My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets


Doctor Web’s September 2023 virus activity review

October 26, 2023

An analysis of Dr.Web September detection statistics revealed a 0.44% decrease in the total number of threats detected, compared to August. The number of unique threats also decreased— by 11.98%. Adware trojans and adware programs again were among the most popular threats. In email traffic, malicious scripts, phishing documents, and software that exploit vulnerabilities in Microsoft Office documents were detected most often.

The number of user requests to decrypt files affected by encoder trojans decreased by 19.64%, compared to the previous month. The most common encoder in September was Trojan.Encoder.26996, which accounted for 24.64% of incidents recorded. The August leader, Trojan.Encoder.3953, ranked second; users encountered this trojan in 19.43% of cases. Third place was taken by Trojan.Encoder.35534, with a share of 5.21%.

Over the course of September, new threats were detected on Google Play. Among them were adware trojans, malware that subscribed users to paid services, and trojan apps that attackers use for fraud. Moreover, Doctor Web has published analytical materials covering the Android.Pandora.2 and Android.Spy.Lydia malicious programs. The former is a backdoor that infects Smart TVs and TV boxes based on the Android TV operating system and performs DDoS attacks at the command of threat actors. The latter is a spyware trojan targeting Iranian users.

Principal trends in September

  • A decrease in the total number of detected threats
  • A decrease in the number of user requests to decrypt files affected by encoder trojans
  • The emergence of new malware on Google Play

According to Doctor Web’s statistics service

According to Doctor Web’s statistics service

The most common threats in September:

Adware that often serves as an intermediary installer of pirated software.
An alternative app store and an add-on for Windows GUI (graphical user interface) from the creators of “OpenCandy” adware.
The detection name for a freeware browser that was created with an Electron framework and has a built-in adware component. This browser is distributed via various websites and loaded onto users’ computers when they try downloading torrent files.
The detection name for a malicious component of the WinSafe browser extension. This component is a JavaScript file that displays intrusive ads in browsers.

Statistics for malware discovered in email traffic

Statistics for malware discovered in email traffic

A family of malicious JavaScripts that inject a malicious script into the HTML code of webpages.
Microsoft Word phishing documents that target users who want to become investors. They contain links to fraudulent websites.
A family of downloader trojans that exploit vulnerabilities in Microsoft Office documents. They can also download other malicious programs to a compromised computer.

Encryption ransomware

In September, the number of requests to decrypt files affected by encoder trojans decreased by 19.64%, compared to August.

Encryption ransomware

The most common encoders of September:

Dangerous websites

In September, Doctor Web’s Internet analysts noted the high activity of cyber fraudsters. For example, cases were detected of spam emails being distributed that were allegedly sent by tax authorities. Such emails contained a link to a website where visitors were offered the opportunity to verify whether organizations and companies were complying with the requirements of the Russian Federation’s law on personal data. For this, users had to take a short survey and then provide personal data “to receive the results and get a free expert consultation”.

Опасные сайты

The screenshot above shows how one such website asks visitors to “fill out the form in 1 minute and receive a report with an expert’s recommendations on personal-data protection – for free”.

After answering the preliminary survey questions, the user is asked to provide a phone number and an email:

Опасные сайты

Our specialists also observed cases of malicious actors distributing web links to phishing sites via the Telegraph blog platform. The attackers publish posts on this platform, composing them in such a way that they look like confirmation forms for registering new accounts in various online services. When potential victims click on the element containing the text “CONFIRM”, they are redirected to phishing sites. Among them are fraudulent investment-themed sites.

Опасные сайты

In addition, our specialists detected more fake sites where users allegedly could pay for public utilities. Cybercriminals use these to collect their victims’ personal data. The screenshot below depicts an example of one such site. It imitates the appearance of the web portal of one electricity supply organization. Visitors allegedly can use it to log into their account to pay their bills.

Опасные сайты

Malicious and unwanted programs for mobile devices

In September 2023, Doctor Web published research on the Android.Pandora.2 backdoor, which infects Smart TVs and TV boxes running the Android TV operating system. Cybercriminals use this malware to create a botnet of infected devices and perform DDoS attacks.

Moreover, our malware analysts informed users about the Android.Spy.Lydia trojan apps, which implement spyware functionality and target Iranian users.

According to detection statistics collected by Dr.Web for Android, in September, Android device owners encountered Android malware less often. At the same time, the number of adware detections increased. Over the course of last month, new threats were uncovered on Google Play. Among them were adware trojans from the Android.HiddenAds family, Android.Joker trojans, which subscribe users to paid services, and Android.FakeApp malicious apps used by fraudsters.

The following September events involving mobile malware are the most noteworthy:

To find out more about the security-threat landscape for mobile devices in September, read our special overview.