Doctor Web’s January 2024 virus activity review

March 29, 2024

An analysis of Dr.Web anti-virus detection statistics for January 2024 revealed a 95.66% increase in the total number of threats detected, compared to December 2023. At the same time, the number of unique threats increased by 2.15%. Unwanted adware and adware trojans were detected most frequently, as were malicious programs distributed together with other threats to make the latter more difficult to detect. In mail traffic, malicious scripts and phishing documents were most commonly observed.

The number of user requests to decrypt files affected by encoder trojans increased by 22.84%, compared to the last month of 2023. Victims of these malicious programs again most frequently encountered Trojan.Encoder.26996, Trojan.Encoder.3953, and Trojan.Encoder.37369. Their share of the total number of incidents recorded was 17.98%, 12.72%, and 3.51%, respectively.

In January 2024, Doctor Web’s specialists discovered a new family of unwanted adware for the Android operating system. Dubbed Adware.StrawAd, it was integrated into several programs distributed via Google Play. Our malware analysts uncovered many new Android.FakeApp trojan apps on Google Play as well; cybercriminals use these apps for fraudulent purposes.

Principal trends in January

  • An increase in the total number of threats detected
  • An increase in the number of user requests to decrypt files affected by encoder trojans
  • The emergence of new threats on Google Play

According to Doctor Web’s statistics service

The most common threats in January:

Adware.Downware.20091
Adware that often serves as an intermediary installer of pirated software.
Trojan.BPlug.3814
The detection name for a malicious component of the WinSafe browser extension. This component is a JavaScript file that displays intrusive ads in browsers.
Adware.Siggen.33194
The detection name for a freeware browser that was built with the Electron framework and has a built-in adware component. This browser is distributed via various websites and loaded onto users’ computers when they try to download torrent files.
Trojan.AutoIt.1224
The detection name for a packed version of the Trojan.AutoIt.289 malicious app, written in the AutoIt scripting language. This trojan is distributed as part of a group of several malicious applications, including a miner, a backdoor, and a self-propagating module. Trojan.AutoIt.289 performs various malicious actions that make it difficult for the main payload to be detected.
Adware.SweetLabs.5
An alternative app store and an add-on for the Windows GUI (graphical user interface) from the creators of the “OpenCandy” adware.

Statistics for malware discovered in email traffic

JS.Inject
A family of malicious JavaScript scripts that inject a malicious script into the HTML code of webpages.
Exploit.CVE-2018-0798.4
An exploit designed to take advantage of Microsoft Office software vulnerabilities and allow an attacker to run arbitrary code.
Trojan.Inject4.30867
A trojan designed to inject malicious code into the processes of other programs.
Trojan.Siggen24.7712
The detection name for malicious programs of various functionality.
LNK.Starter.56
The detection name for a shortcut that is crafted in a specific way. This shortcut is distributed through removable media, like USB flash drives. To mislead users and conceal its operation, its default icon is a disk. When launched, it executes malicious VBS scripts from a hidden directory located on the same drive as the shortcut itself.

Encryption ransomware

In January 2024, the number of requests made to decrypt files affected by encoder trojans increased by 22.84%, compared to December 2023.

The most common encoders of January:

Trojan.Encoder.26996 — 17.98%
Trojan.Encoder.3953 — 12.72%
Trojan.Encoder.37369 — 3.51%
Trojan.Encoder.35534 — 3.51%
Trojan.Encoder.30356 — 2.63%

Dangerous websites

Over the course of the first month of 2024, Doctor Web’s malware analysts discovered more fraudulent finance-themed websites. These attracted potential victims by offering them the opportunity to become investors or to make money using certain supposedly profitable platforms. Malicious actors pass off such sites as official Internet resources of famous companies, like banks and oil and gas sector firms, to name a few. For this, fraudsters copy or use similar logos, names, and color schemes.

On such sites, visitors are asked to answer several questions and then to provide their personal data (first and last name, mobile phone number, email address, etc.) to “access” the service. All this confidential information may end up in third-party hands and could subsequently be used for illegal purposes.

The screenshot below depicts an example of one such fraudulent website. It informs the visitor that every Russian citizen can allegedly make 150,000 rubles per month. To start “earning money”, the user must provide their contact details.

Next, to “access” the investing platform, supposedly created in honor of the 100th anniversary of the USSR, the user is asked to take a survey and provide their personal data again:

At the end, the website tells the victim to wait for a call from “one of its employees”:

Malicious and unwanted programs for mobile devices

According to detection statistics collected by Dr.Web for Android, in January, users were most likely to encounter Android.HiddenAds adware trojans, whose activity increased by 54.45%. The number of attacks by banking trojans of various families and by Android.Spy spyware trojans also increased, by 17.04% and 11.16%, respectively. Meanwhile, the activity of Android.Locker ransomware trojans decreased by 0.92%.

Among the threats discovered on Google Play by Doctor Web’s malware analysts were more trojan apps from the Android.FakeApp family. In addition, our specialists detected programs containing the built-in unwanted adware module Adware.StrawAd, which belongs to a new family.

The following January events involving mobile malware are the most noteworthy:

  • An increase in the activity of Android.HiddenAds adware trojans,
  • An increase in the number of banking trojan and spyware trojan attacks,
  • A decrease in the number of ransomware attacks,
  • The emergence of new malware and adware on Google Play.

To find out more about the security-threat landscape for mobile devices in January, read our special overview.