Doctor Web’s November 2022 virus activity review

December 23, 2022

An analysis of Dr.Web Anti-Virus November statistics revealed an 8.58% decrease in the total number of threats detected, compared to October. At the same time, the number of unique threats increased by 3.27%. Adware was again the most common threat. In email traffic, malicious scripts, trojan downloaders, adware, and threats that exploit various vulnerabilities dominated.

The number of user requests to decrypt files affected by encoders decreased by 6.8%, compared to October. Victims of encoders were most often targeted by Trojan.Encoder.26996, which caused 28.24% of all recorded incidents. The second most common encoder malware was Trojan.Encoder.3953, with a share of 22.19%. The culprit behind 2.88% of the cases where user file damage was detected was Trojan.Encoder.567, which took third place.

During November, Doctor Web’s malware analysts discovered a large number of new threats on Google Play. Among them were malware that loaded fraudulent websites and trojans that subscribed victims to paid services.

Principal trends in November

  • A decrease in the total number of detected threats
  • A decrease in the number of user requests to decrypt files affected by encoder trojans
  • Once again threats were identified on Google Play

According to Doctor Web’s statistics service

The most common threats of the month:

Adware.SweetLabs.5
An alternative app store and an add-on for Windows GUI (graphical user interface) from the creators of “OpenCandy” adware.
Adware.Downware.20091
Adware.Downware.20088
Adware.Downware.20261
Adware.Downware.20272
Adware that often serves as an intermediary installer of pirated software.

Statistics for malware discovered in email traffic

JS.Inject
A family of malicious JavaScripts that inject a malicious script into the HTML code of webpages.
W97M.DownLoader.2938
A family of downloader trojans that exploit vulnerabilities in Microsoft Office documents. They can also download other malicious programs to a compromised computer.
Exploit.CVE-2018-0798.4
An exploit designed to take advantage of a Microsoft Office software vulnerability and allow an attacker to run arbitrary code.
Trojan.Packed2.44597
A downloader trojan written in C#. It downloads a wide range of malicious apps on targeted computers. Among them are members of such families as Formbook, SnakeKeylogger, AgentTesla, Redline, and AsyncRAT, to name a few.
Adware.Downware.19998
Adware that often serves as an intermediary installer of pirated software.

Encryption ransomware

In November, the number of requests to decrypt files damaged by encoder trojans decreased by 6.8%, compared to the previous month.

Dangerous websites

In November, Doctor Web’s Internet analysts continued detecting phishing mailings and attacks involving various fraudulent websites. Once again, these included sites that misled users with allegedly beneficial offers, such as receiving free lottery tickets or participating in various promotions from famous companies and online stores.

The screenshots below depict an example of a fraudulent site which, based on a script, simulates a lottery draw and informs users of their win. To “receive” the money, a potential victim is asked to pay a commission or a fee. If the user believes this and agrees to pay, their money will end up in the scammers’ pockets. Moreover, the user will risk disclosing their bank card information.

The next image shows a fake site of a large Russian retailer, where a potential victim of the scammers is offered the chance to participate in a New Year’s promotion with the prospect of receiving a gift. First, the user must take a poll and then play a mini game and guess which box contains the prize. Similar to the previous example, the win in this case is also predetermined. To “obtain” the gift, the user must share the link they are given with a certain number of contacts or groups on WhatsApp messenger. The trick here is that such a link will lead not to the current site as the victim would assume, but to some other site instead. Among others, this could be a website with phishing or ads, or a site that distributes malicious software. Once the misled user shares the dubious website’s link with many of their contacts, they will see a message with false information stating that their application to participate in the promotion is allegedly being processed.

Malicious and unwanted programs for mobile devices

According to detection statistics collected by Dr.Web anti-virus for Android, the activity of banking trojans and adware-displaying malware increased in November. At the same time, users were less likely to come across apps with built-in unwanted adware modules.

Over the course of last month, our malware analysts discovered dozens of new malicious apps on Google Play. Among them were many fake apps from the Android.FakeApp family, which attackers use in various fraudulent schemes. Also discovered were trojans from the Android.Joker and Android.Subscription families—these subscribe victims to paid services.

The following November events involving mobile malware are the most noteworthy:

Find out more about malicious and unwanted programs for mobile devices in our special overview.