Full Report
April 1, 2024

An analysis of Dr.Web anti-virus detection statistics for February 2024 revealed a 1.26% increase in the total number of threats detected, compared to January. At the same time, the number of unique threats decreased by 0.78%. Once again, various ad-displaying trojans and unwanted adware programs occupied the leading positions in terms of the number of detections. Moreover, malicious apps that are distributed with other threats to make them more difficult to detect remained highly active. In email traffic, malicious scripts, phishing documents, and programs that exploit vulnerabilities in Microsoft Office software were most commonly detected.

The number of user requests to decrypt files affected by encoder trojans decreased by 7.02%, compared to the previous month. The most common malware behind the ransom attacks were Trojan.Encoder.3953 (18.27% of incidents), Trojan.Encoder.37369 (9.14% of incidents), and Trojan.Encoder.26996 (8.12% of incidents).

In the mobile threats department, Android.HiddenAds adware trojans were again the most commonly detected malware, with highly increased activity.

## Principal trends in February

- An increase in the total number of threats detected
- The predominance of malicious scripts and phishing documents in malicious email traffic
- A decrease in the number of user requests to decrypt files affected by encoder trojans
- An increase in the number of Android.HiddenAds adware trojans on protected devices

## According to Doctor Web’s statistics service

The most common threats in February:

- Adware.Downware.20091: Adware that often serves as an intermediary installer of pirated software.
- Trojan.BPlug.3814: The detection name for a malicious component of the WinSafe browser extension. This component is a JavaScript file that displays intrusive ads in browsers.
- Trojan.StartPage1.62722: A malicious program that can modify the home page in the browser settings.
- Adware.Siggen.33194: The detection name for a freeware browser that was created with the Electron framework and has a built-in adware component. This browser is distributed via various websites and loaded onto users’ computers when they try downloading torrent files.
- Trojan.AutoIt.1224: The detection name for a packed version of the Trojan.AutoIt.289 malicious app, written in the AutoIt scripting language. This trojan is distributed as part of a group of several malicious applications, including a miner, a backdoor, and a self-propagating module. Trojan.AutoIt.289 performs various malicious actions that make it difficult for the main payload to be detected.

## Statistics for malware discovered in email traffic

- JS.Inject: A family of malicious JavaScripts that inject a malicious script into the HTML code of webpages.
- HTML.FishForm.365: A webpage spread via phishing emails. It is a bogus authorization page that mimics well-known websites. The credentials a user enters on the page are sent to the attacker.
- Trojan.PackedNET.2511: Malware written in VB.NET and protected with a software packer.
- Exploit.CVE-2018-0798.4: An exploit designed to take advantage of Microsoft Office software vulnerabilities and allow an attacker to run arbitrary code.
- W97M.DownLoader.2938: A family of downloader trojans that exploit vulnerabilities in Microsoft Office documents. They can also download other malicious programs to a compromised computer.

## Encryption ransomware

In February 2024, the number of requests made to decrypt files affected by encoder trojans decreased by 7.02%, compared to January.

The most common encoders of February:

- Trojan.Encoder.3953 — 18.27%
- Trojan.Encoder.35534 — 9.14%
- Trojan.Encoder.26996 — 8.12%
- Trojan.Encoder.29750 — 0.51%
- Trojan.Encoder.37400 — 0.51%

## Dangerous websites

In February 2024, Doctor Web’s Internet analysts continued to identify unwanted websites of various subject matter. For example, sites informing potential victims that some money transfers were allegedly waiting for them were popular with cybercriminals. To “receive” these funds, users must pay a bank transfer “commission”. Links to such websites are distributed in various ways, including via posts on the Telegraph blog platform. Below is an example of one such publication. Potential victims are asked to “collect” the reward that they supposedly earned after participating in an online store survey.

Upon clicking on the “GET A PAYMENT” (“ОФОРМИТЬ ВЫПЛАТУ”) link, the user is redirected to a scam website of some non-existent “International Payment and Transfer System” (“Международная Система Платежей и Переводов”), where they are supposedly able to receive the promised funds.

To “receive” the money, the user must first provide personal information, such as their name and email address. Then, they need to pay a “commission” via the legitimate Faster Payments System (“Система быстрых платежей”, “СБП”, or “SBP”) so that the reward, which, in fact, does not exist, can be “transferred” to them. At the same time, scammers ask the victim to pay the “commission” via an online bank, using the specified bank card number; all the while, the Faster Payments System allows transfers only by mobile phone number. In this case, the fraudsters may deliberately be speculating on a money-transfer method that is gaining popularity in Russia, counting on the low financial literacy of users. If the victim agrees to pay the “commission”, they will transfer their own money directly to the scammers’ bank card. However, it is possible that in an attempt to steal users’ money, malicious actors will actually begin using the Faster Payments System in the future.
## Malicious and unwanted programs for mobile devices

According to detection statistics collected by Dr.Web for Android, in February, Android.HiddenAds ad-displaying trojans were most commonly detected once again. Their activity increased by 73.26%, compared to January. At the same time, adware trojans from another family, Android.MobiDash, attacked users 58.85% less often. The number of Android.Spy spyware trojan detections decreased by 27.33%, while banking trojan detections decreased by 18.77%. Meanwhile, Android.Locker ransomware trojans were detected 29.85% less often.

The following February events involving mobile malware are the most noteworthy:

- A significant increase in the activity of Android.HiddenAds ad-displaying trojans,
- A decrease in the number of banking trojan and spyware trojan attacks,
- An increase in the number of ransomware trojan attacks.

To find out more about the security-threat landscape for mobile devices in February, read our special overview.
Analysis Summary
# Incident Report: February 2024 Global Threat Landscape Increase
## Executive Summary
Antivirus detection statistics for February 2024 showed a 1.26% increase in the total volume of detected threats compared to January, despite a 0.78% decrease in unique threats. The primary threats observed across desktop environments were adware, malicious scripts, and Office exploits delivered via email. Mobile devices saw a major surge in adware activity (**Android.HiddenAds**). Ransomware impact saw a favorable decrease in user decryption requests (down 7.02%).
## Incident Details
- Discovery Date: April 1, 2024 (Reporting Date for February Statistics)
- Incident Date: February 1, 2024 – February 29, 2024
- Affected Organization: Global user base monitored by Dr.Web detection statistics.
- Sector: Cross-sectoral detection data.
- Geography: Global (indicated by the nature of threat statistics reporting).
## Timeline of Events
### Initial Access
- **Date/Time:** Throughout February 2024
- **Vector:** Email traffic, software/torrent downloads, and general web browsing/infection vectors.
- **Details:** High prevalence of threats originating from email, including **JS.Inject** scripts, **HTML.FishForm.365** phishing pages designed to steal credentials, and malicious Microsoft Office documents utilizing **Exploit.CVE-2018-0798.4** or **W97M.DownLoader.2938**. Adware was frequently bundled with freeware downloads (e.g., **Adware.Siggen.33194** distributed via torrent sites).
### Lateral Movement
- **Details:** Not explicitly detailed for general threats, but obfuscation was key, as seen with **Trojan.AutoIt.1224**, a packed version of **Trojan.AutoIt.289**, which includes self-propagating modules and backdoors designed to hinder main payload detection.
### Data Exfiltration/Impact
- **Impact:** Adware and unwanted programs dominated general detections. Phishing campaigns (**HTML.FishForm.365**) aimed at credential theft. Ransomware incidents were reported, with **Trojan.Encoder.3953** being the most prevalent encoder (18.27% of incidents). Mobile devices faced severe adware infestation (**Android.HiddenAds**).
- **Scope:** Mobile threat activity for **Android.HiddenAds** increased by 73.26%.
### Detection & Response
- **Detection:** Statistics gathered by Dr.Web’s detection service throughout February 2024.
- **Response Actions:** Not explicitly detailed, but the report serves as intelligence dissemination to inform users and maintain updated signatures to counter the identified threats.
## Attack Methodology
This section summarizes the common techniques identified across the threat landscape:
| Category | Primary Techniques/Malware Examples |
| :--- | :--- |
| **Initial Access** | Malicious email attachments exploiting MS Office vulnerabilities (**Exploit.CVE-2018-0798.4**, **W97M.DownLoader.2938**), phishing for credentials (**HTML.FishForm.365**), bundled adware during freeware/torrent downloads (**Adware.Siggen.33194**). |
| **Persistence** | Malicious components embedded in browser extensions (**Trojan.BPlug.3814**), browser modification utilities (**Trojan.StartPage1.62722**), and complex trojans using evasive modules (**Trojan.AutoIt.289**). |
| **Defense Evasion** | Packing techniques used on malware (**Trojan.PackedNET.2511**, **Trojan.AutoIt.1224**—a packed version of **Trojan.AutoIt.289**). |
| **Lateral Movement** | Backdoor and self-propagating modules associated with **Trojan.AutoIt.289**. |
| **Collection** | N/A (Focus on Adware/Delivery, though banking trojans and spyware saw decreases). |
| **Impact** | Intrusive advertising (**Adware.Downware.20091**, **Android.HiddenAds**), system modification (homepage hijacking), and file encryption. |
## Impact Assessment
- **Financial:** Criminal organizations attempted financial theft via phishing scams that demand a bogus "commission" for a non-existent money transfer (scam sites mimicking legitimate systems such as SBP/Faster Payments System). Ransomware activity was still reported, but user decryption requests decreased by 7.02%.
- **Data Breach:** High potential for user credential theft via phishing pages (**HTML.FishForm.365**).
- **Operational:** General disruption caused by widespread adware and unwanted behavior, particularly on mobile devices.
- **Reputational:** Minimal direct reputational impact on end-users mentioned, but significant risk associated with fake payment/transfer sites potentially damaging trust in digital financial services.
## Indicators of Compromise
- **File Indicators (Identified Malware Families):** Trojan.Encoder.3953, Android.HiddenAds, Adware.Downware.20091, Trojan.BPlug.3814, Trojan.AutoIt.1224.
- **Behavioral Indicators:** Increased detection of ad-displaying trojans on Android devices (+73.26%). Malicious JavaScript injection into web content (**JS.Inject**). Exploitation of older MS Office vulnerabilities (e.g., **CVE-2018-0798**).
## Response Actions
This report summarizes findings rather than detailing a specific organizational response. The generalized response activities observed include:
- Signature updates to detect new variants of Adware and Encoder families.
- User education regarding phishing techniques, particularly those leveraging payment system misunderstandings.
## Lessons Learned
1. **Adware Dominance Continues:** Adware remains the most frequent type of detection across desktop and mobile platforms, often bundled with legitimate-looking software (via torrents or bundled installers).
2. **Email Remains Primary Corporate Vector:** Malicious scripts, phishing pages, and document exploits continue to target the email gateway as a primary means of initial access.
3. **Ransomware Activity Stabilized:** The slight reduction in decryption requests suggests either minor success in proactive prevention or that primary ransomware groups were less active/visible during the month.
4. **Social Engineering in Financial Scams is Evolving:** Scammers are leveraging knowledge of local, emerging payment systems (SBP/Faster Payments) to create convincing, yet fraudulent, commission requests.
## Recommendations
1. **Strengthen Email Filtering:** Implement advanced sandboxing and behavioral analysis for inbound Office documents to detect zero-day or known exploits (**Exploit.CVE-2018-0798.4**, **W97M.DownLoader.2938**).
2. **End-User Security Training:** Conduct mandatory training focused on recognizing modern phishing pages (**HTML.FishForm.365**) and particularly complex financial lure scams related to transfer commissions.
3. **Application Control/Whitelisting:** Consider controls to restrict the execution of scripts (**JS.Inject**) or bundled applications (**Adware.Downware.20091**) originating from user downloads.
4. **Mobile Device Management (MDM):** Increase vigilance on mobile endpoints regarding the high growth rate of aggressive adware like **Android.HiddenAds**.
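The following is an added defender-side example illustrating recommendation 1; it is not Dr.Web's code and is not part of the original report. It is a small triage routine for inbound Office attachments that classifies a file by its leading bytes and flags the document features behind the email-borne threats listed above: embedded OLE objects in RTF (the container in which Equation Editor exploits such as the CVE-2018-0798 family are delivered) and VBA macro projects or embedded objects in OOXML archives. The magic bytes, the RTF `\objclass` / `\objdata` control words and the `vbaProject.bin` part name are real format details; the verdict labels (`allow`, `sandbox`, `block`) and the decision rules are this example's own assumptions, and every sample document is constructed inline.

```python
"""Inbound Office attachment triage (added example; not Dr.Web code).

Classifies an attachment by magic bytes and flags features worth routing to a
sandbox or blocking outright. All sample inputs are constructed for the demo.
"""
import io
import re
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # Compound File Binary (legacy .doc/.xls)
ZIP_MAGIC = b"PK\x03\x04"                      # OOXML (.docx/.xlsx/.pptx) is a ZIP archive
RTF_MAGIC = b"{\\rtf"                          # Rich Text Format header


def file_kind(data: bytes) -> str:
    """Identify the container by its first bytes, ignoring the file extension."""
    if data.startswith(OLE_MAGIC):
        return "ole"
    if data.startswith(ZIP_MAGIC):
        return "ooxml"
    if data.lstrip().startswith(RTF_MAGIC):
        return "rtf"
    return "other"


def _rtf_findings(data: bytes) -> list[str]:
    """Report embedded OLE objects declared in an RTF stream."""
    text = data.decode("latin-1")  # RTF control words are 7-bit ASCII; never fails
    findings = []
    classes = re.findall(r"\\objclass\s+([\w.]+)", text)
    for cls in classes:
        findings.append(f"embedded object class: {cls}")
    n_objdata = len(re.findall(r"\\objdata\b", text))
    if n_objdata and not classes:
        # Object payloads with no declared class are a classic evasion pattern.
        findings.append(f"{n_objdata} object data block(s) with no declared class")
    return findings


def _ooxml_findings(data: bytes) -> list[str]:
    """Report macro projects and embedded objects inside an OOXML archive."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return ["malformed OOXML container"]  # cannot be inspected: do not trust it
    findings = []
    for name in names:
        lower = name.lower()
        if lower.endswith("vbaproject.bin"):
            findings.append(f"VBA macro project: {name}")
        elif "/embeddings/" in lower:
            findings.append(f"embedded object: {name}")
    return findings


def triage_attachment(data: bytes) -> dict:
    """Return the container kind, findings and a verdict (assumed labels)."""
    kind = file_kind(data)
    findings: list[str] = []
    if kind == "rtf":
        findings = _rtf_findings(data)
    elif kind == "ooxml":
        findings = _ooxml_findings(data)
    elif kind == "ole":
        findings = ["legacy binary Office container (not parsed here)"]

    if any("Equation" in f for f in findings):
        verdict = "block"    # Equation Editor objects have no legitimate use in inbound mail
    elif findings:
        verdict = "sandbox"  # macros, other objects, opaque or malformed containers: detonate first
    else:
        verdict = "allow"
    return {"kind": kind, "findings": findings, "verdict": verdict}


def build_docx(with_macros: bool) -> bytes:
    """Construct a minimal OOXML archive in memory (sample input, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


# Constructed samples: an RTF declaring an Equation Editor object, a plain RTF,
# and a stub that only carries the OLE header.
RTF_WITH_EQUATION = (b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objclass Equation.3}"
                     b"{\\*\\objdata 0105000002000000}}}")
RTF_PLAIN = b"{\\rtf1\\ansi Hello}"
OLE_STUB = OLE_MAGIC + b"\x00" * 24

if __name__ == "__main__":
    samples = [("rtf-equation", RTF_WITH_EQUATION), ("rtf-plain", RTF_PLAIN),
               ("docx-macros", build_docx(True)), ("docx-clean", build_docx(False)),
               ("legacy-ole", OLE_STUB), ("truncated-zip", b"PK\x03\x04garbage")]
    for label, blob in samples:
        print(f"{label:14} {triage_attachment(blob)}")
```

The point of the `sandbox` tier is that macros and embedded objects are not proof of malice, so the routine only hard-blocks the one feature with no business in inbound mail and sends everything it cannot fully inspect, including malformed archives, for detonation rather than letting a parser failure fall through to `allow`.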