Doctor Web’s December 2021 virus activity review

January 28, 2022

Our December analysis of Dr.Web’s statistics revealed a 34% increase in the total number of threats compared to the previous month. The number of unique threats decreased by 15%. Nonetheless, adware still made up the majority of detected threats. These threats manifested with different types of malware. A variety of malware, including backdoors, was most often distributed in mail traffic.

In December, the number of user requests to decrypt files affected by encoders decreased by 41.3% compared with November. Trojan.Encoder.26996 was the most active, accounting for almost one-third of all incidents.

Principal trends in December

  • Malware activity increased.
  • Adware remains among the top threats.

According to Doctor Web’s statistics service


The most common threats in December:

Adware.SweetLabs.5
An alternative app store and add-on for the Windows GUI (graphical user interface) from the creators of adware such as "OpenCandy".
Adware.Downware.19998
Adware.Downware.19985
Adware that often serves as an intermediary installer of pirate software.
Adware.Elemental.17
Adware that spreads through file-sharing services as a result of link spoofing. Instead of normal files, victims receive applications that display advertisements and install unwanted software on their devices.
Adware.OpenCandy.247
A family of applications that install other software on the system.

Statistics for malware discovered in email traffic


W97M.DownLoader.2938
A family of downloader trojans that exploit vulnerabilities in Microsoft Office documents. They can download other malicious programs to a compromised computer.
BackDoor.SpyBotNET.25
A backdoor written in VB.NET. It can work with the file system (copy, create, delete directories, etc.), terminate processes, and take screenshots.
Trojan.DownLoader34.24881
A malicious program that downloads unwanted applications to a victim's computer.
HTML.FishForm.209
A web page spread via phishing emails. It’s a bogus authorization page that mimics well-known websites. The attacker receives the credentials a user enters on the page.
BackDoor.RatNet.2
A backdoor that reads passwords stored in the browser.

Encryption ransomware

User requests to decrypt files affected by encoders decreased by almost 41.3% compared to November.


Dangerous websites

In December 2021, Doctor Web’s analysts noticed an increase in fraudulent banking sites disguised as the official pages of Russian regional banks. Fraudsters create pages that are as similar as possible to official banking resources. These pages ask the victim to enter a login and password, and to install a "convenient mobile application".


The screenshot shows the main page of a phishing site. This site is based on the official website of Ak Bars Bank.

Malicious and unwanted programs for mobile devices

In December, Doctor Web analysts discovered adware trojans and other malicious programs that threatened Android users. These programs download applications capable of executing arbitrary code. At the same time, new threats were found in the Google Play catalog. These were fake programs that the attackers used in various fraudulent schemes, and trojans that subscribe victims to paid mobile services.

The following are the most noteworthy December events related to mobile malware:

Find out more about malicious and unwanted programs for mobile devices in our special overview.