
Doctor Web’s November 2023 virus activity review

December 21, 2023

An analysis of Dr.Web anti-virus detection statistics for November revealed an 18.09% decrease in the total number of threats detected, compared to October. At the same time, the number of unique threats also decreased by 13.79%. Among the most commonly detected threats were unwanted adware programs, adware trojans, and malicious apps that are distributed along with other threats to make the latter more difficult to detect. Email traffic was dominated by phishing documents. Also commonly encountered were malicious scripts, exploits for vulnerabilities in Microsoft Office delivered as documents, and various downloaders that fetch other malware onto target computers.

The number of user requests to decrypt files affected by encoder trojans increased by 6.98%, compared to October. Most often, users encountered Trojan.Encoder.3953, which accounted for 21.70% of all incidents recorded. In 21.20% of cases, users were attacked by Trojan.Encoder.26996. With a share of 8.94%, Trojan.Encoder.35534 again came in third.

In November, Doctor Web’s malware analysts discovered new malicious programs on Google Play. Among them were over 20 fake apps engaged in fraudulent schemes and a trojan that subscribed Android device owners to paid services.

Principal trends in November

  • A decrease in the total number of threats detected
  • A predominance of phishing documents in malicious email traffic
  • An increase in the number of user requests to decrypt files affected by encoder trojans
  • The emergence of new malicious programs on Google Play

According to Doctor Web’s statistics service

The most common threats in November:

Adware.Downware.20091
Adware that often serves as an intermediary installer of pirated software.
Adware.SweetLabs.5
An alternative app store and an add-on for Windows GUI (graphical user interface) from the creators of “OpenCandy” adware.
Adware.Siggen.33194
The detection name for a freeware browser that was built with the Electron framework and has a built-in adware component. This browser is distributed via various websites and loaded onto users’ computers when they try to download torrent files.
Trojan.AutoIt.1224
The detection name for a packed version of the Trojan.AutoIt.289 malicious app, written in the AutoIt scripting language. This trojan is distributed as part of a group of several malicious applications, including a miner, a backdoor, and a self-propagating module. Trojan.AutoIt.289 performs various malicious actions that make it difficult for the main payload to be detected.
Trojan.BPlug.3814
The detection name for a malicious component of the WinSafe browser extension. This component is a JavaScript file that displays intrusive ads in browsers.

Statistics for malware discovered in email traffic

JS.Inject
A family of malicious JavaScripts that inject a malicious script into the HTML code of webpages.
W97M.Phishing.44
W97M.Phishing.53
W97M.Phishing.63
Microsoft Word phishing documents that target users who want to become investors. They contain links to fraudulent websites.
Exploit.CVE-2018-0798.4
An exploit designed to take advantage of Microsoft Office software vulnerabilities and allow an attacker to run arbitrary code.

Encryption ransomware

In November, the number of requests to decrypt files affected by encoder trojans increased by 6.98%, compared to October.

The most common encoders of November:

Trojan.Encoder.3953 — 21.70%
Trojan.Encoder.26996 — 21.20%
Trojan.Encoder.35534 — 8.94%
Trojan.Encoder.37369 — 3.40%
Trojan.Encoder.35067 — 2.98%

Dangerous websites

In November, Doctor Web’s Internet analysts detected no significant changes in cyberfraudster activity. Threat actors again tried luring potential victims to all sorts of fake websites, among which fraudulent investment sites and sites offering “free” lottery tickets and chances to participate in prize “draws” remained the most popular.

In the case of the former, users are encouraged to become investors, which requires them to provide their personal data. In the case of the latter, participating in so-called free lottery draws and online contests always ends with a “win”; to collect the prize, users allegedly need to pay a commission first.

An example of a phishing site where a visitor is invited to become an investor:

An example of a fraudulent website that simulates a lottery drawing:

The user allegedly won 314,906 rubles and can go on to receive their winnings:

Malicious and unwanted programs for mobile devices

According to detection statistics collected by Dr.Web for Android, in November, Android.HiddenAds and Android.MobiDash adware trojans were detected less often on protected devices. Moreover, users were less likely to encounter banking trojans and malicious spyware programs.

Last month, Doctor Web’s specialists discovered many new malicious apps from the Android.FakeApp family, which malicious actors deployed to execute various fraudulent schemes. In addition, the specialists uncovered the Android.Subscription.21 trojan, which subscribed users to paid services.

The following November events involving mobile malware are the most noteworthy:

  • A decrease in adware-trojan application activity
  • A decrease in banking-trojan and spyware app activity
  • The emergence of new malicious programs on Google Play

To find out more about the security-threat landscape for mobile devices in November, read our special overview.