The page may not load correctly.
January 21, 2022
Among the email threats, the most popular were stealers and various backdoor modifications written in VB.NET. Cybercriminals were also actively distributing malicious PDFs, trojan downloaders, and web pages. These pages represent a credential entry form that simulates authorization on well-known sites. Some of the threats spread through mail accounted for programs that exploit various vulnerabilities in Microsoft Office documents.
In 2021, Doctor Web Virus Lab published several research pieces. One of them was the research of Spyder, a module backdoor for targeted attacks. Our experts recorded that the Winnti hacker group used this sample to attack corporations in Central Asia.
Last year, Doctor Web analysts also investigated targeted attacks on Russian research institutes. During the research, we uncovered the unauthorized presence of the APT group, whose activities remained hidden for almost 3 years.
However, cybercriminals have not limited themselves to the Windows platform. Android users were regularly attacked. Cybercriminals were actively distributing trojans in the Google Play catalog, and we also discovered the first trojans on AppGallery. The most popular threats to mobile devices were spying apps, banking trojans, malware downloaders, and trojans capable of executing code.
In March, Doctor Web specialists released large-scale research of a modular backdoor designed for targeted attacks. A Central Asian telecommunication company contacted our virus laboratory. We found that the Winnti hacker group had compromised their network. The backdoor we considered for targeted attacks, the BackDoor.Spyder.1, was remarkable because its code doesn’t perform direct malicious functions. One of the main issues with this trojan is that it functions discreetly in the infected system. It also establishes a connection with the control server and waits for operator commands.
A month later, Dr.Web specialists published another research. A Russian research institute asked us for help–employees noticed some technical problems that indicated the presence of malware on a local network server. Virus analysts found that the research institute was attacked by multiple backdoors, including BackDoor.Skeye and BackDoor.DNSep. It’s noteworthy that the network was first compromised back in 2017. Since then, it has faced numerous attacks by several hacker groups at once.
In the summer, Doctor Web shared information about the critical vulnerabilities in the Windows print manager. These vulnerabilities affected all popular versions of the operating system. Cybercriminals exploited the victims’ computers for their own purposes. For example, they downloaded malicious encoders demanding a ransom for decrypting corrupted files. The CVE-2021-34527 and CVE-2021-1675 vulnerabilities are called PrintNightmare. Official patches soon appeared for them both.
The massive introduction of vaccine QR codes marked the beginning of autumn. This technology allowed fraudsters to become more active. Cybercriminals often faked the Russian Federation Government Services Portal site (Gosuslugi). Cybercriminals often faked the Russian Federation Government Services Portal site (Gosuslugi). They designed phishing sites to steal people’s credentials, then used them to perform unauthorized actions on behalf of the victims. The number of phishing sites has increased unexpectably by almost 30%. Hundreds of fake sites fill the Dr.Web SpIDer Gate database during the most active days.
The coronavirus agenda maintenance continued in December. Cybercriminals created vaccination QR code generators. Users who downloaded the malicious programs received several trojans at once. The downloaded archive contained an executable file, which the miner and clipper delivered to the victim's computer.
In 2021, the Log4j 2 logging library vulnerability also threatened users. The most critical vulnerability, Log4Shell (CVE-2021-44228), is based on Log4j 2 log message generation. When the messages are generated in a specific way, a call to a server controlled by the attackers occurs, followed by the code’s execution. Through these vulnerabilities, cybercriminals spread miners, backdoors, and Trojan-DDoS. Our products successfully detect the malware payload that penetrates devices through the Log4j 2 vulnerabilities.
An analysis of Dr.Web’s statistics showed that in 2021, users were most often exposed to trojan droppers that installed other malicious applications. Various backdoors and trojans designed for hidden mining also threatened users throughout the years.
Bankers, backdoors, and malware that exploit office document vulnerabilities dominated email traffic. Besides that, cybercriminals sent fake entry forms and malicious PDF files in phishing emails.
In 2021, Doctor Web’s virus laboratory registered 26.6% fewer requests to decode files encoded by trojan ransomware than in 2020. Let’s see the request dynamics for 2021 below.
In 2021, Doctor Web analysts found many dangerous sites, most of which were related to QR codes. In May, we discovered pages that allowed users to buy fake documents, like vaccination certificates. The fraudsters have even published articles on their sites to expose other cybercriminals to disguise their illegal activities.
Since then, attackers have stuck to the coronavirus topic, creating new websites and resources every month for users to buy or generate a QR code. In the summer, Doctor Web specialists found private chats where cybercriminals offer QR codes for sale. Fraudsters confirm the procedure’s "safety” with enthusiastic reviews from those who have allegedly already bought a vaccination certificate.
In the wake of the coronavirus theme, attackers were distributing fake QR code generators. We should remember that we can’t receive the vaccination certificate in any special way. It’s only generated through a link to a specific page of the Gosuslugi portal or the information system of a constituent entity of the federation concerning a citizen's immunization fact.
According to the stats Dr.Web for Android anti-virus products, in 2021, Android OS users most often encountered trojans of the Android.HiddenAds family. These displayed all kinds of advertisements. They accounted for more than 83% of all malicious applications detected on protected devices. Trojans have become widespread, with their main function being to download other programs and download and run arbitrary code. Compared to 2020, the banking trojans’ activity has increased by 43%.
The most active programs among the unwanted applications were those of the Program.FakeAntiVirus family. These imitate anti-virus operations. They allow users to purchase their full versions, apparently to cure detected infections. We also found various software that allows you to track their owners on Android devices.
The number of detected potentially dangerous tools has increased by more than 53%. They include tools like Tool.SilentInstaller, which can launch Android applications without installing them. While they may be used for harmless purposes they can also distribute trojans. We detected all kinds of adware modules and adware programs quite often–their share exceeded 10% of all detected threats.
Over the past month, Doctor Web virus analysts have discovered many threats on the Google Play catalog. Among them are fake applications of the Android.FakeApp family, which cybercriminals use in many fraudulent schemes. We also found the Android.Joker Trojans, which can download and execute arbitrary code and automatically subscribe users to paid mobile services. We also detected adware trojans, adware apps, and banking trojans. Besides that, cybercriminals also distributed malicious programs from the Android.PWS.Facebookfamily that stole data necessary to hack Facebook accounts.
We discovered trojans in the AppGallery catalog for Huawei's Android devices for the first time. They were familiar trojans of the Android.Joker family and the malicious module Android.Cynos.7.origin, which collected users' mobile numbers and displayed ads.
Among the threats our specialists found in 2021, was the Android.Triada.4912 trojan. Cybercriminals built it into one of the APKPure application versions, which is the client software for the Android programs alternative catalog of the same name. It downloaded various websites, other malicious modules, and various applications. What’s more, Doctor Web virus analysts have discovered a new family of modular banking Trojans: Android.BankBot.Coper. They intercept and send SMS messages, execute USSD requests, lock and unlock the screen, show push notifications and phishing windows, can uninstall programs, intercept information entered on the keyboard, and perform other malicious actions.
Last year, Doctor Web also analyzed the popular children’s smartwatch models in Russia, looking for possible vulnerabilities. The research showed that the safety level in these devices is unsatisfactory. For example, one of the models had pre-installed trojan applications.
First of all, the past year has shown how quickly cybercriminals can adapt to one or another relevant topic. We should expect even more sophisticated scams involving covid or the coming year’s other major themes.
What’s more, adware trojans, all kinds of ransomware, and other malware will remain active. Corporations and big companies should be more mindful of information security in this new year. As practice shows, neglecting digital security rules greatly increases the risks of compromising a corporate network. We’ll remember the year 2021 for its numerous "high-profile" incidents with ransomware trojans spreading through the Ransomware as a Service (RaaS) model. This trend will continue to gain momentum.
Android OS device users should also pay attention. The number of threats in the official app catalogs is expected to increase.