Full Report
March 29, 2024

An analysis of Dr.Web anti-virus detection statistics for January 2024 revealed a 95.66% increase in the total number of threats detected, compared to December 2023. At the same time, the number of unique threats increased by 2.15%. Unwanted adware and adware trojans were detected most frequently, as were malicious programs distributed alongside other threats to make the latter more difficult to detect. In mail traffic, malicious scripts and phishing documents were most commonly observed.

The number of user requests to decrypt files affected by encoder trojans increased by 22.84%, compared to the last month of 2023. Victims of these malicious programs again most frequently encountered Trojan.Encoder.26996, Trojan.Encoder.3953, and Trojan.Encoder.37369. Their share of the total number of incidents recorded was 17.98%, 12.72%, and 3.51%, respectively.

In January 2024, Doctor Web’s specialists discovered a new family of unwanted adware for the Android operating system. Dubbed Adware.StrawAd, it was integrated into several programs distributed via Google Play. Our malware analysts also uncovered many new Android.FakeApp trojan apps on Google Play; cybercriminals use these apps for fraudulent purposes.

Principal trends in January

- An increase in the total number of threats detected
- An increase in the number of user requests to decrypt files affected by encoder trojans
- The emergence of new threats on Google Play

According to Doctor Web’s statistics service

The most common threats in January:

- Adware.Downware.20091: adware that often serves as an intermediary installer of pirated software.
- Trojan.BPlug.3814: the detection name for a malicious component of the WinSafe browser extension. This component is a JavaScript file that displays intrusive ads in browsers.
- Adware.Siggen.33194: the detection name for a freeware browser built with the Electron framework that has a built-in adware component. This browser is distributed via various websites and is loaded onto users’ computers when they try to download torrent files.
- Trojan.AutoIt.1224: the detection name for a packed version of the Trojan.AutoIt.289 malicious app, written in the AutoIt scripting language. This trojan is distributed as part of a group of several malicious applications, including a miner, a backdoor, and a self-propagating module. Trojan.AutoIt.289 performs various malicious actions that make it difficult for the main payload to be detected.
- Adware.SweetLabs.5: an alternative app store and an add-on for the Windows GUI (graphical user interface) from the creators of the “OpenCandy” adware.

Statistics for malware discovered in email traffic

- JS.Inject: a family of malicious JavaScripts that inject a malicious script into the HTML code of webpages.
- Exploit.CVE-2018-0798.4: an exploit that takes advantage of Microsoft Office vulnerabilities to let an attacker run arbitrary code.
- Trojan.Inject4.30867: a trojan designed to inject malicious code into the processes of other programs.
- Trojan.Siggen24.7712: the detection name for malicious programs of various functionality.
- LNK.Starter.56: the detection name for a shortcut that is crafted in a specific way. This shortcut is distributed through removable media, like USB flash drives. To mislead users and conceal its operation, its default icon is that of a disk drive. When launched, it executes malicious VBS scripts from a hidden directory located on the same drive as the shortcut itself.

Encryption ransomware

In January 2024, the number of requests made to decrypt files affected by encoder trojans increased by 22.84%, compared to December 2023.

The most common encoders of January:

- Trojan.Encoder.26996 — 17.98%
- Trojan.Encoder.3953 — 12.72%
- Trojan.Encoder.37369 — 3.51%
- Trojan.Encoder.35534 — 3.51%
- Trojan.Encoder.30356 — 2.63%

Dangerous websites

Over the course of the first month of 2024, Doctor Web’s malware analysts discovered more fraudulent finance-themed websites. These attracted potential victims by offering them the opportunity to become investors or to make money using certain supposedly profitable platforms. Malicious actors pass off such sites as the official Internet resources of well-known companies, such as banks and oil and gas sector firms. To do this, fraudsters copy or imitate the companies’ logos, names, and color schemes. On such sites, visitors are asked to answer several questions and then to provide their personal data (first and last name, mobile phone number, email address, etc.) to “access” the service. All of this confidential information may end up in third-party hands and could subsequently be used for illegal purposes.

One such fraudulent website (shown in a screenshot in the original report) informs the visitor that every Russian citizen can allegedly make 150,000 rubles per month. To start “earning money”, the user must provide their contact details. Next, to “access” the investing platform, supposedly created in honor of the 100th anniversary of the USSR, the user is asked to take a survey and provide their personal data again. At the end, the website tells the victim to wait for a call from “one of its employees”.

Malicious and unwanted programs for mobile devices

According to detection statistics collected by Dr.Web for Android, in January users were most likely to encounter Android.HiddenAds adware trojans, whose activity increased by 54.45%. The number of attacks by banking trojans of various families and by Android.Spy spyware trojans also increased, by 17.04% and 11.16%, respectively. Meanwhile, the activity of Android.Locker ransomware trojans decreased, by 0.92%.

Among the threats discovered on Google Play by Doctor Web’s malware analysts were more trojan apps from the Android.FakeApp family. In addition, our specialists detected programs containing the built-in unwanted adware module Adware.StrawAd, which belongs to a new family.

The following January events involving mobile malware are the most noteworthy:

- An increase in the activity of Android.HiddenAds adware trojans
- An increase in the number of banking trojan and spyware trojan attacks
- A decrease in the number of ransomware attacks
- The emergence of new malware and adware on Google Play

To find out more about the security-threat landscape for mobile devices in January, read our special overview.
Analysis Summary
# Incident Report: Dr.Web Global Threat Landscape Analysis - January 2024
## Executive Summary
Doctor Web observed a significant surge in overall threat detection during January 2024: a 95.66% increase compared to December 2023, with only a 2.15% rise in unique threats. Adware dominated the detections, and user requests for ransomware decryption rose 22.84%. Distribution paths spanned email, downloads initiated by users (especially attempted torrent downloads), removable media, and malicious apps published on Google Play.
## Incident Details
- **Discovery Date:** Report published March 29, 2024 (covering January 2024 detections)
- **Incident Date:** January 1, 2024 – January 31, 2024
- **Affected Organization:** Global user base monitored by Dr.Web telemetry.
- **Sector:** Cross-Industry (Consumer, Enterprise, Mobile).
- **Geography:** Global detections; the fraudulent investment sites described targeted Russian-speaking users (the example site promises Russian citizens 150,000 rubles per month).
## Timeline of Events
The timeline reflects aggregated monthly trends rather than discrete events:
### Initial Access
- **Date/Time:** Throughout January 2024
- **Vector:** Email attachments, downloads from websites (notably during attempted torrent downloads), removable media, and apps published on Google Play.
- **Details:**
    * Email traffic primarily delivered malicious scripts (`JS.Inject`), phishing documents, and exploits targeting Microsoft Office (`Exploit.CVE-2018-0798.4`).
    * Users attempting to download torrent files from various websites instead received `Adware.Siggen.33194`, an Electron-based freeware browser with a built-in adware component.
    * `LNK.Starter.56` shortcuts arrived on USB flash drives and other removable media, disguised with a disk icon.
    * Android users installed threats directly from Google Play, where analysts found a new adware family (`Adware.StrawAd`) embedded in several apps and numerous fraudulent `Android.FakeApp` trojans.
### Lateral Movement
- **Date/Time:** Ongoing, leveraged by certain malware families.
- **Vector:** Self-propagating components and removable media.
- **Details:** `Trojan.AutoIt.1224`, a packed version of `Trojan.AutoIt.289`, was distributed as part of a group that included a miner, a backdoor, and a self-propagating module; the AutoIt component's role is to keep the main payload from being detected. `LNK.Starter.56` moves between machines on USB flash drives and launches VBS scripts from a hidden directory on the same drive. The report describes no lateral movement inside enterprise networks.
### Data Exfiltration/Impact
- **Date/Time:** Throughout January 2024
- **Vector:** Ransomware activity, fraudulent financial schemes.
- **Details:**
* **Ransomware:** 22.84% increase in requests for decryption assistance, with `Trojan.Encoder.26996` being the most active (17.98% of encoder incidents).
* **Fraud:** Discovery of several fraudulent finance websites designed to harvest personal data (name, phone, email) under the guise of investment opportunities offering high returns.
### Detection & Response
- **Date/Time:** Detections continuously logged throughout January 2024.
- **Vector:** Dr.Web anti-virus statistics analysis.
- **Details:** Dr.Web analysts identified and cataloged new threats (`Adware.StrawAd` for Android) and tracked the dominance of existing threats (e.g., `Adware.Downware.20091`).
## Attack Methodology
This analysis focuses on observed threat *types* rather than a single intrusion chain:
- **Initial Access:**
* **Email:** Phishing documents, malicious JavaScript (`JS.Inject`).
* **Web/Download:** Bundled adware distributed during torrent downloads (`Adware.Siggen.33194`).
* **Mobile:** Installation of malicious/adware apps from Google Play.
- **Persistence:** Not explicitly detailed. The `Trojan.BPlug.3814` component persists for as long as the WinSafe browser extension that carries it remains installed.
- **Privilege Escalation:** Not detailed. `Exploit.CVE-2018-0798.4` is described as giving an attacker arbitrary code execution through a Microsoft Office vulnerability; it is an execution vector, not a privilege escalation.
- **Defense Evasion:** Packing (`Trojan.AutoIt.1224` is a packed `Trojan.AutoIt.289`) and bundling the main payload with other components to hinder detection; `LNK.Starter.56` masquerades with a disk icon and keeps its VBS scripts in a hidden directory.
- **Credential Access:** Not explicitly detailed, though attacks by Android banking trojans and `Android.Spy` spyware rose by 17.04% and 11.16%, respectively.
- **Discovery:** Not detailed in the report.
- **Lateral Movement:** The self-propagating module in the `Trojan.AutoIt.289` bundle, and `LNK.Starter.56` spreading via removable media.
- **Collection:** Data harvesting via fraudulent phishing websites (personal contact/financial details).
- **Exfiltration:** Not explicitly detailed for desktop threats, but mobile banking Trojans and spyware were on the rise.
- **Impact:** System monetization via adware, loss of access to files via ransomware, and identity/financial data theft via phishing.
## Impact Assessment
- **Financial:** Increased financial risk due to successful ransomware encryption and data harvested from fraudulent investment sites.
- **Data Breach:** Loss of Personal Identifiable Information (PII) and contact details gathered from fraudulent websites.
- **Operational:** Low-level operational impact inferred from ad injection (`Trojan.BPlug.3814`) and from the resource consumption of the miner and backdoor bundled with `Trojan.AutoIt.289`.
- **Reputational:** Minimal immediate reputational impact noted, as this is a threat statistics summary, not a specific organizational breach report.
## Indicators of Compromise
(Note: the report publishes Dr.Web detection names and statistics only; it gives no hashes, domains, or IP addresses, so there is nothing to defang.)
- **Detection Names (Most Common):**
    * Trojan.Encoder.26996 (17.98% of encoder incidents)
    * Trojan.Encoder.3953 (12.72% of encoder incidents)
    * Adware.Downware.20091
    * Trojan.BPlug.3814
    * Android.HiddenAds (54.45% activity increase on Android)
- **Behavioral Indicators:**
* Injection of malicious scripts into webpage HTML (`JS.Inject`).
* Execution of malicious VBS scripts via specially crafted LNK files distributed via removable media (`LNK.Starter.56`).
* Display of intrusive advertisements by browser components.
* Increased banking and spyware activity on Android devices.
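The `LNK.Starter.56` description in the report and the behavioral indicator above both come down to one artifact: a Windows shortcut that borrows a disk icon and launches VBS scripts through the Windows Script Host from a directory on the same removable drive. The scanner below is an added example, not Doctor Web's code and not derived from any real LNK.Starter.56 sample. It parses the binary shortcut format (MS-SHLLINK header and StringData, skipping the LinkTargetIDList and LinkInfo blocks by their size) and applies heuristics of this example's own choosing: a `wscript`/`cscript` launch of a `.vbs` file, a script path relative to the shortcut, a dot- or `$`-prefixed directory as the in-file stand-in for a hidden directory (the hidden attribute lives on the filesystem, not in the `.lnk`), and an icon taken from `shell32.dll` rather than from the target. The two shortcuts it scans are constructed in the block itself.

```python
"""Heuristic scan of Windows shortcut (.lnk) files for the traits the report
attributes to LNK.Starter.56. Example code, not Doctor Web's; the samples at the
bottom are constructed here and are not real malware."""
import re
import struct

# Shell Link header constants (MS-SHLLINK). CLSID {00021401-0000-0000-C000-000000000046}.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 1 << 0, 1 << 1, 1 << 2, 1 << 3
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 1 << 4, 1 << 5, 1 << 6, 1 << 7
STRING_FIELDS = (  # StringData sections, in the order the format stores them
    (HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"), (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"), (HAS_ICON_LOCATION, "icon_location"),
)

SCRIPT_HOST = re.compile(r"\b[wc]script(?:\.exe)?\b", re.I)   # Windows Script Host binaries
VBS_PATH = re.compile(r"[^\s\"]+\.vbs\b", re.I)                # a .vbs path, quotes excluded


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields plus IconIndex of a .lnk file."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link (.lnk) file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    icon_index = struct.unpack_from("<i", data, 0x38)[0]
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize (u16) followed by the IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize (u32) covers the whole block
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {"icon_index": icon_index}
    for flag, name in STRING_FIELDS:             # CountCharacters (u16) + chars, no terminator
        if not flags & flag:
            fields[name] = ""
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if flags & IS_UNICODE:
            fields[name] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            fields[name] = data[pos:pos + count].decode("cp1252", errors="replace")
            pos += count
    return fields


def assess(fields: dict) -> list:
    """Return the suspicious traits found; an empty list means nothing matched."""
    findings = []
    launch = f"{fields['relative_path']} {fields['arguments']}"
    vbs = VBS_PATH.search(launch)
    if SCRIPT_HOST.search(launch) and vbs:
        findings.append("runs a VBS script through the Windows Script Host")
        script = vbs.group(0)
        # No drive letter, %VAR% or UNC prefix: resolved relative to the shortcut,
        # i.e. the script lives on the same (removable) drive.
        if not re.match(r"(?:[A-Za-z]:|%|\\\\)", script):
            findings.append(f"script path is relative to the shortcut: {script}")
        # Heuristic stand-in for a hidden directory (the attribute is not in the .lnk).
        if re.match(r"(?:\.\\)?[.$][^.\\/]", script):
            findings.append("script lives in a dot- or $-prefixed directory")
    if re.search(r"shell32\.dll", fields["icon_location"], re.I) and SCRIPT_HOST.search(launch):
        findings.append(f"borrows a system icon (shell32.dll, index {fields['icon_index']}) "
                        "instead of the script host's own")
    return findings


def build_lnk(icon_index=0, **strings) -> bytes:
    """Assemble a minimal Unicode .lnk (header + StringData only) for testing."""
    flags, body = IS_UNICODE, b""
    for flag, name in STRING_FIELDS:
        value = strings.get(name, "")
        if value:
            flags |= flag
            body += struct.pack("<H", len(value)) + value.encode("utf-16-le")
    header = (struct.pack("<I", 0x4C) + LNK_CLSID
              + struct.pack("<II", flags, 0)          # LinkFlags, FileAttributes
              + b"\x00" * 24                           # Creation/Access/Write FILETIMEs
              + struct.pack("<IiI", 0, icon_index, 1)  # FileSize, IconIndex, ShowCommand
              + struct.pack("<HHII", 0, 0, 0, 0))      # HotKey, Reserved1-3
    return header + body


# Constructed samples: one with the described traits, one ordinary application shortcut.
SUSPICIOUS_LNK = build_lnk(
    name="Removable Disk (E:)",
    relative_path="..\\..\\Windows\\System32\\wscript.exe",
    arguments='//B //Nologo ".system\\starter.vbs"',
    icon_location="%SystemRoot%\\System32\\shell32.dll",
    icon_index=8,
)
BENIGN_LNK = build_lnk(name="Notepad", relative_path="..\\..\\Windows\\notepad.exe", working_dir="%HOMEPATH%")

if __name__ == "__main__":
    for label, blob in (("suspicious", SUSPICIOUS_LNK), ("benign", BENIGN_LNK)):
        f = parse_lnk(blob)
        print(label, f["relative_path"], f["arguments"], "->", assess(f) or ["clean"])
```

To use it on a real drive, read each `*.lnk` file from the mounted volume root into `parse_lnk` and treat any non-empty `assess` result as a triage lead; the LinkInfo block, which holds the absolute target path in real shortcuts, is skipped rather than decoded here, so the check keys off the relative path and arguments.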
## Response Actions
The response actions listed are those taken by the security vendor (Doctor Web) during the reporting period:
- **Containment:** N/A (Statistics provided, not active breach response).
- **Eradication:** N/A.
- **Recovery:** Increased user requests for file decryption indicate that victims relied on the vendor’s tools/support for recovery from ransomware.
- **Threat Discovery:** Discovery of the new Android adware family `Adware.StrawAd` and numerous `Android.FakeApp` trojans on Google Play.
## Lessons Learned
1. **Adware Dominance:** Adware remains the most prevalent threat category (both general and mobile), often acting as an initial foothold or installer for secondary, more malicious payloads.
2. **Ransomware Persistence:** Despite increased threat volume, reliance on established ransomware strains (Trojan.Encoder.26996) suggests these remain highly effective against end-users.
3. **Mobile Platform Risk:** Google Play remains a consistent source of immediate mobile threats, including both overt adware and sophisticated banking/spyware applications.
4. **Social Engineering Efficacy:** Fraudulent sites that copy the logos, names, and color schemes of banks and oil and gas firms, and promise unrealistic earnings, elicited PII from users through a short survey followed by a contact form.
## Recommendations
1. **Enhance Endpoint Protection:** Ensure anti-adware modules are highly prioritized, as adware often serves as the gateway for deeper compromise.
2. **Security Patch Management:** Continue rigorous patching for widely used applications, specifically targeting known exploits like those affecting Microsoft Office (`CVE-2018-0798`).
3. **User Education on Downloads:** Increase user awareness regarding the risks associated with downloading content from torrent sites, as this was a vector for adware/utility bundles.
4. **Mobile and Web Application Vetting:** Treat finance/investment offers with skepticism, whether they arrive as `Android.FakeApp` trojans on Google Play or as websites impersonating well-known companies; a short survey followed by a request for full contact details and a promised callback from an “employee” is the pattern the report describes.