March 15, 2022
In January, the number of user requests to decrypt files affected by encoders increased by 72.15% compared with December. Trojan.Encoder.26996 was the most active, accounting for almost one-third of all incidents.
Principal trends in January
- Malware activity decrease
- Adware remains among the top threats.
- User requests to decrypt files affected by encoders witness an increase.
According to Doctor Web’s statistics service
The most common threats in December:
- Adware.SweetLabs.5
- An alternative App Store and Add-On for Windows GUI (graphical user interface) by the creators of Adware, like “OpenCandy".
- Adware.Downware.19998
- Adware.Downware.19985
- Adware that often serves as an intermediary installer of pirate software.
- Adware.OpenCandy.247
- A family of applications that install other software on the system.
- Trojan.AutoIt.961
- A malicious utility program written in AutoIt language and distributed as part of a miner or RAT trojan.
Statistics for malware discovered in email traffic
- W97M.DownLoader.2938
- A family of downloader trojans that exploit vulnerabilities in Microsoft Office documents. It can also download other malicious programs to a compromised computer. It’s designed to download more malware onto a compromised computer.
- BackDoor.SpyBotNET.25
- A backdoor written in VB.NET and designed to operate with a file system (to copy, create, delete catalogs, etc.), terminate processes, and take screenshots.
- HTML.FishForm.273
- A web page spread via phishing emails. It is a bogus authorization page that mimics well-known websites. The credentials a user enters on the page are sent to the attacker.
- Exploit.ShellCode.69
- A malicious Microsoft Office Word document that exploits the CVE-2017-11882 vulnerability.
- Trojan.PackedNET.1156
- Packed malware.
Encryption ransomware
User requests to decrypt files affected by encoders increased by almost 72.15% compared to December.
- Trojan.Encoder.26996 — 32.11%
- Trojan.Encoder.3953 — 12.55%
- Trojan.Encoder.567 — 7.75%
- Trojan.Encoder.11539 — 2.21%
- Trojan.Encoder.30356 — 1.48%
Dr.Web Security Space for Windows protects against encryption ransomware
Dangerous websites
In January 2022, fraud investment sites drew Doctor Web’s analysts’ attention. These sites disguise themselves as some of the biggest oil companies and banks. Fraudsters offer potential victims opportunities to "achieve their dreams" and "start earning" via Gazprombank.
The screenshot shows a phishing site offering the user to take a test to gain access to the platform.
Malicious and unwanted programs for mobile devices
According to the detection statistics of Dr.Web anti-virus products for Android, last month the trojan Android.Spy.4498 became the most frequent "guest" on Android devices. This malware steals information from other applications’ notifications. It can also download other applications and show dialog boxes with a lot of content. Advertising trojans are still the leaders in terms of the number of detections. At the same time, we’ve seen a decrease in the number of attacks by trojans capable of downloading and executing arbitrary code.
In January, Doctor Web threats analysts detected new threats in the Google Play catalog. Among them are regular fraudulent programs from the Android.FakeApp family. They also found Trojans from the Android.Subscription family. These trojans subscribe users to paid services. Lastly, they found a Trojan that steals the data needed to hack into Facebook accounts. The last one was added to VMS as Android.PWS.Facebook
The following January events related to mobile malware are the most noteworthy:
- Wide distribution of a spying trojan Android.Spy.4498;
- High activity of adware trojans;
- Decreased activity of trojans that download and execute arbitrary code;
- New malicious applications emerge on Google Play.
Find out more about malicious and unwanted programs for mobile devices in our special overview.
