The page may not load correctly.
January 19, 2021
In 2020, one of the most common threats users faced en masse were trojan droppers, which distribute and install other malware and numerous advertising applications that interfere with the normal functioning of devices. Various modifications of trojan downloaders running executable files with a set of malicious functions were also a common threat. In addition, hacker groups were actively distributing trojan programs that exploit the functionality of popular remote desktop software. The Doctor Web virus laboratory registered several RAT malware attacks, which allows attackers to remotely control infected computers and deliver a malicious payload.
Also this year, Doctor Web analysts investigated several large-scale, targeted attacks aimed at the corporate sector. During the investigation, several trojan families that infected the computers of various state institutions were discovered.
The most active threats among mail traffic included banking trojans, stealers, various modifications of backdoors written in VB.NET, as well as malicious scripts that redirected users to dangerous and unwanted websites. The attackers also used email to actively distribute programs that exploit vulnerabilities in Microsoft Office documents.
Even though most of the detected malware targeted Windows users, computer owners operating macOS were also at risk. During the year, macOS users were continually threatened by trojan encoders, spyware and rootkits that hid running processes. Disguised as various common and even useful applications, adware installers were also actively distributed. They functioned to place potentially dangerous payload onto computers. Users who disabled the built-in security systems and downloaded applications from untrusted sources were most at risk.
Android mobile device users were also threatened by adware, spyware and banking trojans, as well as all sorts of malicious droppers that downloaded other malicious applications and executed arbitrary code. Much of the malware was distributed via the Google Play catalog.
In February, Doctor Web virus analysts reported that the VSDC video editor’s download link had been compromised on the popular software platform CNET. Instead of the genuine program, visitors received a modified installer bundled with malicious software, allowing cybercriminals to access the infected computers remotely. The remote access was accomplished using the TeamViewer components and the BackDoor.TeamViewer malicious library, which established an unauthorized connection. Using the backdoor, attackers were able to deliver payload as other malicious applications to infected devices.
In the summer 2020, the Doctor Web virus laboratory released a large-scale study of malware used in APT attacks on government institutions in Kazakhstan and Kyrgyzstan. During the investigation, analysts discovered a previously unknown family of multi-module trojan programs called XPath, designed to gain entry into computers and then perform various malicious actions at the command of intruders. The trojan used a complex infection mechanism in which each program component corresponds to a specific stage of malware operation. The XPath family also has a rootkit for hiding network activity and any trace of its presence within a compromised system.
The Doctor Web virus laboratory later received new samples of malware found on the infected computers in the local network of a Kyrgyzstan state institution. The most interesting finding was a multi-module backdoor called ShadowPad, which according to our data, may be an evolution of another multi-module APT backdoor — PlugX, also previously found lurking in compromised state networks. Code similarities between the ShadowPad and PlugX malware samples, as well as some intersections in their network infrastructure, were covered in a separate study.
In September, Doctor Web reported the detection of a spear phishing campaign using social engineering, aimed at several Russian fuel and energy companies. For the initial infection, attackers used emails with malicious attachments. Upon being opened, backdoors were installed that allowed cybercriminals to take control of infected computers. Analysis of documents, malware, and the infrastructure used allowed us to conclude one of the Chinese APT groups carried out the attack.
In November, Doctor Web virus analysts detected a phishing attack targeting corporate users. The emails in question contained trojan malware that covertly install and launch Remote Utilities software. The software components were also included in the attachment. The attackers used social engineering to trick possible victims into opening the malicious attachments.
This email was disguised as an official notification requesting the recipient appear at the Prosecutor's office for investigative actions in a criminal case.
Analysis of Dr.Web’s statistics showed that in 2020, users were most often exposed to trojan droppers and downloaders that installed other malicious applications and executed arbitrary code. Additionally, trojans and scripts that covertly mine cryptocurrency on devices continued to threaten users.
Email traffic was dominated by bankers, backdoors and malware that exploit vulnerabilities in Microsoft Office programs. In addition, cybercriminals distributed scripts for concealed mining, as well as for phishing and redirecting users to unwanted and potentially dangerous sites.
In 2020, Doctor Web’s virus laboratory registered 18.4% fewer requests to decode files encoded by trojan ransomware than in 2019. See the request dynamics for 2020 below.
SpIDer Gate's Parental (Office) Control and Web Antivirus databases are regularly updated with new addresses of non-recommended and potentially dangerous websites. Many fraudulent and phishing resources, as well as malware distributing pages can be found there. The largest number of such websites was recorded in the third quarter, dropping to the lowest in the second quarter. See the dynamics of the updates to the databases over the last year below.
In February, Doctor Web experts warned users about the launch of a large-scale phishing campaign on Instagram. The campaign was based on messages to users about a one-off payment to all Russian citizens. Fraudsters provided information as extracts from news releases, using relevant fragments from real broadcasts. With that, the advertising video has additional frames showing someone using a phishing website and browsing its pages, which were presented as official resources from the Russian Ministry of Economic Development.
During 2020, Doctor Web’s Internet analysts identified numerous fraudulent websites presented as official resources of state organizations. Cybercriminals most commonly offered non-existent compensation to targets or proposed that they invest in large companies.
To get the promised benefits, visitors were most often coaxed into entering their personal data including banking card details and proceed with the advance payment. Thus, victims lost money and unknowingly transferred their personal data to scammers.
In 2020, Android devices users were threatened by various malicious and unwanted applications. For example, users often encountered all modifications of adware trojans displaying obnoxious notifications and banners. Many malicious programs of the Android.HiddenAds family were distributed via the Google Play catalog, including other channels. During the year, Doctor Web’s virus analysts identified dozens of these trojans on Google Play, which were downloaded by more than 3,300,000 users. Malicious applications of this type accounted for more than 13% of the total number of threats detected on Android devices.
In addition, in March, virus analysts discovered a multifunctional trojan on Google Play — Android.Circle.1, which received commands using BeanShell scripts and could also display ads. It was able to follow the links to download websites and click on banners placed there. Subsequently, the virus laboratory found other malware from this family.
Various trojan downloaders were also a common threat. They included a large number of malicious apps from the Android.RemoteCode family that downloaded and executed arbitrary code. This type of malware accounted for more than 14% of the total number of threats detected by Dr.Web on Android devices. In addition, trojans of the Android.DownLoader and Android.Triada families, which were able to download and install other applications, also threatended Android device users.
Potentially dangerous utilities that allow apps to run without installation were also widespread. They included the Tool.SilentInstaller and Tool.VirtualApk utilities. Malware creators actively used these tools to distribute various software, receiving rewards from partner services.
To spread malicious and unwanted applications, cybercriminals actively exploited the COVID-19 pandemic. For example, they created various fraudulent websites where victims were tricked into installing reference or medical apps related to the coronavirus, as well as applications for obtaining welfare assistance. In fact, spyware, various bankers, ransomware, and other malware were downloaded from such websites to the Android devices.
During the year, Doctor Web’s virus analysts identified many malicious applications of the Android.FakeApp family, designed to load fraudulent websites, in the Google Play catalog. The attackers passed off these trojans as reference books with information about social payments and compensation. Given the pandemic and the harsh economic situation, users were naturally interested in this kind of information, and many Android device users fell for the trick.
Also in 2020, the virus laboratory uncovered numerous Android applications that enable owner tracking. These apps could be used for cyber espionage and collecting a wide range of personal information — from correspondence, photos and documents, to personal contact lists, device location, contact information, phone conversations, etc.
The past year has demonstrated the steady spread of not only mass malware, but also APT threats faced by organizations worldwide.
Digital ransomware is expected to continue spreading in 2021, with targeted attacks using encryption ransomware increasingly targeting private companies and the corporate sector. The expansion of the RaaS model (Ransomware as a Service) has facilitated this development. Possible reductions in information security costs may also lead to the number of such incidents rising rapidly.
Banking and adware trojans, miners and encoders, as well as spyware will continue to threaten users in 2021. Besides that, new fraudulent schemes and phishing campaigns are likely to emerge with the help of attackers who will try to obtain money and personal data.
Owners of devices running macOS, Android, Linux, and other OS will remain targets and malware will continue to spread to these platforms. Attacks on IoT devices are also expected to become more frequent and sophisticated. So, it’s safe to say that cybercriminals will continue using any means necessary to continue developing these attacks. That being said, users need to comply with information security rules and apply reliable anti-virus tools on all devices.
Doctor Web is the Russian developer of Dr.Web anti-virus software. Dr.Web anti-virus software has been developed since 1992.
2-12А, 3rd street Yamskogo polya, Moscow, Russia, 125124
Doctor Web in social networksLink accounts