September 29, 2017
In September, numerous media outlets reported that cybercriminals had actively started exploiting user browsers to illegally mine cryptocurrencies. The most popular cryptocurrency among cybercriminals is Monero (XMR).
The miner, written in JavaScript, was added to the Dr.Web virus databases under the name Tool.BtcMine.1046. When users visited certain websites, the JavaScript integrated into the webpage code would start mining the cryptocurrency. According to user reports, at that moment the CPU load reached 100% and returned to normal values only after they closed the browser window. It is hard to say whether this incident is the result of the websites being hacked or of website owners deliberately injecting the miner into their sites. Currently, when users try to visit webpages containing such scripts, Dr.Web Anti-virus warns them that it has detected potentially dangerous content.
Soon thereafter one more similar instrument, this one dubbed Tool.BtcMine.1048, was added to the virus database. This miner was also written in JavaScript. Perhaps it was intended as an alternative to monetization via advertising. However, it was used without the explicit consent of website visitors. In other words, this technology can be used either legally or for criminal earnings. Such scripts can be injected into a website’s code not only by website owners but also with the assistance of unscrupulous advertisers or as a result of hacking. In addition, the function for mining cryptocurrency can also be implemented in plugins that users install in their browsers.
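Because such scripts reach a page through the owner, an advertiser, or a compromise, a site owner's first check is an inventory of every script the page loads and where it comes from. The following is an added example, not code from Doctor Web or from the miners described above; the host names, the allowlist and the sample HTML are constructed placeholders.

```javascript
// Added example: inventory the <script> elements of a page so a site owner can
// spot scripts served from hosts they never approved (an ad partner's loader,
// or something injected after a compromise). Runs offline on constructed HTML.

const SITE_HOST = "example.org"; // assumed first-party host (placeholder)

// Constructed sample page: one first-party script, one inline script, and one
// external script from a host that is not on the allowlist.
const SAMPLE_HTML = `
<html><head>
<script src="https://example.org/js/app.js"></script>
<script src="//cdn.partner-ads.example/loader.js" async></script>
<script>window.dataLayer = window.dataLayer || [];</script>
</head><body></body></html>`;

// Hosts the site owner knowingly includes scripts from (constructed allowlist).
const ALLOWED_HOSTS = new Set([SITE_HOST, "cdn.example.net"]);

// Extract every <script ...> opening tag and resolve its src (if any) to a host.
function inventoryScripts(html, siteHost = SITE_HOST) {
  const tagRe = /<script\b([^>]*)>/gi;
  const srcRe = /\bsrc\s*=\s*["']([^"']+)["']/i;
  const result = [];
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const srcMatch = srcRe.exec(m[1]);
    if (!srcMatch) {
      // Inline scripts execute in the page's own origin; list them for review.
      result.push({ kind: "inline", host: siteHost });
      continue;
    }
    // Protocol-relative ("//host/...") and relative URLs resolve against the site.
    const url = new URL(srcMatch[1], `https://${siteHost}/`);
    result.push({ kind: "external", host: url.hostname, src: url.href });
  }
  return result;
}

// Hosts that serve scripts to the page but are not on the allowlist.
function unexpectedHosts(html, allowed = ALLOWED_HOSTS) {
  const hosts = inventoryScripts(html)
    .filter((s) => s.kind === "external" && !allowed.has(s.host))
    .map((s) => s.host);
  return [...new Set(hosts)];
}

console.log("scripts:", inventoryScripts(SAMPLE_HTML));
console.log("unexpected hosts:", unexpectedHosts(SAMPLE_HTML));
```

Run the inventory against a saved copy of each page (or the live HTML fetched from the server) and diff the host list over time; a new host that nobody on the team added is the signal to investigate.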
Also in September, security specialists detected vulnerabilities in the Bluetooth protocol stack, and Doctor Web analysts discovered that cybercriminals were using the Internet of Things (IoT) for mass spam mailings.
Doctor Web has already published an article about the malicious program Linux.ProxyM, which launches a SOCKS proxy server on the Linux devices it infects. Builds of this Trojan exist for devices with the following architectures: x86, MIPS, MIPSEL, PowerPC, ARM, SuperH, Motorola 68000, and SPARC. This means the Trojan is capable of operating on numerous “smart” devices, such as routers, set-top boxes, etc. Virus analysts have established that cybercriminals are using infected devices to distribute spam that advertises adult content resources. A device infected with Linux.ProxyM sends on average about 400 emails per day. The activity of this botnet is illustrated in the graph below:
Most of the devices infected with Linux.ProxyM that are being used to carry out the attacks are from Brazil. The United States and Russia were ranked second and third respectively.
More information about Linux.ProxyM can be found in an article published by Doctor Web.
In September, cases involving the following ransomware modifications were registered by Doctor Web’s technical support service:
During September 2017, 298,324 URLs of non-recommended websites were added to the Dr.Web database.
| August 2017 | September 2017 | Dynamics |
|---|---|---|
| +275,399 | +298,324 | +8.32% |
In September, information surfaced that a group of dangerous vulnerabilities in Bluetooth protocol implementations, collectively named BlueBorne, had been identified. Various devices, including Android smartphones and tablets, were affected. These vulnerabilities allow criminals to gain full control over attacked devices, execute arbitrary code, and steal confidential information. Also in the past month, Google Play was infiltrated by the Trojan Android.BankBot.234.origin, which is designed to steal bank card information.
Among the most notable September events related to mobile malware:
Find out more about malicious and unwanted programs for mobile devices in our special overview.