An analysis of Dr.Web anti-virus detection statistics for February 2024 revealed a 1.26% increase in the total number of threats detected, compared to January. At the same time, the number of unique threats decreased by 0.78%. Once again various ad-displaying trojans and unwanted adware programs occupied the leading positions in terms of the number of detections. Moreover, malicious apps that are distributed with other threats to make them more difficult to detect remained highly active. In email traffic, malicious scripts, phishing documents, and programs that exploit vulnerabilities in Microsoft Office software were most commonly detected.
The number of user requests to decrypt files affected by encoder trojans decreased by 7.02%, compared to the previous month. The malware families most commonly behind these ransomware attacks were Trojan.Encoder.3953 (18.27% of incidents), Trojan.Encoder.37369 (9.14% of incidents), and Trojan.Encoder.26996 (8.12% of incidents).
In the mobile threats department, Android.HiddenAds adware trojans were again the most commonly detected malware, and their activity increased significantly.
Principal trends in February
- An increase in the total number of threats detected
- The predominance of malicious scripts and phishing documents in malicious email traffic
- A decrease in the number of user requests to decrypt files affected by encoder trojans
- An increase in the number of Android.HiddenAds adware trojans on protected devices
Encryption ransomware
In February 2024, the number of requests made to decrypt files affected by encoder trojans decreased by 7.02%, compared to January.
The most common encoders of February:
- Trojan.Encoder.3953 — 18.27%
- Trojan.Encoder.35534 — 9.14%
- Trojan.Encoder.26996 — 8.12%
- Trojan.Encoder.29750 — 0.51%
- Trojan.Encoder.37400 — 0.51%
Dangerous websites
In February 2024, Doctor Web’s Internet analysts continued to identify unwanted websites of various subject matter. For example, sites informing potential victims that some money transfers were allegedly waiting for them were popular with cybercriminals. To “receive” these funds, users must pay a bank transfer “commission”. Links to such websites are distributed in various ways, including via posts on the Telegraph blog platform.
Below is an example of one such publication. Potential victims are asked to “collect” the reward that they supposedly earned after participating in an online store survey:
Upon clicking on the “GET A PAYMENT” (“ОФОРМИТЬ ВЫПЛАТУ”) link, the user is redirected to a scam website of some non-existent “International Payment and Transfer System” (“Международная Система Платежей и Переводов”), where they are supposedly able to receive the promised funds:
To “receive” the money, the user must first provide personal information, such as their name and email address. Then, they need to pay a “commission” via the legitimate Faster Payments System (“Система быстрых платежей”, “СБП”, or “SBP”) so that the reward, which, in fact, does not exist, can be “transferred” to them. At the same time, the scammers ask the victim to pay the “commission” via an online bank, using a specified bank card number, even though the Faster Payments System allows transfers only by mobile phone number. In this case, the fraudsters may be deliberately exploiting the reputation of a money-transfer method that is gaining popularity in Russia, counting on the low financial literacy of users. If the victim agrees to pay the “commission”, they transfer their own money directly to the scammers’ bank card. However, it is possible that, in an attempt to steal users’ money, malicious actors will actually begin using the Faster Payments System in the future.