
- An app store that contains trojan software and recommends users install it.
- Program.WapSniff.1.origin
- An Android program designed to intercept messages from WhatsApp.
Programs capable of downloading and running other apps without installing them were among the most common riskware. Dr.Web for Android anti-virus products also detected a large number of apps protected by special packers and obfuscators on Android devices. Cybercriminals often use these tools to protect malware and unwanted software from anti-viruses.
Tool.Obfuscapk .1- The detection name for applications protected by the Obfuscapk obfuscation tool. This tool is used to automatically modify and scramble Android apps’ source code to make reverse engineering more difficult. Cybercriminals use the tool to protect malicious applications from being detected by anti-virus programs.
Tool.SilentInstaller .6.originTool.SilentInstaller .14.originTool.SilentInstaller .11.originTool.SilentInstaller .13.originTool.SilentInstaller .7.originTool.SilentInstaller .10.originTool.VirtualApk .1.origin- Riskware platforms that allow applications to launch APK files without installation. They create a virtual runtime environment that does not affect the main operating system.
Tool.Rooter .3- A utility designed to obtain root privileges on Android devices. Ordinary users, cybercriminals and malware may all use it.
Tool.Packer .1.origin- A packer tool designed to protect Android applications from unauthorised modification and reverse engineering. This tool is not malicious itself, but it can be used to protect both harmless and malicious software.
The most widespread adware were advertising modules displaying ads in the notification panel of Android devices. They also displayed obnoxious banners atop other apps’ windows and the operating system UI.
Adware.AdPush .36.originAdware.AdPush .6547- Adware.MyTeam.2.origin
- Adware.Mobby.5.origin
- Adware.Toofan.1.origin
Adware.SspSdk .1.origin- Adware.Jiubang.2
- Adware.Gexin.2.origin
- Adware.Dowgin.5.origin
- Adware.Zeus.1
- Program modules incorporated into Android applications and designed to display obnoxious ads on Android devices. Depending on their family and modifications, they can display full screen ads and block other apps’ windows, show various notifications, create shortcuts and load websites.
Banking trojans
In 2020, the intensity of attacks using banking trojans remained approximately the same throughout the first three quarters. A noticeable increase in their activity was observed only in spring, which coincided with the beginning of the pandemic.
With the onset of autumn and the second wave of the coronavirus outbreak, the number of banking trojan detections significantly rose and remained at high levels until the end of the year. With that, the peak of their activity fell on September. The reason for this was that in August, the Cerberus banking trojan source code was leaked to the public, making it possible for other malware creators to build their own bankers based on the code. Dr.Web anti-virus products detect various samples of Cerberus as modifications of the
Banking malware found its way onto the Android devices using various means, including downloads from malicious websites. Apart from the bogus coronavirus-related sites mentioned earlier, cybercriminals created many other fake online resources. For instance,
Cybercriminals that attacked Japanese users were creating fictitious post office and delivery services websites from which various Android banking trojans were downloaded onto victims’ devices.
The Google Play app catalogue was another common spreading route. In June, for example, Doctor Web’s virus analysts discovered several banking trojans there. One them was
In June, the
Prospects and trends
Cybercriminals are continuously searching for innovative ways to protect their malware. In 2021, we can expect the emergence of more multifunctional threats and trojans protected with various packers designed to interfere with anti-virus software detection capabilities.
Malware creators will continue using malicious software to generate illicit profits. In turn, users will likely face new adware trojans, software downloaders and clickers created and used for various criminal profiteering schemes.
Cyber espionage and targeted attacks will also remain a threat. Finally, it is highly likely that malware designed to infect Android devices by exploiting system or network vulnerabilities will emerge. To protect your Android device from malware, unwanted programs and other threats, we recommend installing Dr.Web for Android. It is also necessary to install all the available system updates and latest versions of the software you use.
Your Android needs protection.
Use Dr.Web
- The first Russian anti-virus for Android
- Over 140 million downloads—just from Google Play
- Available free of charge for users of Dr.Web home products
19.01 Doctor Web’s annual virus activity review for 2020
January 19, 2021
In 2020, one of the most common threats users faced en masse were trojan droppers, which distribute and install other malware and numerous advertising applications that interfere with the normal functioning of devices. Various modifications of trojan downloaders running executable files with a set of malicious functions were also a common threat. In addition, hacker groups were actively distributing trojan programs that exploit the functionality of popular remote desktop software. The Doctor Web virus laboratory registered several RAT malware attacks, which allows attackers to remotely control infected computers and deliver a malicious payload.
Also this year, Doctor Web analysts investigated several large-scale, targeted attacks aimed at the corporate sector. During the investigation, several trojan families that infected the computers of various state institutions were discovered.
The most active threats among mail traffic included banking trojans, stealers, various modifications of backdoors written in VB.NET, as well as malicious scripts that redirected users to dangerous and unwanted websites. The attackers also used email to actively distribute programs that exploit vulnerabilities in Microsoft Office documents.
Even though most of the detected malware targeted Windows users, computer owners operating macOS were also at risk. During the year, macOS users were continually threatened by trojan encoders, spyware and rootkits that hid running processes. Disguised as various common and even useful applications, adware installers were also actively distributed. They functioned to place potentially dangerous payload onto computers. Users who disabled the built-in security systems and downloaded applications from untrusted sources were most at risk.
Android mobile device users were also threatened by adware, spyware and banking trojans, as well as all sorts of malicious droppers that downloaded other malicious applications and executed arbitrary code. Much of the malware was distributed via the Google Play catalog.
Principal trends of the year
- A growing number of targeted attacks, including those involving ransomware
- An increase in the number of phishing attacks and campaigns using social engineering
- New threats to macOS
- Rapid distribution of Android malware throughout Google Play
Most notable events of 2020
In February, Doctor Web virus analysts reported that the VSDC video editor’s download link had been compromised on the popular software platform CNET. Instead of the genuine program, visitors received a modified installer bundled with malicious software, allowing cybercriminals to access the infected computers remotely. The remote access was accomplished using the TeamViewer components and the BackDoor.TeamViewer malicious library, which established an unauthorized connection. Using the backdoor, attackers were able to deliver payload as other malicious applications to infected devices.
In March, Doctor Web virus analysts reported that certain websites, from blogs to corporate pages created using WordPress CMS, had been compromised. The JavaScript script embedded in the hacked pages’ code redirected visitors to a phishing site where they were prompted to install an important security update for Chrome. The downloadable file was a malware installer that allowed attackers to remotely access and control the infected computers. This time, attackers again used legitimate TeamViewer components with a trojan library that established a connection and concealed the running program.
In the summer 2020, the Doctor Web virus laboratory released a large-scale study of malware used in APT attacks on government institutions in Kazakhstan and Kyrgyzstan. During the investigation, analysts discovered a previously unknown family of multi-module trojan programs called XPath, designed to gain entry into computers and then perform various malicious actions at the command of intruders. The trojan used a complex infection mechanism in which each program component corresponds to a specific stage of malware operation. The XPath family also has a rootkit for hiding network activity and any trace of its presence within a compromised system.
The Doctor Web virus laboratory later received new samples of malware found on the infected computers in the local network of a Kyrgyzstan state institution. The most interesting finding was a multi-module backdoor called ShadowPad, which according to our data, may be an evolution of another multi-module APT backdoor — PlugX, also previously found lurking in compromised state networks. Code similarities between the ShadowPad and PlugX malware samples, as well as some intersections in their network infrastructure, were covered in a separate study.
In September, Doctor Web reported the detection of a spear phishing campaign using social engineering, aimed at several Russian fuel and energy companies. For the initial infection, attackers used emails with malicious attachments. Upon being opened, backdoors were installed that allowed cybercriminals to take control of infected computers. Analysis of documents, malware, and the infrastructure used allowed us to conclude one of the Chinese APT groups carried out the attack.
In November, Doctor Web virus analysts detected a phishing attack targeting corporate users. The emails in question contained trojan malware that covertly install and launch Remote Utilities software. The software components were also included in the attachment. The attackers used social engineering to trick possible victims into opening the malicious attachments.
This email was disguised as an official notification requesting the recipient appear at the Prosecutor's office for investigative actions in a criminal case.
Malware landscape
Analysis of Dr.Web’s statistics showed that in 2020, users were most often exposed to trojan droppers and downloaders that installed other malicious applications and executed arbitrary code. Additionally, trojans and scripts that covertly mine cryptocurrency on devices continued to threaten users.
- Trojan.BPlug.3867
- A malicious browser extension designed to perform web injections into viewed webpages and block third-party advertisements.
- Trojan.Starter.7394
- A trojan whose main purpose is to launch an executable file with a specific set of malicious functions within an infected system.
- Trojan.MulDrop9.2530
- A trojan dropper that distributes and installs malware.
- Win32.HLLW.Rendoc.3
- A network worm that, among other channels, spreads via removable storage media.
- VBS.BtcMine.13
- A malicious script written in VBS and designed to covertly mine cryptocurrencies.
- JS.IFrame.634
- A script incorporated into HTML pages. Upon opening these pages, the script redirects users to malicious or unwanted websites.
- Trojan.Encoder.11432
- A multi-component network worm known as WannaCry. The malicious program itself has several components; the trojan encoder is only one of them.
- Trojan.InstallCore.3553
- A family of obfuscated installers that uses unscrupulous methods to distribute the bundled software.
- Win32.Virut.5
- A polymorphic virus that infects executable files. It functions for managing infected computers using IRC channel.
- Trojan.BtcMine.3165
- A trojan program that silently mines cryptocurrency using the computing power of the infected devices.
Email traffic was dominated by bankers, backdoors and malware that exploit vulnerabilities in Microsoft Office programs. In addition, cybercriminals distributed scripts for concealed mining, as well as for phishing and redirecting users to unwanted and potentially dangerous sites.
Trojan.SpyBot.699 - A multi-module banking trojan that allows cybercriminals to download and launch various applications on an infected device and run arbitrary code.
Exploit.CVE-2012-0158 - A modified Microsoft Office document that exploits the CVE-2012-0158 vulnerability in order to run malicious code.
- W97M.DownLoader.2938
- A family of downloader trojans that exploits vulnerabilities in Microsoft Office documents and can download other malicious programs onto a compromised computer.
- JS.Redirector.407
- Malicious JavaScript script placed in the code of web pages. It is designed to redirect users to phishing or advertising sites.
Exploit.ShellCode.69 - A malicious Microsoft Office Word document that exploits the CVE-2017-11882 vulnerability.
- JS.Phishing.70
- Malicious JavaScript script that generates a phishing web page.
- VBS.BtcMine.13
- A malicious script written in VBS and designed to covertly mine cryptocurrencies.
- JS.BtcMine.86
- A malicious script written in JavaScript and designed to covertly mine cryptocurrencies.
- BackDoor.SpyBotNET.25
- A backdoor written in .NET and designed to operate with a file system (to copy, create, delete, etc. catalogs), terminate processes, and take screenshots.
- JS.Miner.11
- A family of JavaScript scripts designed to covertly mine cryptocurrencies.
Encryption ransomware
In 2020, Doctor Web’s virus laboratory registered 18.4% fewer requests to decode files encoded by trojan ransomware than in 2019. See the request dynamics for 2020 below.
The most common ransomware programs in 2020:
- Trojan.Encoder.26996
- A trojan encoder known as STOP Ransomware. It attempts to obtain a private key from the server, and in cases of failure, uses the hardcoded one. It is one of the few encoders that encrypts user data with the Salsa20 stream cipher.
- Trojan.Encoder.567
- A trojan encoder written in Delphi. This encoder has many versions that use various encryption algorithms. Generally it is distributed as email attachments.
- Trojan.Encoder.29750
- This trojan encoder belongs to the Limbo/Lazarus family. It carries the hardcoded key, which is used when it is not possible to connect to the C&C server and upload the private portion of the generated key.
- Trojan.Encoder.858
- A trojan encoder known as Troldesh Ransomware. It is compiled using Tor, which is initialized immediately upon launch. The connection is made to one of the bridges, the address of which is hardcoded into the trojan. It uses the AES algorithm in CBC mode to encrypt user data.
- Trojan.Encoder.11464
- A trojan encoder known as Scarab Ransomware. It was first discovered in June 2017. It was initially distributed via the Necurs botnet. It uses the AES-256 and RSA-2048 algorithms to encrypt user data.
Dangerous and non-recommended websites
SpIDer Gate's Parental (Office) Control and Web Antivirus databases are regularly updated with new addresses of non-recommended and potentially dangerous websites. Many fraudulent and phishing resources, as well as malware distributing pages can be found there. The largest number of such websites was recorded in the third quarter, dropping to the lowest in the second quarter. See the dynamics of the updates to the databases over the last year below.
Network fraud
In February, Doctor Web experts warned users about the launch of a large-scale phishing campaign on Instagram. The campaign was based on messages to users about a one-off payment to all Russian citizens. Fraudsters provided information as extracts from news releases, using relevant fragments from real broadcasts. With that, the advertising video has additional frames showing someone using a phishing website and browsing its pages, which were presented as official resources from the Russian Ministry of Economic Development.
During 2020, Doctor Web’s Internet analysts identified numerous fraudulent websites presented as official resources of state organizations. Cybercriminals most commonly offered non-existent compensation to targets or proposed that they invest in large companies.
To get the promised benefits, visitors were most often coaxed into entering their personal data including banking card details and proceed with the advance payment. Thus, victims lost money and unknowingly transferred their personal data to scammers.
Mobile devices
In 2020, Android devices users were threatened by various malicious and unwanted applications. For example, users often encountered all modifications of adware trojans displaying obnoxious notifications and banners. Many malicious programs of the
In addition, in March, virus analysts discovered a multifunctional trojan on Google Play —
Various trojan downloaders were also a common threat. They included a large number of malicious apps from the
Potentially dangerous utilities that allow apps to run without installation were also widespread. They included the
To spread malicious and unwanted applications, cybercriminals actively exploited the COVID-19 pandemic. For example, they created various fraudulent websites where victims were tricked into installing reference or medical apps related to the coronavirus, as well as applications for obtaining welfare assistance. In fact, spyware, various bankers, ransomware, and other malware were downloaded from such websites to the Android devices.
During the year, Doctor Web’s virus analysts identified many malicious applications of the
Also in 2020, the virus laboratory uncovered numerous Android applications that enable owner tracking. These apps could be used for cyber espionage and collecting a wide range of personal information — from correspondence, photos and documents, to personal contact lists, device location, contact information, phone conversations, etc.
Prospects and possible trends
The past year has demonstrated the steady spread of not only mass malware, but also APT threats faced by organizations worldwide.
Digital ransomware is expected to continue spreading in 2021, with targeted attacks using encryption ransomware increasingly targeting private companies and the corporate sector. The expansion of the RaaS model (Ransomware as a Service) has facilitated this development. Possible reductions in information security costs may also lead to the number of such incidents rising rapidly.
Banking and adware trojans, miners and encoders, as well as spyware will continue to threaten users in 2021. Besides that, new fraudulent schemes and phishing campaigns are likely to emerge with the help of attackers who will try to obtain money and personal data.
Owners of devices running macOS, Android, Linux, and other OS will remain targets and malware will continue to spread to these platforms. Attacks on IoT devices are also expected to become more frequent and sophisticated. So, it’s safe to say that cybercriminals will continue using any means necessary to continue developing these attacks. That being said, users need to comply with information security rules and apply reliable anti-virus tools on all devices.
Find out more with Dr.Web
19.01 Doctor Web’s 2020 mobile malware activity overview
January 19, 2020
