Doctor Web’s April 2019 virus activity review
May 6, 2019
In April, Dr.Web’s statistics showed a 39.44% decrease in the number of unique threats compared to March, while the total number of detected threats decreased by 14.96%. E-mail traffic is still dominated by malware that exploits vulnerabilities in Microsoft Office programs. The previous month’s trend in malware and unwanted programs also continues. Malicious browser extensions, unwanted programs and adware account for the majority of detected threats.
The number of non-recommended websites increased by 28.04%. One such website was used to spread a banking trojan and a stealer along with video and sound editing software, as we reported at the beginning of the month. Additionally, Doctor Web’s researchers warned about a phishing newsletter sent from the official e-mail addresses of large international companies.
Principal trends in April
- A decline in malware spreading activity
- An increase in the number of domain names added to the Dr.Web database of non-recommended websites
Threat of the month
Doctor Web researchers warned users about a compromised popular website that distributes video and sound editing software. Hackers hijacked download links on the website, causing visitors to download the dangerous banking trojan Win32.Bolik.2 and the Trojan.PWS.Stealer (KPOT) stealer along with the editing software. Trojans of this family are designed to perform web injections, intercept traffic, log keystrokes and steal information from different bank-client systems. Additionally, the attackers later replaced the Win32.Bolik.2 trojan with another piece of malware, Trojan.PWS.Stealer (KPOT Stealer). This trojan steals information from browsers, Microsoft accounts, several messengers and some other programs.
According to Doctor Web’s statistics servers
Threats of the month:
- Adware.Softobase.12
- Installation adware that spreads outdated software and changes the browser’s settings.
- Adware.Ubar.13
- A torrent client designed to install unwanted programs on a user’s device.
- Trojan.Starter.7394
- A trojan designed to launch other malicious software on a victim’s device.
- Adware.Downware.19283
- The sort of adware that is usually distributed as an installer for pirated software. Upon installation, it changes a browser’s settings and may install other software without asking for the user’s permission.
Statistics for malware discovered in email traffic
- Exploit.ShellCode.69
- A modified Microsoft Office document. It exploits the CVE-2017-11882 vulnerability in order to run malicious code.
- Exploit.Rtf.CVE2012-0158
- Another malicious Microsoft Office Word document. This one exploits the CVE-2012-0158 vulnerability.
- JS.DownLoader.1225
- A variety of malicious code written in JavaScript and designed to download and install other malware on a computer.
- Trojan.Encoder.26375
- A malicious program from the encryption ransomware family. This trojan encrypts files and demands a ransom for data decryption.
- W97M.DownLoader.2938
- A family of downloader trojans that exploit vulnerabilities in office applications. They are designed to download other malware onto a compromised computer.
Encryption ransomware
In April, Doctor Web’s technical support was most frequently contacted by victims of the following encryption ransomware:
- Trojan.Encoder.858 — 17.95%
- Trojan.Encoder.18000 — 14.65%
- Trojan.Encoder.11464 — 7.69%
- Trojan.Archivelock — 5.49%
- Trojan.Encoder.567 — 3.85%
- Trojan.Encoder.11539 — 3.85%
- Trojan.Encoder.25574 — 2.75%
Dr.Web Security Space for Windows protects against encryption ransomware
Dangerous websites
During April 2019, Doctor Web added 345,999 URLs to the Dr.Web database of non-recommended websites.
March 2019 | April 2019 | Dynamics |
---|---|---|
+270,227 | +345,999 | +28.04% |
Malicious and unwanted programs for mobile devices
In April, Doctor Web reported the dangerous trojan,
Also during April, new malware such as trojan downloaders and clickers were discovered in the Google Play catalogue, as well as new credential stealers for Instagram, called Android.PWS.Instagram.4 and Android.PWS.Instagram.5.
Additionally, new banking trojans threatened Android smartphone and tablet users. Among them were new versions of the
Among the most noticeable April events related to mobile malware were:
- the spread of malicious programs on Google Play;
- the distribution of banking trojans.