January 20, 2021

Russian anti-virus company Doctor Web has updated its curing utility Dr.Web CureIt!.

Now Dr.Web CureIt! features the most up-to-date version of Dr.Web Anti-rootkit API (12.5.17.202012070).

Download Dr.Web CureIt!

January 20, 2021

Russian anti-virus company Doctor Web has updated SpIDer Agent for Windows (11.5.8.01150) in Dr.Web Security Space 11.5, Dr.Web Anti-virus 11.5, Dr.Web 11.5 for Windows Servers, and Dr.Web Enterprise Security Suite 11.0.

Now the registration wizard displays up-to-date information about Dr.Web Security Space trial licenses.

The update will be downloaded and installed automatically.

January 19, 2020

In 2020, trojans allowing cybercriminals to generate illegal profit were among the most widespread Android malware. Malicious apps capable of downloading and executing arbitrary code, as well as trojans designed to download and install software without users’ knowledge and consent were among them. In addition, malware creators actively used various adware trojans and clicker trojans that loaded websites and clicked on web links.

Backdoors allowing attackers to remotely control infected devices and trojans turning Android gadgets into proxy servers for cybercriminals to redirect traffic also posed a serious threat.

Cyber espionage continues to remain relevant. In the last 12 months, Android device owners were targeted by numerous applications allowing the attackers to spy on them and control their actions. Many of these apps are not malicious alone, but do pose a potential threat since they can be used with or without users’ permission.

There were also new threats on Google Play which is the official app store and the source for other digital content for the Android OS. Google Play is considered to be the most reliable place to download software and games, but attackers are still able to spread malware and unwanted apps there. Numerous adware trojans, bogus apps, and malware that subscribed users to premium services and were capable of executing arbitrary code, were among the threats Doctor Web’s specialists uncovered on the platform. Moreover, banking trojans and applications with built-in unwanted adware modules were also spread through Google Play.

In 2020, malicious actors actively exploited the COVID-19 pandemic to spread malware. Amid worldwide troubles, banking trojans, ransomware, spyware trojans, fraudulent software and other threats were seen targeting Android users.

Most notable events

In March, Doctor Web’s malware analysts uncovered the trojan dubbed Android.Circle.1. It was spread through Google Play as image collection apps, astrology programs, games, utilities and other useful software for Android devices. Once installed, it received and executed commands from cybercriminals using BeanShell scripts. For instance, Android.Circle.1 could display ads and load websites while imitating user actions by automatically clicking on links and banners.

Throughout the year our malware analysts discovered other trojans from the same family as Android.Circle.1.

In May, Doctor Web’s specialists traced the spread of the new modification of the Android.FakeApp.176 scam trojan, which has been known for several years now. To attract users, malicious actors passed it off as well-known games and apps. Cybercriminals promoted yet another incarnation of this trojan as a mobile version of the Valorant game and advertised it on YouTube.

Android.FakeApp.176’s only function is to load affiliate services websites where users are prompted to complete specific tasks such as installing apps and games or completing surveys. For each successfully completed task the affiliate service member receives a reward. In case of the new modification of the Android.FakeApp.176, the scam was based on false claims that upon finishing a few tasks, the user would supposedly gain access to the game, which didn’t actually exist. As a result, victims didn’t receive the reward and only helped malware writers generate profit.

Already in December, Doctor Web reported on the Android.Mixi.44.origin trojan found in the Eye Care application. It covertly opened web links and loaded websites, which then displayed on-top of other app’s windows. In addition, this malware monitored which apps users installed and attempted to credit every installation to the cybercriminals so they received rewards from advertising and affiliate services.

Over the past 12 months, Doctor Web’s specialists found numerous threats on the Google Play app store. Adware trojans from the Android.HiddenAds family displaying obnoxious banners on-top of other apps’ windows, Android.Joker multifunctional trojans subscribing users to premium services and executing arbitrary code, as well as other malicious and unwanted applications were among them.

Using the pandemic to their benefit, cybercriminals actively spread various Android malware as legitimate and useful software.

In March, for example, users were attacked by the Android.Locker.7145 ransomware trojan. Its creators spread it as an app that allegedly allowed users to track coronavirus infection statistics. Instead, it encrypted files stored on Android devices and demanded users pay a ransom of $250 US dollars.

In May, the Android.Spy.660.origin spyware trojan was spotted, targeting primarily Uzbek users. Unlike Android.Locker.7145, it was built into the app that actually provided the information on the number of infected people. With this function, however, Android.Spy.660.origin was also collecting users’ SMS, call history, and contacts list and sending them to the remote server.

Another COVID-19-related spyware trojan, dubbed Android.Spy.772.origin, attacked French users. It was distributed through a fraudulent website that mimicked a French online information platform related to the coronavirus. Android.Spy.772.origin was downloaded from the fake website and disguised as an app designed to check symptoms and identify possible infection.

Upon launching, however, the trojan only loaded the original website in its window and proceeded to spy on the victim. It sent various confidential information to cybercriminals, including SMS, location data, phone call logs and contacts. It could also record the surrounding environment using the device’s microphone, take pictures and record videos using the camera.

Many banking trojans were among the malware spread amid the pandemic. Android.BankBot.2550, which is yet another modification of the infamous Anubis trojan, was one of them. Our specialists recorded cases when malware writers used social networks, such as Twitter, to distribute it. Cybercriminals lured potential victims to their websites and prompted them to install an app that promised to provide updates and information on the coronavirus. In reality, users downloaded a malware program designed to syphon their money and personal information.

Android.BankBot.2550 displayed phishing windows to steal logins, passwords and banking card information. It also intercepted SMS, could take screenshots, automatically turn off the Google Play Protect built into the Android OS, operate as a keylogger and perform other malicious actions.p>

Furthermore, some banking trojans were spreading under the guise of apps that could allegedly help users receive financial support from the government. Amid the pandemic and difficult financial situation related to it many countries did, in fact, allocate the money to support their citizens – and cybercriminals took advantage of this. For example, the Android.BankBot.684.origin and Android.BankBot.687.origin banking trojans targeting users from Turkey were spread as software that was supposedly designed to help users receive financial support. These trojans also found their way onto users’ Android devices through the malicious websites.

These bankers attempted to steal users’ logins and passwords to access their mobile banking accounts. To do so, the bankers displayed phishing windows on-top of legitimate banking software UI. Moreover, they were able to steal banking card information, intercept and send SMS, execute USSD commands, block the screen of the infected device and perform other malicious actions upon attackers’ commands.

During the pandemic, the topics of welfare allowances, payouts and compensation was also regularly exploited. In particular, scammers were actively spreading various modifications of the Android.FakeApp family malware. Throughout 2020, Doctor Web’s specialists uncovered many of these trojans on Google Play. Cybercriminals spread them as reference software and handbooks with information about welfare payouts and tax refunds. Many of these trojans were targeting users from Russia where the government was also financially supporting its citizens. When victims tried to find information about available payouts, they ended up installing trojans.

This type of malware loaded fraudulent websites where users were asked to provide their personal information, allegedly to verify whether any payout or compensation was available. After that, websites imitated the database search and users were asked to provide their banking card information to pay a commission for the money “transfer” or to pay a fee for the documents “registration”. But in reality, victims didn’t receive any payout or compensations. They were just giving away their own money and providing cybercriminals with their confidential information.

Statistics

According to statistics collected by Dr.Web for Android anti-virus products, malicious applications were most often detected on Android devices. They accounted for 80.72% of the total number of identified threats. Adware with a 15.38% detection share was the second most common threat. Riskware ranked third as it was detected in 3.46% of cases. Potentially unwanted applications accounted for a mere 0,44% of all detections.

Trojans capable of downloading and executing arbitrary code, as well as downloading and installing other software, were among the most common malicious programs. They accounted for over 50% of the malware detected on Android devices. With that, various modifications of the Android.RemoteCode, Android.Triada, Android.DownLoader, and Android.Xiny trojan families prevailed.

Adware trojans were among the most active threats as well. They accounted for almost a quarter of all malicious apps identified on protected devices. Numerous modifications of the Android.HiddenAds and Android.MobiDash trojans were among them.

Android.RemoteCode.246.origin

Android.RemoteCode.6122

Android.RemoteCode.256.origin

Malicious applications that download and execute arbitrary code. Depending on their modification, they can load various websites, open web links, click on advertisement banners, subscribe users to premium services and perform other actions.

Android.HiddenAds.530.origin

Android.HiddenAds.1994

Trojans designed to display obnoxious ads and distributed as popular applications. In some cases, they can be installed in the system directory by other malware.

Android.Triada.491.origin

Android.Triada.510.origin

Multifunctional trojans that perform various malicious actions. This malware belongs to the trojan family that infects other apps’ processes. Some modifications of this family were found in the firmware of Android devices that attackers implanted during manufacturing. Some of them can also exploit various vulnerabilities to gain access to protected system files and folders.

Android.Click.311.origin

Android.Click.334.origin

Android.Click.348.origin

Trojans that automatically load websites and click on links and banners. They can be spread as harmless apps so users don’t perceive them as threatening.

Applications that alerted Android users to nonexistent or fake threats and prompted them to buy the full version of software to “cure” their devices were some of the most common unwanted apps. Various spyware apps were also detected quite often.

Program.FakeAntiVirus.2.origin

The detection name for adware programs that imitate anti-virus software. These apps inform users of nonexistent threats, mislead them and demand they purchase full version software.

Program.FreeAndroidSpy.1.origin

Program.Mrecorder.1.origin

Program.SpyPhone.4.origin

Program.MobileTool.2.origin

Program.Reptilicus.7.origin

Program.MonitorMinor.1.origin

Software that monitors Android user activity and may serve as a tool for cyber espionage. These apps can track device locations, collect information from SMS and social media messages, copy documents, photo and video, spy on phone calls, etc.

Program.RiskMarket.1.origin

An app store that contains trojan software and recommends users install it.

Program.WapSniff.1.origin

An Android program designed to intercept messages from WhatsApp.

Programs capable of downloading and running other apps without installing them were among the most common riskware. Dr.Web for Android anti-virus products also detected a large number of apps protected by special packers and obfuscators on Android devices. Cybercriminals often use these tools to protect malware and unwanted software from anti-viruses.

Tool.Obfuscapk.1

The detection name for applications protected by the Obfuscapk obfuscation tool. This tool is used to automatically modify and scramble Android apps’ source code to make reverse engineering more difficult. Cybercriminals use the tool to protect malicious applications from being detected by anti-virus programs.

Tool.SilentInstaller.6.origin

Tool.SilentInstaller.14.origin

Tool.SilentInstaller.11.origin

Tool.SilentInstaller.13.origin

Tool.SilentInstaller.7.origin

Tool.SilentInstaller.10.origin

Tool.VirtualApk.1.origin

Riskware platforms that allow applications to launch APK files without installation. They create a virtual runtime environment that does not affect the main operating system.

Tool.Rooter.3

A utility designed to obtain root privileges on Android devices. Ordinary users, cybercriminals and malware may all use it.

Tool.Packer.1.origin

A packer tool designed to protect Android applications from unauthorised modification and reverse engineering. This tool is not malicious itself, but it can be used to protect both harmless and malicious software.

The most widespread adware were advertising modules displaying ads in the notification panel of Android devices. They also displayed obnoxious banners atop other apps’ windows and the operating system UI.

Adware.AdPush.36.origin

Adware.AdPush.6547

Adware.MyTeam.2.origin

Adware.Mobby.5.origin

Adware.Toofan.1.origin

Adware.SspSdk.1.origin

Adware.Jiubang.2

Adware.Gexin.2.origin

Adware.Dowgin.5.origin

Adware.Zeus.1

Program modules incorporated into Android applications and designed to display obnoxious ads on Android devices. Depending on their family and modifications, they can display full screen ads and block other apps’ windows, show various notifications, create shortcuts and load websites.

Banking trojans

In 2020, the intensity of attacks using banking trojans remained approximately the same throughout the first three quarters. A noticeable increase in their activity was observed only in spring, which coincided with the beginning of the pandemic.

With the onset of autumn and the second wave of the coronavirus outbreak, the number of banking trojan detections significantly rose and remained at high levels until the end of the year. With that, the peak of their activity fell on September. The reason for this was that in August, the Cerberus banking trojan source code was leaked to the public, making it possible for other malware creators to build their own bankers based on the code. Dr.Web anti-virus products detect various samples of Cerberus as modifications of the Android.BankBot family.

Banking malware found its way onto the Android devices using various means, including downloads from malicious websites. Apart from the bogus coronavirus-related sites mentioned earlier, cybercriminals created many other fake online resources. For instance, Android.Banker.388.origin, which was spread among Vietnamese users in May, was downloaded from the fake Ministry of Public Security website.

Cybercriminals that attacked Japanese users were creating fictitious post office and delivery services websites from which various Android banking trojans were downloaded onto victims’ devices.

The Google Play app catalogue was another common spreading route. In June, for example, Doctor Web’s virus analysts discovered several banking trojans there. One them was Android.BankBot.3260, which was disguised as a note-taking app. Another one was Android.BankBot.733.origin which was spread as a tool to install software and system updates, as well as to protect against cyber threats.

In June, the Android.Banker.3259 trojan was found. It hid in the application allegedly designed to manage phone calls and SMS.

Prospects and trends

Cybercriminals are continuously searching for innovative ways to protect their malware. In 2021, we can expect the emergence of more multifunctional threats and trojans protected with various packers designed to interfere with anti-virus software detection capabilities.

Malware creators will continue using malicious software to generate illicit profits. In turn, users will likely face new adware trojans, software downloaders and clickers created and used for various criminal profiteering schemes.

Cyber espionage and targeted attacks will also remain a threat. Finally, it is highly likely that malware designed to infect Android devices by exploiting system or network vulnerabilities will emerge. To protect your Android device from malware, unwanted programs and other threats, we recommend installing Dr.Web for Android. It is also necessary to install all the available system updates and latest versions of the software you use.

Your Android needs protection.

Use Dr.Web

• The first Russian anti-virus for Android
• Over 140 million downloads—just from Google Play
• Available free of charge for users of Dr.Web home products

Free download

January 19, 2021

In 2020, one of the most common threats users faced en masse were trojan droppers, which distribute and install other malware and numerous advertising applications that interfere with the normal functioning of devices. Various modifications of trojan downloaders running executable files with a set of malicious functions were also a common threat. In addition, hacker groups were actively distributing trojan programs that exploit the functionality of popular remote desktop software. The Doctor Web virus laboratory registered several RAT malware attacks, which allows attackers to remotely control infected computers and deliver a malicious payload.

Also this year, Doctor Web analysts investigated several large-scale, targeted attacks aimed at the corporate sector. During the investigation, several trojan families that infected the computers of various state institutions were discovered.

The most active threats among mail traffic included banking trojans, stealers, various modifications of backdoors written in VB.NET, as well as malicious scripts that redirected users to dangerous and unwanted websites. The attackers also used email to actively distribute programs that exploit vulnerabilities in Microsoft Office documents.

Even though most of the detected malware targeted Windows users, computer owners operating macOS were also at risk. During the year, macOS users were continually threatened by trojan encoders, spyware and rootkits that hid running processes. Disguised as various common and even useful applications, adware installers were also actively distributed. They functioned to place potentially dangerous payload onto computers. Users who disabled the built-in security systems and downloaded applications from untrusted sources were most at risk.

Android mobile device users were also threatened by adware, spyware and banking trojans, as well as all sorts of malicious droppers that downloaded other malicious applications and executed arbitrary code. Much of the malware was distributed via the Google Play catalog.

Most notable events of 2020

In February, Doctor Web virus analysts reported that the VSDC video editor’s download link had been compromised on the popular software platform CNET. Instead of the genuine program, visitors received a modified installer bundled with malicious software, allowing cybercriminals to access the infected computers remotely. The remote access was accomplished using the TeamViewer components and the BackDoor.TeamViewer malicious library, which established an unauthorized connection. Using the backdoor, attackers were able to deliver payload as other malicious applications to infected devices.

In March, Doctor Web virus analysts reported that certain websites, from blogs to corporate pages created using WordPress CMS, had been compromised. The JavaScript script embedded in the hacked pages’ code redirected visitors to a phishing site where they were prompted to install an important security update for Chrome. The downloadable file was a malware installer that allowed attackers to remotely access and control the infected computers. This time, attackers again used legitimate TeamViewer components with a trojan library that established a connection and concealed the running program.

In the summer 2020, the Doctor Web virus laboratory released a large-scale study of malware used in APT attacks on government institutions in Kazakhstan and Kyrgyzstan. During the investigation, analysts discovered a previously unknown family of multi-module trojan programs called XPath, designed to gain entry into computers and then perform various malicious actions at the command of intruders. The trojan used a complex infection mechanism in which each program component corresponds to a specific stage of malware operation. The XPath family also has a rootkit for hiding network activity and any trace of its presence within a compromised system.

The Doctor Web virus laboratory later received new samples of malware found on the infected computers in the local network of a Kyrgyzstan state institution. The most interesting finding was a multi-module backdoor called ShadowPad, which according to our data, may be an evolution of another multi-module APT backdoor — PlugX, also previously found lurking in compromised state networks. Code similarities between the ShadowPad and PlugX malware samples, as well as some intersections in their network infrastructure, were covered in a separate study.

In September, Doctor Web reported the detection of a spear phishing campaign using social engineering, aimed at several Russian fuel and energy companies. For the initial infection, attackers used emails with malicious attachments. Upon being opened, backdoors were installed that allowed cybercriminals to take control of infected computers. Analysis of documents, malware, and the infrastructure used allowed us to conclude one of the Chinese APT groups carried out the attack.

In November, Doctor Web virus analysts detected a phishing attack targeting corporate users. The emails in question contained trojan malware that covertly install and launch Remote Utilities software. The software components were also included in the attachment. The attackers used social engineering to trick possible victims into opening the malicious attachments.

This email was disguised as an official notification requesting the recipient appear at the Prosecutor's office for investigative actions in a criminal case.

Malware landscape

Analysis of Dr.Web’s statistics showed that in 2020, users were most often exposed to trojan droppers and downloaders that installed other malicious applications and executed arbitrary code. Additionally, trojans and scripts that covertly mine cryptocurrency on devices continued to threaten users.

Trojan.BPlug.3867

A malicious browser extension designed to perform web injections into viewed webpages and block third-party advertisements.

Trojan.Starter.7394

A trojan whose main purpose is to launch an executable file with a specific set of malicious functions within an infected system.

Trojan.MulDrop9.2530

A trojan dropper that distributes and installs malware.

Win32.HLLW.Rendoc.3

A network worm that, among other channels, spreads via removable storage media.

VBS.BtcMine.13

A malicious script written in VBS and designed to covertly mine cryptocurrencies.

JS.IFrame.634

A script incorporated into HTML pages. Upon opening these pages, the script redirects users to malicious or unwanted websites.

Trojan.Encoder.11432

A multi-component network worm known as WannaCry. The malicious program itself has several components; the trojan encoder is only one of them.

Trojan.InstallCore.3553

A family of obfuscated installers that uses unscrupulous methods to distribute the bundled software.

Win32.Virut.5

A polymorphic virus that infects executable files. It functions for managing infected computers using IRC channel.

Trojan.BtcMine.3165

A trojan program that silently mines cryptocurrency using the computing power of the infected devices.

Email traffic was dominated by bankers, backdoors and malware that exploit vulnerabilities in Microsoft Office programs. In addition, cybercriminals distributed scripts for concealed mining, as well as for phishing and redirecting users to unwanted and potentially dangerous sites.

Trojan.SpyBot.699

A multi-module banking trojan that allows cybercriminals to download and launch various applications on an infected device and run arbitrary code.

Exploit.CVE-2012-0158

A modified Microsoft Office document that exploits the CVE-2012-0158 vulnerability in order to run malicious code.

W97M.DownLoader.2938

A family of downloader trojans that exploits vulnerabilities in Microsoft Office documents and can download other malicious programs onto a compromised computer.

JS.Redirector.407

Malicious JavaScript script placed in the code of web pages. It is designed to redirect users to phishing or advertising sites.

Exploit.ShellCode.69

A malicious Microsoft Office Word document that exploits the CVE-2017-11882 vulnerability.

JS.Phishing.70

Malicious JavaScript script that generates a phishing web page.

VBS.BtcMine.13

A malicious script written in VBS and designed to covertly mine cryptocurrencies.

JS.BtcMine.86

A malicious script written in JavaScript and designed to covertly mine cryptocurrencies.

BackDoor.SpyBotNET.25

A backdoor written in .NET and designed to operate with a file system (to copy, create, delete, etc. catalogs), terminate processes, and take screenshots.

JS.Miner.11

A family of JavaScript scripts designed to covertly mine cryptocurrencies.

Encryption ransomware

In 2020, Doctor Web’s virus laboratory registered 18.4% fewer requests to decode files encoded by trojan ransomware than in 2019. See the request dynamics for 2020 below.

The most common ransomware programs in 2020:

Trojan.Encoder.26996

A trojan encoder known as STOP Ransomware. It attempts to obtain a private key from the server, and in cases of failure, uses the hardcoded one. It is one of the few encoders that encrypts user data with the Salsa20 stream cipher.

Trojan.Encoder.567

A trojan encoder written in Delphi. This encoder has many versions that use various encryption algorithms. Generally it is distributed as email attachments.

Trojan.Encoder.29750

This trojan encoder belongs to the Limbo/Lazarus family. It carries the hardcoded key, which is used when it is not possible to connect to the C&C server and upload the private portion of the generated key.

Trojan.Encoder.858

A trojan encoder known as Troldesh Ransomware. It is compiled using Tor, which is initialized immediately upon launch. The connection is made to one of the bridges, the address of which is hardcoded into the trojan. It uses the AES algorithm in CBC mode to encrypt user data.

Trojan.Encoder.11464

A trojan encoder known as Scarab Ransomware. It was first discovered in June 2017. It was initially distributed via the Necurs botnet. It uses the AES-256 and RSA-2048 algorithms to encrypt user data.

Dangerous and non-recommended websites

SpIDer Gate's Parental (Office) Control and Web Antivirus databases are regularly updated with new addresses of non-recommended and potentially dangerous websites. Many fraudulent and phishing resources, as well as malware distributing pages can be found there. The largest number of such websites was recorded in the third quarter, dropping to the lowest in the second quarter. See the dynamics of the updates to the databases over the last year below.

Network fraud

In February, Doctor Web experts warned users about the launch of a large-scale phishing campaign on Instagram. The campaign was based on messages to users about a one-off payment to all Russian citizens. Fraudsters provided information as extracts from news releases, using relevant fragments from real broadcasts. With that, the advertising video has additional frames showing someone using a phishing website and browsing its pages, which were presented as official resources from the Russian Ministry of Economic Development.

During 2020, Doctor Web’s Internet analysts identified numerous fraudulent websites presented as official resources of state organizations. Cybercriminals most commonly offered non-existent compensation to targets or proposed that they invest in large companies.

To get the promised benefits, visitors were most often coaxed into entering their personal data including banking card details and proceed with the advance payment. Thus, victims lost money and unknowingly transferred their personal data to scammers.

Mobile devices

In 2020, Android devices users were threatened by various malicious and unwanted applications. For example, users often encountered all modifications of adware trojans displaying obnoxious notifications and banners. Many malicious programs of the Android.HiddenAds family were distributed via the Google Play catalog, including other channels. During the year, Doctor Web’s virus analysts identified dozens of these trojans on Google Play, which were downloaded by more than 3,300,000 users. Malicious applications of this type accounted for more than 13% of the total number of threats detected on Android devices.

In addition, in March, virus analysts discovered a multifunctional trojan on Google Play — Android.Circle.1, which received commands using BeanShell scripts and could also display ads. It was able to follow the links to download websites and click on banners placed there. Subsequently, the virus laboratory found other malware from this family.

Various trojan downloaders were also a common threat. They included a large number of malicious apps from the Android.RemoteCode family that downloaded and executed arbitrary code. This type of malware accounted for more than 14% of the total number of threats detected by Dr.Web on Android devices. In addition, trojans of the Android.DownLoader and Android.Triada families, which were able to download and install other applications, also threatended Android device users.

Potentially dangerous utilities that allow apps to run without installation were also widespread. They included the Tool.SilentInstaller and Tool.VirtualApk utilities. Malware creators actively used these tools to distribute various software, receiving rewards from partner services.

To spread malicious and unwanted applications, cybercriminals actively exploited the COVID-19 pandemic. For example, they created various fraudulent websites where victims were tricked into installing reference or medical apps related to the coronavirus, as well as applications for obtaining welfare assistance. In fact, spyware, various bankers, ransomware, and other malware were downloaded from such websites to the Android devices.

During the year, Doctor Web’s virus analysts identified many malicious applications of the Android.FakeApp family, designed to load fraudulent websites, in the Google Play catalog. The attackers passed off these trojans as reference books with information about social payments and compensation. Given the pandemic and the harsh economic situation, users were naturally interested in this kind of information, and many Android device users fell for the trick.

Also in 2020, the virus laboratory uncovered numerous Android applications that enable owner tracking. These apps could be used for cyber espionage and collecting a wide range of personal information — from correspondence, photos and documents, to personal contact lists, device location, contact information, phone conversations, etc.

Prospects and possible trends

The past year has demonstrated the steady spread of not only mass malware, but also APT threats faced by organizations worldwide.

Digital ransomware is expected to continue spreading in 2021, with targeted attacks using encryption ransomware increasingly targeting private companies and the corporate sector. The expansion of the RaaS model (Ransomware as a Service) has facilitated this development. Possible reductions in information security costs may also lead to the number of such incidents rising rapidly.

Banking and adware trojans, miners and encoders, as well as spyware will continue to threaten users in 2021. Besides that, new fraudulent schemes and phishing campaigns are likely to emerge with the help of attackers who will try to obtain money and personal data.

Owners of devices running macOS, Android, Linux, and other OS will remain targets and malware will continue to spread to these platforms. Attacks on IoT devices are also expected to become more frequent and sophisticated. So, it’s safe to say that cybercriminals will continue using any means necessary to continue developing these attacks. That being said, users need to comply with information security rules and apply reliable anti-virus tools on all devices.

January 19, 2021

Russian anti-virus company Doctor Web has updated its non-signature anti-virus Dr.Web KATANA 1.0, including Dr.Web KATANA (Business Edition). The update introduces support for server versions of Windows and includes minor tweaks and upgrades.

Now that Windows server versions are supported, Dr.Web KATANA is available under the Dr.Web Server Security Suite license to further enhance the security of file and application servers and keep them protected from brand-new threats.

The user guide has also been made current.

The update will be downloaded and installed automatically.

January 19, 2020

Doctor Web presents its annual mobile malware activity overview for 2020. Statistics from Dr.Web anti-virus products for Android revealed that Android device owners were primarily targeted last year by various adware trojans and malware that downloaded other software and were able to run arbitrary code. Users also encountered spyware and fraudulent software, banking trojans, and clickers that automatically opened web links. New threats have been uncovered on Google Play as well. Read more about these and other mobile security events in our overview.

Go to the review

January 19, 2021

Doctor Web presents its annual overview of malware activity for 2020. In the passing year, PC and mobile device users faced new malware attacks and online fraud, while organizations suffered targeted attacks and cyber espionage.

In 2020, major large-scale threats were not only the spread of malware, but also growing online fraud. According to statistics, Dr.Web anti-virus software most often neutralized various trojans, spyware, malicious scripts and numerous loaders that downloaded other dangerous and unwanted programs. The outgoing year was also marked by attacks on a number of enterprises and organizations. During an in-depth investigation Doctor Web virus analysts uncovered and studied many samples of specialized malware. Owners of Android mobile devices did not go unnoticed either; the attackers actively distributed malicious applications using various means including through the Google Play catalog. Read about these and other events in the final review of malware activity over the past year on our website.

Go to the review

January 11, 2021

Russian anti-virus company Doctor Web has updated SpIDer Agent for Windows (12.10.1.12251) in Dr.Web Security Space 12.0, Dr.Web Anti-virus 12.0, Dr.Web Anti-virus 12.0 for Windows Servers, Dr.Web Enterprise Security Suite 12.0 and Dr.Web AV-Desk 13.0.

Now the registration wizard displays up-to-date information about Dr.Web Security Space trial licenses.

The update will be downloaded and installed automatically.

December 31, 2020

Our December analysis of Dr.Web’s statistics revealed a 11.49% decrease in the total number of threats compared to the previous month. The number of unique threats also dropped by 24.51%. Adware and malware browser extensions still made up the majority of detected threats. Email traffic was dominated by various malware that includes the Trojan.SpyBot.699 banking trojan, an obfuscated stealer written in VB.NET and malicious programs exploiting vulnerabilities in Microsoft Office utilities.

The number of requests to decrypt files affected by trojan encoders decreased by 31.54% compared to November. Trojan.Encoder.26996 was the most active, accounting for 37.14% of all incidents.

According to Doctor Web’s statistics service

The most common threats in December:

Adware.SweetLabs.4

An alternative app store and add-on for Windows GUI from the creators of Adware.Opencandy.

Trojan.BPlug.3867

A malicious browser extension designed to perform web injections into viewed webpages and block third-party advertisements.

Adware.Elemental.17

Adware that spreads through file sharing services as a result of link spoofing. Instead of normal files, victims receive applications that display advertisements and install unwanted software.

Adware.Softobase.15

Installation adware that spreads outdated software and changes the browser settings.

Adware.Downware.19741

Adware that often serves as an intermediary installer of pirate software.

Statistics for malware discovered in email traffic

Trojan.SpyBot.699

A multi-module banking trojan that allows cybercriminals to download and launch various applications on an infected device and run arbitrary code.

Tool.KMS.7

Hacking tools used to activate illegal copies of Microsoft software.

W97M.DownLoader.2938

A family of downloader trojans that exploits vulnerabilities in Microsoft Office documents and can download other malicious programs to a compromised computer.

Trojan.PackedNET.405

An obfuscated version of a stealer written in VB.NET. It can be used as a keylogger and is designed to steal confidential data.

Exploit.ShellCode.69

A malicious Microsoft Office Word document that exploits the CVE-2017-11882 vulnerability.

Encryption ransomware

In December, Doctor Web’s virus laboratory registered 28.41% fewer requests to decode files encoded by trojan ransomware than in November.

• Trojan.Encoder.26996 — 37.14%
• Trojan.Encoder.567 — 20.00%
• Trojan.Encoder.29750 — 3.17%
• Trojan.Encoder.11549 — 1.27%
• Trojan.Encoder.30356 — 1.27%

Dangerous websites

In December 2020, Doctor Web added 105,840 URLs to the Dr. Web database of non-recommended websites.

Malicious and unwanted programs for mobile devices

In December, Dr.Web’s statistics for Android devices confirmed an almost 25.34% decrease in the total number of threats on protected devices compared with November. Users most often encountered adware trojans, as well as malicious applications that download other software and execute arbitrary code.

Another threat, Android.Joker.477, was detected in the Google Play catalog. It was hidden within an application with an image collection. It was capable of running arbitrary code and subscribing Android users to paid services.

Also in December, various banking trojans attacked users of Android devices.

The following December events related to mobile malware are the most noteworthy:

• A decline in malware activity on protected devices
• The detection of new malicious program on Google Play

Find out more about malicious and unwanted programs for mobile devices in our special overview.

December 31, 2020

Doctor Web presents its December 2020 mobile malware activity overview. In December, the number of threats detected on Android devices decreased by 25.34% compared to November. Adware trojans, malicious downloaders and trojans capable of executing arbitrary code were among the most common threats users encountered. With that, new malware was found on Google Play. Cybercriminals were again spreading banking trojans. Read more about these and other events in our December review.

Go to the review

December 31, 2020

In December, Dr.Web anti-virus products for Android detected 25.34% less threats than in November. According to detection statistics, the number of malware decreased by 25.35%, unwanted software by 21%, riskware by 68.1%, and adware by 25.01%. Android users most commonly encountered ad trojans, malware capable of executing an arbitrary code, and various downloader trojans.

In the middle of the month, Doctor Web malware analysts uncovered a multifunctional trojan on Google Play. Dubbed Android.Joker.477, this trojan was spread as a pictures collection app. The attacks involving various banking trojans such as Android.BankBot.684.origin and Android.BankBot.687.origin have also been observed. In some cases, cybercriminals disguised them as software that allegedly helps users receive government financial support during the COVID-19 pandemic.

According to statistics collected by Dr.Web for Android

Android.RemoteCode.284.origin

A malicious application that downloads and executes arbitrary code. Depending on its modification, it can load various websites, open web links, click on advertising banners, subscribe users to premium services and perform other actions.

Android.Triada.510.origin

A multifunctional trojan performing various malicious actions. This malware belongs to the trojan family that infects other apps’ processes. Some modifications of this family were found in the firmware of Android devices, which attackers implanted during manufacturing. Some of them can also exploit various vulnerabilities to gain access to the protected system files and folders.

Android.HiddenAds.1994

Android.HiddenAds.518.origin

Trojans designed to display obnoxious ads and distributed as popular applications. In some cases, they can be installed in the system directory by other malware.

Android.Click.348.origin

A malicious application that loads websites, clicks on banner ads, and follows links. It can be distributed as harmless programs without arousing suspicion among users.

Program.FreeAndroidSpy.1.origin

Program.NeoSpy.1.origin

Software that monitors Android user activity and may serve as a tool for cyber espionage. These apps can track device locations, collect information from SMS and social media messages, copy documents, photo and video, spy on phone calls, etc.

Program.FakeAntiVirus.2.origin

The detection name for adware programs that imitate anti-virus software. These apps inform users of non-existing threats, mislead them and demand they purchase the full version of the software.

Program.CreditSpy.2

The detection name for programs designed to assign credit ratings to users based on their personal data. These applications upload SMS, contact information from phonebooks, call history and other information to the remote server.

Program.KeyLogger.2.origin

An Android app that allows recording keystrokes. This program is not malicious itself, but can be used to spy on users and steal their confidential information.

Tool.Obfuscapk.1

The detection name for applications protected by the Obfuscapk obfuscation tool. This tool is used to automatically modify and scramble Android apps’ source code to make reverse engineering more difficult. Cybercriminals use the tool to protect malicious applications from being detected by anti-virus programs.

Tool.SilentInstaller.14.origin

Tool.SilentInstaller.6.origin

Tool.SilentInstaller.13.origin

Tool.SilentInstaller.8.origin

Riskware platforms that allow applications to launch APK files without installation. They create a virtual runtime environment that does not affect the main operating system.

Program modules incorporated into Android applications and designed to display obnoxious ads on Android devices. Depending on their family and modifications, they can display full screen ads and block other apps’ windows, show various notifications, create shortcuts and load websites.

• Adware.SspSdk.1.origin
• Adware.Adpush.36.origin
• Adware.Adpush.6547
• Adware.Myteam.2.origin
• Adware.Overlay.1.origin

Threats on Google Play

In December, Doctor Web malware analysts uncovered yet another trojan on Google Play. Dubbed Android.Joker.477, it was none other than a new modification of the Android.Joker trojan family. This malware was spread as a stock images collection app. But in actuality, it subscribed users to premium services and downloaded and executed an arbitrary code.

Banking trojans

The Android.BankBot.684.origin and Android.BankBot.687.origin bankers were among the threats spread last month. New modifications of these trojans discovered by Doctor Web specialists were targeting users from Turkey. This malware spread through bogus websites where potential victims could allegedly receive government financial support to help with the COVID-19 pandemic. To receive the money, users were asked to download and install special software which, in turn, was malware.

Once installed, bankers requested access to the Accessibility Service functions in order to gain more privileges. They then hid their icons from the apps list in the main screen menu and executed their main malicious routine. The bankers tried to steal confidential information through the phishing windows they displayed on-top of apps’ windows, intercepted SMS, could block the screen, and performed other malicious actions.

To protect your Android device from malware and unwanted programs, we recommend installing Dr.Web for Android.

Your Android needs protection.

Use Dr.Web

• The first Russian anti-virus for Android
• Over 140 million downloads—just from Google Play
• Available free of charge for users of Dr.Web home products

Free download

December 31, 2020

Doctor Web presents its December 2020 overview of malware activity. The past month revealed a decrease in the total amount of threats by over 10% compared with November. According to statistics, adware, trojan installers, and malware browser extensions remained among the most common threats. Email traffic was dominated by a multi-module banker, an obfuscated version of a stealer with keylogging features, as well as by malware that exploits vulnerabilities in Microsoft Office programs. The number of user requests to decrypt files affected by encoders decreased by almost a third. Read more about these and other events in our December review.

Go to the review

December 29, 2020

Doctor Web is informing Dr.Web community members about a break in the publication of Anti-virus Times issues: the project is going to take its traditional holiday.

The next issue will be published in the new year 2021 — on January 11. We will continue to cover actual events in the field of information security (and beyond), providing accompanying commentary and, of course, recommendations that will help our readers protect their systems even from the most sophisticated Internet threats and cybercriminals.

Happy Holidays and Happy New Year! May you enjoy maximum protection from viruses (both real and computer) — and let's continue broadening our horizons together!

December 17, 2020

Russian anti-virus company Doctor Web has updated the Dr.Web Updater module (12.0.28.12011) in Dr.Web Security Space 12.0, Dr.Web Anti-virus 12.0, Dr.Web Anti-virus 12.0 for Windows Servers and Dr.Web Enterprise Security Suite 12.0. Furthermore, Dr.Web Security Space setup (12.10.4.12140) has been updated in Dr.Web Security Space 12.0. Dr.Web Anti-virus for Windows setup (12.10.4.12140) and Dr.Web Anti-virus for Windows servers setup (12.10.4.12140) have been brought up to date in Dr.Web Anti-virus 12.0 and Dr.Web Anti-virus 12.0 for Windows Servers, respectively. The updates deliver feature upgrades and resolve existing software issues.

Changes made to Dr.Web Updater:

• An issue preventing proxy servers from being used for updating in some situations has been resolved.

Changes made to Dr.Web Security Space setup, Dr.Web Anti-virus for Windows setup and Dr.Web Anti-virus for Windows servers setup:

• The application setup now checks whether the hashing algorithm SHA-256 is supported by the system;
• An issue that under certain circumstances could prevent the software from being installed from a network drive has been resolved;
• Also resolved was a defect causing the Modify and Remove setup dialogue to use a different language (other than the current application language).

The update will be downloaded and installed automatically.

December 17, 2020

Russian anti-virus company Doctor Web has updated the configuration script Lua-script main (11.5.2.12040) in Dr.Web Security Space 11.5, Dr.Web Anti-virus 11.5, Dr.Web Anti-virus 11.5 for Windows Servers, Dr.Web Enterprise Security Suite 10.1 and 11.0, and Dr.Web AV-Desk 10.1. Furthermore, Dr.Web Thunderstorm Cloud Client SDK (12.0.13.10230) has been updated in Dr.Web AV-Desk 10.1. The update resolves a known software issue.

Changes made to Lua-script main:

• The update addresses an issue preventing a system restart prompt from being displayed after certain modules were updated in Dr.Web Enterprise Security Suite 10.1 and Dr.Web AV-Desk 10.1

Dr.Web 11.5 for Windows, Dr.Web Enterprise Security Suite 10.1 and 11.0 will be updated automatically. A system restart will be required to apply the update for Dr.Web AV-Desk 10.1.

December 16, 2020

Our November analysis of Dr.Web’s statistics revealed a 1.75% decrease in the total number of threats compared to the previous month. With that, the number of unique threats increased by 5.26%. Users were mostly exposed to adware and trojan downloaders. Email traffic was dominated by various malware that includes a backdoor written in .NET, the Trojan.SpyBot.699 banking trojan, and malicious programs exploiting vulnerabilities in Microsoft Office utilities.

The number of requests to decrypt files affected by trojan encoders decreased by 3.08% compared to October. Trojan.Encoder.26996 was the most active, accounting for 36.68% of all incidents.

Threat of the month

In November 2020 Doctor Web virus analysts detected a phishing attack targeting corporate users. The attackers used social engineering to trick possible victims into opening malicious attachments. The emails in question contained trojan malware that covertly install and launch Remote Utilities software. The software components were also included in the attachment. In the event of a successful attack, the affected computers would be vulnerable to unauthorized remote control without any visual signs of a running program.

According to Doctor Web’s statistics service

The most common threats in November:

Adware.Elemental.17

Adware that spreads through file sharing services as a result of link spoofing. Instead of normal files, victims receive applications that display advertisements and install unwanted software.

Adware.Softobase.15

Installation adware that spreads outdated software and changes the browser settings.

Adware.Downware.19741

Adware that often serves as an intermediary installer of pirate software.

Trojan.LoadMoney.4022

A family of malware installers that deploys additional components on victims’ computers along with the required applications. Some trojan modifications can collect various information about the attacked computer and transmit it to hackers.

Trojan.InstallCore.3949

A family of obfuscated installers that uses unscrupulous methods to distribute the bundled software.

Statistics for malware discovered in email traffic

Tool.KMS.7

Hacking tools used to activate illegal copies of Microsoft software.

BackDoor.SpyBotNET.25

A backdoor written in .NET and designed to operate with a file system (to copy, create, delete catalogs, etc.), terminate processes, take screenshots.

Trojan.SpyBot.699

A multi-module banking trojan that allows cybercriminals to download and launch various applications on an infected device and run arbitrary code.

HTML.Fisher.284

An HTML phishing page that includes a form for filling in credentials to access an email account.

W97M.DownLoader.2938

A family of downloader trojans that exploits vulnerabilities in Microsoft Office documents and can download other malicious programs to a compromised computer. It is designed to download other malware onto a compromised computer.

Encryption ransomware

In November, Doctor Web’s virus laboratory registered 3.08% fewer requests to decode files encoded by trojan ransomware than in October.

• Trojan.Encoder.26996 — 36.68%
• Trojan.Encoder.567 — 10.03%
• Trojan.Encoder.29750 — 4.49%
• Trojan.Encoder.11464 — 1.85%
• Trojan.Encoder.30356 — 1.85%

Dangerous websites

In November 2020, the database of non-recommended and malicious websites was updated with 154,606 webpages.

Malicious and unwanted programs for mobile devices

In November, Dr.Web’s statistics for Android devices confirmed an almost 5.14% decrease in the total number of threats on protected devices compared with October.

Google Play is still vulnerable to hosting various malicious apps. In the past month Doctor Web virus analysts discovered other trojans within the catalog. They include modifications of Android.Joker capable of running arbitrary code and subscribing Android users to paid services. The multifunctional Android.Mixi.44.origin trojan was also spotted.

The following November events regarding mobile malware are the most noteworthy:

• A decline in malware activity on protected devices
• Detection of new trojans on Google Play

Find out more about malicious and unwanted programs for mobile devices in our special overview.

December 16, 2020

Doctor Web presents its November 2020 overview of malware activity. In November, the number of detected threats remained steady at October levels. According to statistics, adware and trojan installers remained among the most common threats. Email traffic was dominated by various malware that included a backdoor written in .NET, a multi-module banking trojan and programs, exploiting Microsoft Office vulnerabilities. The number of user requests to decrypt files affected by encoders decreased slightly. Read more about these and other events in our November review.

Go to the review

December 16, 2020

Dr.Web ant-virus products for Android detected 5.14% fewer threats compared to October. According to detection statistics, the number of malware found on protected devices decreased by 8.37%. The number of unwanted apps, riskware and adware, on the contrary, increased by 5.78%, 13.16% and 5.72% respectively.

The Android.Mixi.44.origin trojan was among the threats found on Google Play last month. It loads various websites and displays them on top of other app windows. The trojan also opens URLs and helps cybercriminals generate scam profits by using the app installations users perform.

Our specialists also discovered new modifications of the trojans from the Android.Joker family. They primarily function to download and execute arbitrary code, intercepting incoming notifications and subscribing users to premium mobile services without their knowledge or consent.

Threat of the month

In the middle of the November Doctor Web’s malware analysts uncovered the Android.Mixi.44.origin trojan. It was built into an eye care app and spread though Google Play. On the surface, the app does perform as described, but it also targets users maliciously.

For example, the Android.Mixi.44.origin can load websites and display them on top of the windows of other applications and the operating system UI, disrupting the device’s normal use. The contents of these websites varies from advertising banners and video clips to phishing pages.

This trojan also functions to silently open web links. To do so, malefactors send Android.Mixi.44.origin a list of URLs it needs to visit. This way, the trojan artificially increases the popularity of certain websites while its authors generate a profit.

What’s more, the trojan attempts to monetize recent app installations. For that, it tracks which applications the user installs and uninstalls. If the received commands contain links that lead to the Google Play apps’ pages, Android.Mixi.44.origin checks if these apps were installed earlier. If they were, the trojan sends the packet names of these applications, as well as the malware writers’ referrer ID, to the analytics service. By doing so, it aims to reassign credit to the cybercriminals for performed installations.

If the targeted apps haven’t been installed, the trojan remembers the information related to them and waits for the user to install these apps. Upon their installation, it attempts to trick the analytics service the same way.

Read more about Android.Mixi.44.origin in our news report published on Doctor Web’s website.

According to statistics collected by Dr.Web for Android

Android.Click.348.origin

A trojan that automatically loads websites and clicks on links and advertisement banners. It can be spread as a harmless app so users don’t perceive it as threatening.

Android.Triada.510.origin

Android.Triada.541.origin

Multifunctional trojans that perform various malicious actions. This malware belongs to the trojan family that infects other apps’ processes. Some modifications of this family were found in the firmware of Android devices, which attackers implanted during manufacturing. Some of them can also exploit various vulnerabilities to gain access to the protected system files and folders.

Android.RemoteCode.6122

A malicious application that downloads and executes arbitrary code. Depending on its modification, it can load various websites, open web links, click on advertisement banners, subscribe users to premium services and perform other actions.

Android.HiddenAds.518.origin

A trojan designed to display obnoxious ads and distributed as popular applications. In some cases, it can be installed in the system directory by other malware.

Program.FreeAndroidSpy.1.origin

Program.Reptilicus.7.origin

Program.Mrecorder.1.origin

Software that monitors Android user activity and may serve as a tool for cyber espionage. These apps can track device locations, collect information from SMS and social media messages, copy documents, photo and video, spy on phone calls, etc.

Program.FakeAntiVirus.2.origin

The detection name for adware programs that imitate anti-virus software. These apps inform users of non-existing threats, mislead them and demand they purchase the full version of the software.

Program.CreditSpy.2

The detection name for programs designed to assign credit ratings to users based on their personal data. These applications upload SMS, contact information from phonebooks, call history and other information to the remote server.

Tool.Obfuscapk.1

The detection name for applications protected by the Obfuscapk obfuscation tool. This tool is used to automatically modify and scramble Android apps’ source code to make reverse engineering more difficult. Cyber criminals use the tool to protect malicious applications from being detected by anti-virus programs.

Tool.SilentInstaller.14.origin

Tool.SilentInstaller.6.origin

Tool.SilentInstaller.13.origin

Tool.SilentInstaller.7.origin

Riskware platforms that allow applications to launch APK files without installation. They create a virtual runtime environment that does not affect the main operating system.

Program modules incorporated into Android applications and designed to display obnoxious ads on Android devices. Depending on their family and modifications, they can display full screen ads and block other apps’ windows, show various notifications, create shortcuts and load websites.

• Adware.Adpush.36.origin
• Adware.SspSdk.1.origin
• Adware.Adpush.6547
• Adware.Myteam.2.origin
• Adware.Toofan.1.origin

Threats on Google Play

With Android.Mixi.44.origin, Doctor Web’s virus analysts discovered several new modifications of the trojans from the Android.Joker family, which were added to the virus database as Android.Joker.418, Android.Joker.419, and Android.Joker.452. They were spread as harmless software, such as a translator app, an app with a collection of wallpapers, and as a tool with allegedly rich functionality such as a compass, a flashlight, a level, etc.

These trojans downloaded and executed an arbitrary code and were able to subscribe users to mobile premium services, intercepting confirmation codes from incoming notifications.

To protect your Android device from malware and unwanted programs, we recommend installing Dr.Web for Android.

Your Android needs protection.

Use Dr.Web

• The first Russian anti-virus for Android
• Over 140 million downloads—just from Google Play
• Available free of charge for users of Dr.Web home products

Free download

December 16, 2020

Doctor Web presents its November 2020 mobile malware activity overview. The number of threats detected on Android devices decreased by 5.14% compared to October. With that, new trojans were found on Google Play, including Android.Mixi.44.origin. Among the other trojans uncovered in November was yet another modification of the Android.Joker multifunctional malware family. Read more about these and other events in our November review.

Go to the review

December 15, 2020

Russian anti-virus company Doctor Web has updated the drweb-openssl-libs1.1 (11.1.4-2012081902) and drweb-openssl (11.1.4-2012081902) modules in Dr.Web Anti-virus 11.1 for Linux, Dr.Web Anti-virus 11.1 for Unix Mail Servers, Dr.Web Anti-virus 11.1 for Unix Server, and Dr.Web Anti-virus 11.1 for Internet gateways Unix.

The products now support OpenSSL 1.1.1i.

The update is performed via the Dr.Web repository. If you encounter any problems when updating, please use the instructions from our previous news post to specify the additional repository for the Dr.Web software you’re using.

December 14, 2020

Russian anti-virus company Doctor Web has updated the Dr.Web Anti-rootkit API (12.5.17.202012070) in Dr.Web Security Space 12.0, Dr.Web 12.0 for Windows Servers and in Dr.Web Enterprise Security Suite 12.0.

The module's routines have been optimised.

The update will be downloaded and installed automatically.

December 11, 2020

In November 2020 Doctor Web virus analysts detected a phishing attack targeting corporate users. The emails in question contained trojan malware that covertly install and launch Remote Utilities software — a tool for remotely accessing another computer.

The samples can be divided into two groups:

• Self-extracting archives that contained the original Remote Utilities executable files and a malicious module loaded via DLL Hijacking. This module prevents the operating system from displaying the program’s windows and other signs of operation. Dr.Web detects it as BackDoor.RMS.180.
• Self-extracting archives that contained the original Remote Utilities installation module and a pre-configured MSI package that silently installs the remote access software and then sends a notification that it’s ready to be remotely connected to the server the attacker specified. Dr.Web detects it as BackDoor.RMS.181.

Attack scenario

Both groups of malware are united by the Remote Utilities software used and the layout of the phishing emails. These emails can be described as relatively well-written and lengthy Russian messages designed to entice recipients to open and read about various topics of interest. Also noteworthy, is that malicious payload is password protected, while the password itself is attached to the same email as the text file. The password is the date when the email was sent.

Here’s an example of an email with a malicious attachment that uses DLL Hijacking.

This email is disguised as an official notification requesting the recipient appear at the Prosecutor's office for investigative actions in a criminal case. It has a fake digital signature, which is just a random string in Base64.

The attached archive contains a protected RAR archive and a text file with a password to it.

An automatic password is set to protect the privacy of this attachment: 02112020

The archive named “Электронная повестка.гаг" contains the dropper as a self-extracting RAR archive, which in turn contains BackDoor.RMS.180.

Below is an example of an email with an attachment that uses the MSI package.

This email, disguised as a notification from a transport company regarding cargo arrival, asks the recipient to specify the shipping address. This email also contains a fake digital signature.

“Документы.гаг” contains dummy documents in addition to an archive with the malicious payload (BackDoor.RMS.181) and a password.

Due to corporate security policy, this attachment is protected with an access code: 12112020

During our research, we also uncovered a sample phishing email containing a link to a dropper that launched the Remote Utilities installation from a configured MSI package (detected by Dr. Web as BackDoor.RMS.187). This email implements a different malicious module with another infection method.

This email is disguised as a message from a job seeker with an attached CV. The "CV_resume.rar” attachment is a link to a compromised website that redirects the user to another resource to download a malicious archive with BackDoor.RMS.187.

Analyzing the network infrastructure attackers used to distribute BackDoor.RMS.187 allowed us to unearth several more compromised websites and a sample of the Trojan.Gidra malware. According to our data, the program Dr.Web detected as Trojan.GidraNET.1 was used to initially penetrate the system through a phishing email with further capabilities to upload a backdoor that silently installs the Remote Utilities software on a compromised computer.

For a detailed description of the malware used and how it works, see the Dr.Web Virus Library.

BackDoor.RMS.180
BackDoor.RMS.181
BackDoor.RMS.187
Trojan.GidraNET.1

Conclusion

The backdoors based on the remote desktop software remain a threat and are still widely used in corporate sector cyberattacks. In turn, phishing emails are the most common way to deliver payloads to targeted computers. Payload archiving using a password is a distinctive feature of malicious attachments. This allows messages to overcome mail servers’ built-in security tools. Another marker is the presence of a text file with a password to the bogus archive. In addition, using a malicious library and DLL Hijacking attack ensures unauthorized remote access software runs silently.

Indicators of compromise

December 10, 2020

Russian anti-virus company Doctor Web is proud to present the upgraded version of its interactive suspicious file analyser: Dr.Web vxCube 1.5.0. Now the analyser supports YARA rules for more effective threat detection and can be set to look for specific types of threats based on their particular properties. Thanks to threat and report tags, analysis results can now be better visualised. Furthermore, users don't need to extract EML files and archived content on their end to have it analysed. With new user profile features, setting up file analysis is now easier. Known issues have been resolved.

YARA rules

The YARA rules section is the main innovation in Dr.Web vxCube 1.5.0. With the rules, you can specify file analysis criteria, tag particular threat types automatically, and indicate a threat severity level for the files being analysed.

Take advantage of the advanced YARA features and you will be able to utilise all the data that passes through the analyser, including:

• File behaviour information;
• Registry entries in use;
• Types of files that the sample has created (src, dumb, drop, alloc, etc.) and much more.

In addition to the custom rules you add, in a new section, you will also be able to access the rules created by Doctor Web's malware researchers.

Report filters

You can now add tags to analysis report pages. This option is available for each operating system involved in the analysis. The tags are displayed in the journal and can be used to filter reports.

New user profile

The profile now lets you specify default analysis settings. The parameters you can define include:

• File execution duration;
• The operating system versions under which the file will be examined;
• The report archive password;
• Passwords for archives containing files to be analysed.

In addition, users can now see the existing API keys and create a new one as well as change their account password.

Email attachment and archive analysis

The service's API can now be used to analyse EML files and archives. The supported formats include: ZIP, ARJ, XZ, ACE, TAR, BZ2, CAB, GZ, RAR, 7z.

Keep the original filename or change it

In previous Dr.Web vxCube versions, analysed files were renamed automatically in the virtual environment. In the latest version, the file name remains unchanged by default. However, you can rename the file you are uploading.

Upgraded hypervisor

The hypervisor boasts more stable operation and has had its known issues resolved.

Dr.Web vxCube will be updated to version 1.5.0 on December 13 (Sunday) between 8 a.m. and 9 a.m. GMT. The service will be unavailable during this period.

To purchase a license, please contact our sales support service.

With a Dr.Web vxCube trial license, available here, you can examine 10 objects during the course of 10 days.

December 9, 2020

Russian anti-virus company Doctor Web has updated Dr.Web Security Space for Android to version 12.6.6. The update delivers feature upgrades and resolves known software issues.

Change log:

• Defects that prevented the anti-virus from operating normally in the centralized protection mode have been corrected;
• An issue that might cause the application to terminate abnormally has been fixed;
• Routines for detecting certain threat modifications have been upgraded;
• Minor tweaks and upgrades have been introduced.

If you downloaded the Dr.Web application from Google Play, the updates will be downloaded and installed automatically. If you’ve disabled automatic updating on your device, go to Google Play, select the Dr.Web Security Space or Dr.Web Security Space Life icon in the application list, and tap "Update”.

To update via the Doctor Web site, you need to download a new distribution file.

December 7, 2020

Russian anti-virus company Doctor Web has updated Dr.Web Updater (11.5.21.10090), Dr.Web Anti-rootkit API (11.5.14.202011060), and the Lua-script for updater module (11.5.3.10090) in Dr.Web Security Space 11.5, Dr.Web Anti-virus 11.5, Dr.Web Anti-virus 11.5 for Windows Servers and Dr.Web Enterprise Security Suite 11.0. Furthermore, Dr.Web for Outlook Plugin (11.5.4.202011250) has been updated in Dr.Web Security Space 11.5, Dr.Web Anti-virus 11.5, and Dr.Web Enterprise Security Suite 11.0. Meanwhile, Dr.Web Thunderstorm Cloud Client SDK (12.0.13.10230) has been brought up to date in Dr.Web 11.5 for Windows, and Dr.Web Enterprise Agent for Windows setup (11.5.12.09250) has been updated in Dr.Web Enterprise Security Suite 11.0. The update introduces new features, resolves known issues, and delivers minor upgrades.

Changes made to Dr.Web Updater:

• An issue preventing Dr.Web Security Space 11.5 and Dr.Web Anti-virus 11.5 from upgrading to version 12.0 automatically if a trial license was being used has been resolved.

Changes made to Lua-script for updater:

• An issue preventing Dr.Web Security Space 11.5 and Dr.Web Anti-virus 11.5 from upgrading to version 12.0 automatically if a serial number was unavailable has been resolved.

Changes made to Dr.Web Anti-rootkit API:

• A system freezing issue that could occur while a computer was being scanned has been eliminated.

Changes made to the Dr.Web for Outlook Plugin:

• A defect causing messages to be deleted while they were being moved to the quarantine has been eliminated.

Changes made to Dr.Web Enterprise Agent for Windows setup:

• A simplified Dr.Web Enterprise Security Suite installation procedure is now available in systems in which Dr.Web 12.0 software for Windows has already been installed;
• Dr.Web 11.5 can no longer be installed in unsupported systems (Windows ARM64).

A system restart will be required to update Dr.Web 11.5 for Windows software. Dr.Web Enterprise Security Suite 11.0 will be updated automatically.