Doctor Web’s June 2022 virus activity review

July 26, 2022

An analysis of Dr.Web’s June statistics revealed a 14.62% decrease in the total number of threats, compared to May. That said, the number of unique threats slightly increased, by 0.09%. In most cases, users continue encountering adware and unwanted software. In email traffic, malicious scripts, programs that exploit vulnerabilities in Microsoft Office programs, and trojan downloaders prevailed.

The number of user requests to decrypt files affected by encoders rose by 17.26%, compared to May. Trojan.Encoder.26996 was once again the most widespread encoder type, accounting for 33% of all incidents.

Principal trends in June

  • A decrease in the total number of detected threats
  • Adware remains one of the most widespread threats
  • An increased number of user requests to decrypt files affected by encoder trojans

According to Doctor Web’s statistics service

The most common threats of the month:

Adware.Downware.19998
Adware that often serves as an intermediary installer of pirated software.
Adware.OpenCandy.247
Adware.OpenCandy.248
A family of applications that install other software on a system, including other adware.
Adware.SweetLabs.5
An alternative app store and add-on for the Windows GUI (graphical user interface) from the creators of the “OpenCandy” adware.
Adware.Ubar.20
A torrent client designed to install unwanted programs on a user’s device.

Statistics for malware discovered in email traffic

W97M.DownLoader.2938
A family of downloader trojans that exploit vulnerabilities in Microsoft Office documents. They can also download other malicious programs to a compromised computer.
Exploit.CVE-2018-0798.4
An exploit designed to take advantage of a Microsoft Office software vulnerability and allow an attacker to run arbitrary code.
JS.Redirector.435
A malicious script that redirects users to webpages controlled by fraudsters.
HTML.FishForm.311
A webpage spread via phishing emails. It is a bogus authorization page that mimics well-known websites. The credentials a user enters on the page are sent to the attacker.
Trojan.DownLoader44.63714
A trojan application which downloads its payload from OneDrive cloud storage. Once downloaded, this file is decrypted and executed.

Encryption ransomware

The number of user requests to decrypt files affected by encoders increased by 17.26%, compared to May.

Dangerous websites

Last month, Doctor Web’s specialists continued tracing massive spam campaigns involving the distribution of emails containing links to fraudulent websites. In particular, fake websites of well-known oil and natural gas companies remain extremely popular among cybercriminals. When visiting such online resources, potential victims are invited to become investors, receive free assets or participate in prize draws. To do so, users are asked to “register” an account by providing their name, mobile phone number, and other personal information. In other cases, they need to pay for an allegedly required service, like a tax fee, a commission for transferring “winnings”, or currency conversion. In the end, victims of such scams receive nothing they were promised, and only end up sending confidential data to malicious actors and losing money.

An example of an unwanted email containing a link to a fraudulent website and step-by-step instructions for users:

Examples of fraudulent websites offering registration, after which users will allegedly have a profitable natural gas trading opportunity:

Malicious and unwanted programs for mobile devices

In June, we saw a continued decrease in the activity of the Android.Spy.4498 trojan, which hijacks information from other apps’ notifications. However, this malware remains the most widespread Android threat. The activity of adware trojans also decreased, compared to May.

During June, our specialists discovered a large number of malicious applications on Google Play. Among them were Android.HiddenAds adware trojans, Android.FakeApp fraudulent apps, and trojans from the Android.PWS.Facebook family. The latter are designed to steal users’ Facebook logins and passwords. In addition, our malware analysts uncovered other trojans from the Android.Joker family that subscribe victims to paid mobile services.

The following June events related to mobile malware are the most noteworthy:

Find out more about malicious and unwanted programs for mobile devices in our special overview.