Full Report
July 1, 2024

According to the detection statistics collected by the Dr.Web anti-virus, the most common threats in the second quarter of 2024 were unwanted adware programs and adware trojans, together with malware that is distributed as part of other trojans and is used to make those trojans harder to detect. In email traffic, malicious scripts and various phishing documents were detected most often. Users whose files were affected by encoder trojans most commonly encountered Trojan.Encoder.3953, Trojan.Encoder.35534, and Trojan.Encoder.26996. On Android devices, the most commonly detected threats were Android.HiddenAds adware trojans, Android.FakeApp malicious programs, and Android.Spy spyware trojans. Our virus analysts also discovered more threats on Google Play.

Principal trends in Q2 2024

- Adware trojans and unwanted adware programs were highly active.
- Malicious scripts and various phishing documents predominated in malicious email traffic.
- Android.HiddenAds adware trojans were again the most commonly detected threats for Android devices.

According to Doctor Web's statistics service

The most common threats in Q2 2024:

Adware.Downware.20091, Adware.Downware.20477: Adware that often serves as an intermediary installer of pirated software.
Trojan.StartPage1.62722: A malicious program that can modify the home page in the browser settings.
Trojan.AutoIt.1224: The detection name for a packed version of the Trojan.AutoIt.289 malicious app, written in the AutoIt scripting language. This trojan is distributed as part of a group of several malicious applications that includes a miner, a backdoor, and a self-propagating module. Trojan.AutoIt.289 performs various actions that make it harder for the main payload to be detected.
JS.Siggen5.44590: Malicious code added to the es5-ext-main public JavaScript library. It shows a specific message if the package is installed on a server whose time zone is set to that of a Russian city.
Statistics for malware discovered in email traffic

JS.Siggen5.44590: Malicious code added to the es5-ext-main public JavaScript library. It shows a specific message if the package is installed on a server whose time zone is set to that of a Russian city.
JS.Inject: A family of malicious JavaScripts that inject a malicious script into the HTML code of webpages.
PDF.Phisher.707, PDF.Phisher.693: PDF documents used in phishing mailings.

Encryption ransomware

The dynamics of the requests we received to decrypt files affected by encoder trojans: (chart not reproduced here)

The most common encoders of Q2 2024:

- Trojan.Encoder.3953 — 18.43%
- Trojan.Encoder.35534 — 9.22%
- Trojan.Encoder.26996 — 8.75%
- Trojan.Encoder.35067 — 2.07%
- Trojan.Encoder.37369 — 1.61%

Dangerous websites

In Q2 2024, Doctor Web's specialists detected a mass-mailing fraud campaign targeting users in Japan. Fraudsters pretending to act on behalf of a bank informed potential victims about a purchase they had supposedly made and offered them the chance to see the details of this "payment" by clicking on the provided link. In reality, the link led to a phishing site.

Among the fraudulent websites found in Q2 2024, our Internet analysts also noticed phishing resources that imitated the appearance of genuine e-wallet sites, such as Payeer. With their help, threat actors tried to steal users' authentication data.

Cybercriminals are also not abandoning their attempts to gain access to accounts in various messengers, using fake login forms. Below is an example of one such phishing site, where potential victims are asked to log in to Telegram via a QR code or a phone number. If a potential victim does so, their login data ends up in the attackers' hands.

At the same time, our specialists continue to detect fraudulent sites that target Russian-speaking users. Among these, sites that offer potential victims supposedly free lottery tickets are still common.
On such sites, potential victims are told that they can get a lottery ticket as a "gift", and the ticket invariably turns out to be a "winner". To "receive" the prize, victims must provide their bank card details or pay a commission or customs duty so that the non-existent prize can be "transferred" to their bank account. An example of one such scam website is shown below. First, it simulates "free" lottery ticket registration and then purports to show an online broadcast of the draw.

(Screenshot: the user "wins" 314.906 rubles, but to "receive" the winnings they must provide bank card details and pay a "fee" of 501 rubles to have the money "transferred".)

Copycat websites of online stores are still another popular scheme among scammers, including fake sites of electronics and home appliance stores. Cybercriminals lure potential victims with "discounts", "coupons", and all sorts of "promotions", offering popular goods at lower prices. When placing an "order" on such sites, users are usually asked to pay via online banking or a bank card. However, our specialists noticed that fraudsters have also begun offering the Faster Payments System ("Система быстрых платежей", "СБП", or "SBP") as an alternative payment method. Since SBP transfers go directly to the recipient's account, a payment rail that looks legitimate is no evidence that the shop is.

(Screenshots: a fake website imitating an electronics retailer's real web resource; the potential victim places an order for a "product" supposedly offered at a discount; the Faster Payments System is offered as one of the payment methods for this "order".)

Malicious and unwanted programs for mobile devices

According to detection statistics collected by Dr.Web for Android, in Q2 2024 Android.HiddenAds adware trojans were most commonly detected on protected devices. They were followed by Android.FakeApp malicious applications. The third most common programs were spyware trojans from the Android.Spy family.
At the same time, all sorts of threats were again found on Google Play. Among them were more Android.FakeApp trojans, the unwanted Program.FakeMoney.11 app, and the Android.Harly.87 trojan, which subscribed users to paid services.

The following Q2 2024 events involving mobile malware are the most noteworthy:

- Android.HiddenAds adware trojans remained the most active threat.
- More threats were detected on Google Play.

To find out more about the security-threat landscape for mobile devices in Q2 2024, read our special overview.
Analysis Summary
# Incident Report: Q2 2024 Malware Activity Review
## Executive Summary
This report summarizes the key findings regarding malware activity detected by Dr.Web antivirus solutions throughout the second quarter of 2024 (April 1 to June 30, 2024). The primary observable trends included a high volume of adware, prevalence of phishing campaigns via email, significant ransomware activity (specifically involving *Trojan.Encoder* variants), and sustained threats targeting Android mobile users, including discovery of malicious apps on Google Play.
## Incident Details
- **Discovery Date:** Data collection concluded June 30, 2024 (Report published July 1, 2024).
- **Incident Period:** Q2 2024 (April 1, 2024 – June 30, 2024).
- **Affected Organization:** General user base protected by Dr.Web solutions (Global).
- **Sector:** Cross-sector (Consumer, Corporate, Mobile).
- **Geography:** Global, with specific mention of campaigns targeting users in Japan and Russian-speaking regions.
## Timeline of Events
This review summarizes activity spanning the entire quarter, rather than specific point incidents.
### Initial Access
- **Date/Time:** Ongoing throughout Q2 2024.
- **Vector:** Email, a tampered public JavaScript package, and adware acting as a third-party software installer.
- **Details:**
- **Email:** Malicious scripts (e.g., JS.Inject family) and general phishing documents (PDF.Phisher.707/693) dominated email traffic.
- **Web/Software:** Adware (*Adware.Downware.20091/20477*) often acted as an intermediary installer for pirated software.
- **Supply Chain:** Malicious code (*JS.Siggen5.44590*) was found injected into the public `es5-ext-main` JavaScript library.
### Lateral Movement
- **Date/Time:** Ongoing in complex infections.
- **Details:** **Trojan.AutoIt.1224** (a packed version of Trojan.AutoIt.289) was distributed as part of a multi-component package that also contained a miner, a backdoor, and a self-propagating module. The self-propagating module is the component relevant to lateral movement; the AutoIt component's role is to perform actions that make the main payload harder to detect.
### Data Exfiltration/Impact
- **Date/Time:** Ongoing throughout Q2 2024.
- **Impact:**
- **Ransomware:** Significant file encryption activity, with *Trojan.Encoder.3953* being the most prominent variant (18.43% of requests).
- **Phishing/Theft:** Attackers actively stole credentials via fake websites imitating e-wallets (Payeer), online stores, and messenger login portals (Telegram QR code/number logins).
- **Financial Fraud:** Scams targeting Russian users offered fake lottery "winnings," requiring victims to pay a transfer fee (e.g., 501 rubles) or supply bank card details.
- **Mobile Compromise:** *Android.Harly.87* was found subscribing users to paid services.
### Detection & Response
- **Detection:** Statistics collected via Dr.Web anti-virus detection engine.
- **Response Actions:** Dr.Web analysts identified and cataloged trends. Specific fraud campaigns were observed and documented, including evolving methods like the adoption of the Faster Payments System (SBP) in fake e-commerce checkouts.
## Attack Methodology
This summary focuses on the observed threat categories and techniques:
- **Initial Access:** Email phishing (PDFs, scripts), a tampered public JavaScript package (JS.Siggen5.44590 in `es5-ext-main`), and adware installers bundled with pirated software.
- **Persistence:** Not detailed in the source.
- **Privilege Escalation:** Not detailed.
- **Defense Evasion:** Packed payloads (**Trojan.AutoIt.1224**) and the detection-hindering actions of Trojan.AutoIt.289 were used to obscure the main malicious application.
- **Credential Access:** Phishing portals imitating e-wallets (Payeer), a bank, and the Telegram login flow (QR code or phone number).
- **Discovery:** Not detailed.
- **Lateral Movement:** The self-propagating module shipped in the Trojan.AutoIt.289 package; the backdoor in the same package provides remote access but is not itself a propagation mechanism.
- **Collection:** Stealing authentication data (credentials) via phishing and potentially capturing user data via spyware (*Android.Spy*).
- **Exfiltration:** Not detailed, but implied by the credential theft that results from phishing.
- **Impact:** File encryption (ransomware), forced subscriptions (Android.Harly.87), financial theft (lottery and fake-store scams), and delivery of unwanted software (adware).
## Impact Assessment
- **Financial:** Direct financial loss to victims through ransomware payments, fraud from lottery scams, and unauthorized subscription billing.
- **Data Breach:** Theft of user credentials for financial services and messengers. No volume specified.
- **Operational:** Unspecified; adware and unwanted installers degrade endpoint performance and can stage further malware.
- **Reputational:** Damage to brands impersonated in phishing campaigns (banks, e-commerce sites, messaging apps).
## Indicators of Compromise
- **File Indicators (Examples of common malware):**
- **Ransomware:** Trojan.Encoder.3953, Trojan.Encoder.35534, Trojan.Encoder.26996.
- **Adware/Unwanted:** Adware.Downware.20091, Program.FakeMoney.11.
- **Other Trojans:** Trojan.StartPage1.62722 (browser home-page modifier), Trojan.AutoIt.1224/289 (packed AutoIt component distributed with a miner, a backdoor, and a self-propagating module).
- **Mobile:** Android.HiddenAds, Android.FakeApp, Android.Spy, Android.Harly.87.
- **Behavioral Indicators:** Injection of malicious code into public JavaScript libraries (JS.Siggen5.44590), JavaScript injection into web pages (JS.Inject family), and modification of browser settings (Trojan.StartPage1.62722).
## Response Actions
(As this is a threat landscape review, response actions are those taken by security researchers, not internal corporate incident response.)
- **Containment:** Not applicable enterprise-wide; containment depends on endpoints receiving updated detection signatures.
- **Eradication:** Updates to Dr.Web signature files to detect the identified variants.
- **Recovery:** The source reports the volume of file-decryption requests it received from encoder victims but gives no recovery outcomes; publication of findings and user education are the only stated follow-up.
## Lessons Learned
- **Adware's Role:** Adware remains a persistent entry point, often serving as a downloader/installer for more serious threats or pirated software.
- **Multi-Vector Attacks:** Malware distribution remains diversified, utilizing email, software delivery chains, and direct code injection into public libraries.
- **Evolving Phishing:** Fake storefronts now offer the Faster Payments System (SBP) alongside bank-card payment, so the presence of a mainstream payment rail is not evidence that a shop is genuine.
- **Mobile Platform Risks:** Google Play remains a vector for adware, fake applications (Android.FakeApp), unwanted programs (Program.FakeMoney.11), and subscription trojans (Android.Harly.87).
## Recommendations
- **Dependency Management:** Pin third-party packages to reviewed versions with a lockfile, verify installs against the lockfile's integrity hashes, and review the diff of a dependency before adopting a new release; "current" is not the same as "trusted", since the JS.Siggen5.44590 code was added to a published version of a public library.
- **Email Defense:** Implement robust filtering for malicious scripts and document types commonly used in phishing campaigns (JS, PDF).
- **User Awareness:** Intensify user training on identifying sophisticated phishing sites, especially those attempting to harvest credentials via QR codes or offering unrealistic financial gains (lottery scams).
- **Mobile Device Security:** Maintain up-to-date mobile security solutions, as malicious apps continue to infiltrate official app stores.