RSS
Логотип
Баннер в шапке 1
Баннер в шапке 2
2024/06/10 10:48:08

Trojans

A Trojan (Trojan horse, Trojan program, Trojan) is a type of malware whose main purpose is malicious exposure to a computer system. This category includes programs that carry out various unauthorized actions by the user: collecting information and transferring it to an attacker, destroying or malicious modification of it, disrupting the health of the computer, using computer resources for unseemly purposes.

Content

Main article: Malware (malware)

Features

Certain categories of Trojans damage remote computers and networks without disrupting the health of the infected computer (for example, Trojans developed for distributed DoS attacks on remote network resources). Trojans are distinguished by the lack of a mechanism for creating their own copies.

Some Trojans are capable of autonomously overcoming the protection of a computer system in order to penetrate and infect the system. In general, the Trojan enters the system along with a virus or worm, as a result of imprudent user actions or active actions of an attacker.

Most Trojan programs are designed to collect confidential information. Their task, most often, is to perform actions that allow access to data that is not widely publicized. These data include user passwords, program registration numbers, bank account information, etc. The rest of the Trojans are created to cause direct damage to the computer system, bringing it into an inoperable state.

Types of Trojans

The most common types of Trojans are:

  • Trojan-SPY (Trojan-SPY) - Trojans that are constantly in memory and store all data coming from the keyboard for the purpose of subsequent transfer of this data to an attacker. Usually, in this way, an attacker tries to find out passwords or other confidential information
  • Password thieves (Trojan-PSW) are Trojans that are also designed to obtain passwords, but do not use keyboard tracking. Usually, such Trojans implement ways to extract passwords from files in which these passwords are stored by various applications
  • Remote Management Utilities (Backdoor) - Trojans that provide complete remote control over the user's computer. There are legal utilities of the same property, but they differ in that they report their purpose during installation or are provided with documentation that describes their functions. Trojan remote control utilities, on the contrary, do not give out their real purpose in any way, so the user does not even suspect that his computer is controlled by an attacker. The most popular remote control utility is Back Orifice
  • Anonymous smtp servers and proxies (Trojan-Proxy) - Trojans that perform the functions of mail servers or proxies and are used in the first case for spam mailing, and in the second case for marking traces by hackers
  • browser Trojan-Cliker - Trojans that change the start page in, browser search page, or other settings to organize unauthorized access to Internet resources
  • Other Malware Installers (Trojan-Dropper) - Trojans that enable an attacker to secretly install other programs
  • Trojan Downloader - Trojans designed to download new versions of malware or advertising systems to the victim computer
  • Trojan-Notifier - Trojans of this type are designed to inform their "master" about an infected computer
  • "Bombs" in archives (ARCBomb) - Trojans, which are archives specially designed to cause abnormal behavior of archivers when trying to unzip data - hang or significantly slow down the computer, fill the disk with a large amount of "empty" data
  • Logic bombs are often not so much Trojans as Trojan components of worms and viruses, the essence of which is to perform a certain action under certain conditions (date, time of day, user actions, command from outside): for example, data destruction
  • Dialing utilities are a relatively new type of Trojans, which are dial-up utilities for accessing the Internet through paid mail services. Such Trojans are registered in the system as default dialing utilities and entail large bills for using the Internet

The principle of operation of Trojans

All "Trojan horses" have two parts: client and server. The client manages the server part of the program over TCP/IP. The client can have a graphical interface and contain a set of commands for remote administration.

Server part of the program - installed on the victim's computer and does not contain a graphical interface. The server part is designed to process (execute) commands from the client part and transfer the requested data to the attacker. After getting into the system and seizing control, the server part of the Trojan listens to a certain port, periodically checking the Internet connection and if the connection is active, it waits for commands from the client part. An attacker using a client pings a specific port of an infected node (the victim's computer). If the server part has been installed, then it will respond with confirmation of the ping about its readiness to work, and upon confirmation, the server part will inform the attacker the IP address of the computer and its network name, after which the connection is considered established. As soon as a connection has occurred with the Server, the Client can send commands to it, which the Server will execute on the victim machine. Also, many Trojans connect to the computer of the attacking side, which is installed to receive connections, instead of the attacking side itself trying to connect to the victim.

History

2024

Suddenly the smartphone screen went out? This Medusa Trojan rummages through your bank accounts

In late June 2024, researchers cyber security discovered an updated version of a banking Trojan for Android called Medusa, which was used to attack users in,,, To Canada,, and France Italy. Spain Turkey Great Britain USA More here

In the arsenal of the ExCobalt group active in Russia, an previously unknown backdoor was revealed

Positive Technologies has identified a new backdoor written in Go in the arsenal of the ExCobalt group active in Russia. The company announced this on June 7, 2024.

File:Aquote1.png
In March 2024, during an investigation into the incident, we found a file called scrond, compressed using the UPX (Ultimate Packer for eXecutables) packer, on one of the client's Linux nodes, said Denis Kuvshinov, head of cyber threat research at Positive Technologies security expert center. - Package paths containing the red.team/go-red/substring were found in the unpacked sample data written in Go. This allowed us to assume that the sample is a proprietary GoRed tool. In the process of analyzing GoRed, we found that several versions of the program had already been encountered earlier during the response to incidents from a number of customers.
File:Aquote2.png

Further analysis of the tool allowed the company's specialists to establish its connection with the ExCobalt group, whose attacks were reported in PT ESC in November 2023.

ExCobalt is known attacks to Russian companies in the areas of,, metallurgy telecommunications mining, and. industries IT She public sectors is also involved in cyber espionage and theft. data

The backdoor, named in PT ESC after the originally discovered GoRed sample, has many functions, including remotely executing commands, collecting data from compromised systems, and using various methods to communicate with C2 servers.

Research by Positive Technologies shows that the ExCobalt group continues to actively attack Russian companies, constantly improving its methods and tools, including the GoRed backdoor. Attackers are expanding GoRed's functionality for more complex and stealthy attacks and cyber espionage. ExCobalt members demonstrate flexibility by using modified tools to circumvent protective measures, indicating their deep understanding of vulnerabilities in companies' infrastructure. In general, the development of ExCobalt emphasizes the need to constantly improve methods of protecting and detecting attacks to counter such cyber threats.

The full report can be read on the PT ESC[1] team blog[2].

2023

The number of attacks on users of mobile devices in Russia has grown 1.5 times

According to Kaspersky Lab, in 2023, compared to 2022, the number of cyber attacks on users of Android devices in Russia increased 1.5 times. The company announced this on January 23, 2024. One of the most common types of mobile malware was various Trojans, that is, programs that are often disguised as legitimate. In general, the functionality of the Trojans differs depending on the type of malware to which they belong. For example, they can steal victims' data on devices, issue unwanted subscriptions, and lure money out.

Trojans' infection vectors are very diverse. Often users can encounter them when they install programs from unofficial sources. At the same time, attackers use various decoys to convince the victim to download a malicious program - disguise it as a useful or well-known application. Another vector is the infection of devices at one stage of the supply chain. In this case, a person can purchase a device with malware already preinstalled. It is worth noting that such a threat is also relevant for Russian users.

File:Aquote1.png
Attackers use various decoys to distribute Trojans on unofficial resources. Among the most relevant in 2023 for the Russian-speaking segment are fake installers of updates to various system applications, for example, pre-installed storks. Such applications were most often hidden by banking Trojans, less often - SMS Trojans and unwanted advertizing applications. Among the decoys, fake ones were also used. In applications banks this case, the malicious application opened a phishing page authorizations in the personal account of the financial institution. Malicious was also ON actively distributed as part of mods for. messengers Thus, including the CanesSpy spy Trojan was distributed. He could steal data documents from the infected contact list smartphone and about information accounts on the device, and also started recording from the device's microphone on command, "said Dmitry Kalinin, an expert at cyber security Kaspersky Lab.
File:Aquote2.png

Among other lures, under the guise of which Trojans were distributed, experts also highlight mods for games and fake investment projects, under the second actually hide scam applications.

Kaspersky Lab also presented forecasts for the landscape of mobile threats for the near future and drew attention to potential development vectors, which experts will have to observe especially closely.

File:Aquote1.png
We believe that in the near future the number of advanced attacks on mobile platforms will increase, as attackers are constantly looking for new ways to deliver malware, and the malware itself becomes more difficult. As a result, attackers can look for new ways to monetize their efforts. In addition, it is important to observe and analyze how the landscape of cyber threats will change if it becomes possible to install applications from alternative stores on iOS, bypassing the App Store without jailbreak. The risk for users is the situation with the removal of Russian applications from foreign storks. Attackers can use this situation and distribute malicious applications on unofficial sites under the guise of remote applications, "said Dmitry Galov, head of the Russian research center at Kaspersky Lab.
File:Aquote2.png

To protect against various cyber threats for mobile platforms, Kaspersky Lab experts recommend following the basic security rules:

  • download applications only on official sites: app stores or on the websites of development companies, and regularly update them;
  • before downloading the application, reading reviews about it and looking at ratings;
  • critical of extremely generous or overly frightening messages;
  • do not follow the links from dubious advertising on the Internet, it is especially critical to treat the promises of easy earnings;
  • Use reliable solutions, including on mobile devices.

Infection of Windows computers with a modular Trojan bootloader Trojan.Fruity.1

Doctor Web has identified an attack on Windows users using a modular Trojan Trojan.Fruity.1 bootloader. With its help, attackers are able to infect computers with various types of malicious applications, depending on their goals. A number of techniques are used to hide the attack and increase the chances of its effectiveness. Among them are a multi-stage process of infecting target systems, the use of harmless programs to launch Trojan components, as well as an attempt to bypass antivirus protection. This was reported on July 27, 2023 by Dr.Web. Read more here.

With the help of a Trojan in pirated Windows assemblies, attackers stole $19,000 worth of cryptocurrency.

Dr.Web specialists have identified a Trojan styler program in a number of unofficial OCWindows 10 assemblies that attackers distributed through one of the torrent trackers. As representatives of Dr.Web told TAdviser on June 14, 2023, a malicious application named Trojan.Clipper.231 replaces the addresses of crypto wallets in the clipboard with addresses set by scammers. With the help of this Trojan, attackers have already managed to steal cryptocurrency in the amount equivalent to about $19 thousand.

File:Aquote1.png
According to the calculations of our viral analysts, at the time of publication of this news with the help of a steeler Trojan.Clipper.231 the attackers stole BTC 0.73406362 and ETH 0.07964773, which is approximately equivalent to $18 976.29, or 1,568,233 rubles, the company said in a statement.
File:Aquote2.png

File:Windows-10-3081374613674.jpg
Windows pirated builds found a steeler to steal cryptocurrency
Photo: akket.com

At the end of May 2023, a client with suspected infection computer under the control of OS Windows 10 turned to Dr.Web. The analysis carried out by the company's specialists confirmed the presence of Trojan programs in the system - the Trojan.Clipper.231 styler, as well as malicious applications Trojan.MulDrop22.7578 and Trojan.Inject4.57873 that launched it. Virus the Dr.Web laboratory has localized all these threats and coped with their neutralization.

At the same time, it turned out that the target OS was an unofficial build, and malware was built into it initially. Further research has identified several such infected Windows assemblies:

  • Windows 10 Pro 22H2 19045.2728 + Office 2021 x64 by BoJlIIIebnik RU.iso
  • Windows 10 Pro 22H2 19045.2846 + Office 2021 x64 by BoJlIIIebnik RU.iso
  • Windows 10 Pro 22H2 19045.2846 x64 by BoJlIIIebnik RU.iso
  • Windows 10 Pro 22H2 19045.2913 + Office 2021 x64 by BoJlIIIebnik [RU, EN].iso
  • Windows 10 Pro 22H2 19045.2913 x64 by BoJlIIIebnik [RU, EN].iso

According to Dr.Web, all builds were available for download on one of the torrent trackers. At the same time, the company does not exclude that attackers use other sites to spread infected images of the system.

The malware in these assemblies is located in the system directory:

  • \Windows\Installer\iscsicli.exe (Trojan.MulDrop22.7578)
  • \Windows\Installer\recovery.exe (Trojan.Inject4.57873)
  • \Windows\Installer\kd_08_5e78.dll (Trojan.Clipper.231)

The initialization of the styler takes place in several stages. At the first stage, Trojan.MulDrop22.7578 malware is launched through the system task scheduler:% SystemDrive %\Windows\Installer\iscsicli.exe. Its task is to mount the system EFI partition to the M :\disk, copy two other components to it, then delete the original Trojan files from the C :\disk, run the Trojan.Inject4.57873 and unmount the EFI partition.

In turn, Process Hollowing Trojan.Inject4.57873 is implementing Trojan.Clipper.231 in system process% WINDIR %\\System32\\Lsaiso.exe, after which the styler begins to work in its context, Doctor Web experts explained.

Having received control, the Trojan.Clipper.231 proceeds to track the clipboard and replaces the copied addresses of the crypto wallets with the addresses specified by the attackers. At the same time, he has a lot of restrictions. First, perform it starts spoofing only if the system file% WINDIR %\\INF\\scunown.inf is present. Secondly, the Trojan checks active processes. If it detects the processes of a number of applications dangerous to it, then it does not replace the addresses of crypto wallets.

File:Aquote1.png
The introduction of malware into the EFI partition of computers as an attack vector is still very rare. Therefore, the identified case is of great interest to information security specialists, - noted in "Dr.Web."
File:Aquote2.png

The company recommends that users download only original ISO images of operating systems and only from trusted sources, such as manufacturer sites.

SymStealer vulnerability puts every Google Chrome user at risk

On March 13, 2023, it became known that the Imperva Red team at the end of 2022 discovered in, browser Google Chrome vulnerability which is being monitored under identifier CVE-2022-3656. At the time the vulnerability was active, it affected over 2.5 billion users Chrome and allowed to malefactors the theft of confidential ones, files such as cryptopurses accounts. data cloudy provider

The vulnerability was discovered during a test of how the browser interacts with the file system, in particular, searching for common vulnerabilities related to the way browsers handle symbolic links. Symlink is a file type that points to another file or directory, allowing the operating system to handle the associated file or directory as if it were in a symbolic link location. This can be useful for creating shortcuts, redirecting file paths, or more flexible file organization.

Illustration: securitylab.ru

However, symbolic links can also create vulnerabilities if they are not handled properly. In case of vulnerability, the CVE-2022-3656 browser incorrectly checked whether the symbolic link indicates a place to which access is not supposed, which allowed the theft of confidential files.

An attacker can create a fake website that offers, for example, a crypto wallet service. And in the process of creating a wallet, ask to download the so-called "recovery keys" to the computer. These keys will actually be a zip file containing a symbolic link to a confidential file or folder on the user's computer, such as the credentials of a cloud provider. When the user unzips and downloads the recovery keys back to the website, the symbolic link will be processed and the attacker will gain access to the required confidential file. The user may not even realize that something is wrong, since the website may look quite legal, and the process of downloading and uploading recovery keys is normal practice for cryptocurrency wallets.

Google has completely eliminated the vulnerability of symbolic links in Chrome version 108. To protect your crypto assets, it is important to keep the software up to date, avoid downloading questionable files or clicking on links from unreliable sources[3].

Updated Pakistani Trojan ReverseRAT targets Indian government agencies

Information security company ThreatMon has discovered a targeted phishing campaign targeting Indian government agencies that is leading to the deployment of an updated version of the ReverseRAT RAT Trojan. ThreatMon experts attributed this activity to the SideCopy group. This became known on February 21, 2023.

SideCopy is a hacker group Pakistani of origin that intersects with another threat actor called Transparent Tribe. It is so named because it simulates SideWinder infection chains to deliver its own. malware SideCopy was first spotted in 2021 during the roll-out of ReverseRAT in attacks on governments and companies in power India and. Afghanistan

The discovered SideCopy campaign uses the Kavach two-factor authentication program, which is used by Indian civil servants. The infection chain begins with a phishing email containing a Word macro-enabled document ("Cyber ​​Advisory 2023.docm").

The file simulates the recommendation of the Ministry of Communications of India on threats to Android devices and their response ("Android Threats and Prevention"). In addition, most of the content was copied from the Ministry's actual warning.

After opening the file and enabling macros, malicious code is executed, which leads to the deployment of ReverseRAT on the compromised system. As soon as ReverseRAT gets consistency, it lists the victim's devices, collects data, encrypts them using RC4 and sends them to a control and control server (C2, C&C). The backdoor waits to execute commands on the target machine, and some of its functions include taking screenshots, downloading and executing files, and exfiltrating files to the C2 server.

The ReverseRAT backdoor was first discovered in 2021 by Black Lotus Labs. Then the experts explained that the Trojan operators are aimed at government and energy organizations in the regions of South and Central Asia.

Since 2020, SideWinder, with which the SideCopy group is associated, has carried out a series of 1,000 attacks, using increasingly sophisticated cyber attack methods. In 2022, Kaspersky Lab spoke about the goals of SideWinder - the military and law enforcement agencies of Pakistan, Bangladesh and other countries of South Asia. It is believed that the group is associated with the government of India, but the LoC claims that the group does not belong to any country[4]

2022

Linux backdoor hacks WordPress sites

Doctor Web has identified a Trojan program for OS Linux hacking CMS-based sites WordPress through 30 in vulnerabilities a number of plugins and themes for this platform. More. here

Spreading the Godfather Trojan around the world

On December 21, 2022, Group-IB announced the spread of a new banking Trojan around the world - Godfather. It attacks users of financial services. Read more here.

Qakbot Trojan spreads inside SVG images

Cybersecurity researchers at Cisco Talos found that Qakbot operators spread malware using SVG images embedded in HTML email attachments. This became known on December 15, 2022.

This distribution method is called HTML Smuggling (HTML Smuggling) - it uses HTML and JavaScript functions to run the encoded malicious code contained in the decoy attachment and deliver the payload to the victim's computer.

Chain of attack

In a chain of attacks, a JavaScript script is inserted inside the SVG image and executed when the recipient of the letter runs an HTML attachment. After launch, the script creates a malicious ZIP archive and provides the user with a dialog box to save the file.

The ZIP archive is also protected by a password that appears in the HTML attachment, after which the ISO image is extracted to launch the Qakbot Trojan.

Qakbot infection process

According to experts from Sophos, Qakbot collects a large range of profile information from infected systems, including information about all configured user accounts, permissions, installed software, running services[5].

Harly is a subscriber Trojan on Google Play

Kaspersky Lab researchers reported the Harly Trojan, active since 2020. According to the report, at least 190 applications are infected with malware, which have a total of 4.8 million downloads. However, there may be many more victims. This became known on September 27, 2022.

To deceive users, Harly operators use the Jocker Trojan strategy - they download legitimate applications from Google Play, embed malicious code into them and upload them back under a different name. At the same time, in order not to arouse suspicion, the developers leave their functionality to applications.

Examples of applications containing malware on Google Play

However, Harly and Jocker have a difference: the first Trojan contains the entire payload inside the application and decrypts it for launch in various ways, and the second - a tiered bootloader that receives the payload from the attackers' servers.

After launching an application infected with Harly, a suspicious library is loaded in which a file is decrypted from the application resources. After decryption, the Trojan collects information about the user's device, especially about the mobile network. The user's phone switches to the mobile network, after which the Trojan asks the command server for the configuration and list of subscriptions that need to be issued.

Then Harly opens the subscription address in an invisible window, enters the user's phone number with the help of injecting JS scripts, presses the necessary buttons and substitutes the verification code extracted from the SMS that came to the phone. As a result, without the user's knowledge, a subscription is issued to him.

Another interesting feature of Harly is that it can issue subscriptions protected not only by an SMS code, but also by a phone call: the Trojan makes a call to a specific number, confirming the subscription.

In order not to become a victim of such applications, experts recommend that users look at reviews of applications before downloading[6].

RAT Trojan developer posted its source code on GitHub

SafeBreach Labs researchers analyzed an updated campaign aimed at Farsi-speaking developers. The attackers used a Microsoft Word document that included a Microsoft Dynamic Data Exchange (DDE) exploit along with a previously unknown RAT remote access Trojan tracked by SafeBreach Labs as CodeRAT. Notably, the experts were able to identify the CodeRAT developer who decided to publish the CodeRAT source code to their public GitHub account . This became known on September 5, 2022

Illustration: www.securitylab.ru

CodeRAT allows the operator to track victim activity on social networks and on local computers, supporting 50 commands, including:

  • Taking screenshots
  • Copy the clipboard
  • Completion of processes
  • analysis of graphic usage; processor
  • Download, upload, and delete files
  • Monitoring of running processes
  • execution of programs.

malware Can also track:

CodeRAT also tracks a large number of browser window headers, 2 of which are special to Iranian victims - a well-known Iranian e-commerce site and a Farsi web messenger.

Experts believe CodeRAT is spyware used by the Iranian government. According to the researchers, tracking porn site visits, using anonymous viewing tools and social media activity makes CodeRAT an intelligence tool used by an attacker associated with the government.

CodeRAT can operate in hidden mode, avoiding sending data. Malware does not use a dedicated C&C server, instead it downloads data to an anonymous public site. CodeRAT limits its use to 30 days to avoid detection. It also uses the HTTP Debugger website as a proxy to communicate with its C&C channel on Telegram.

The researchers also found evidence that the attackers' names may be Mohsen and Siavakhsh, which are common Persian names.

According to the scientists, their goal is to raise awareness of this updated type malware using a relatively updated method of using the site to anonymously send files as a C&C server. Experts also plan to warn the developer community that they are especially are vulnerable for this attacks[7]

BugDrop dropper infects Android devices with dangerous Xenomorph Trojan

Researchers from ThreatFabric have discovered a previously unknown dropper Trojan for Android, which is under development in August 2022. The malware tries to penetrate Android devices using technology that has not previously been encountered by specialists, and then infect the victim with a dangerous Xenomorph Trojan. This became known in August 2022. Read more here.

Russian companies attack "spy" Trojan, source unknown

Antivirus vendor MalwareBytes on August 3, 2022 announced a series of cyber attacks aimed at Russian organizations. In particular, attackers attacked the United Aircraft Corporation (UAC) using the WoodyRat RAT Trojan.

RAT is short for Remote Administration Tool or Remote Access Tool. This is usually the name of Trojans used to ensure stable remote access in the network of target organizations.

MalwareBytes claims that the attacks used WoodyRat, a multifunctional Trojan that is distributed either as archives or as malicious Microsoft Office documents trying to exploit the Follina vulnerability.

WoodyRat Distribution Methods

Follina was identified in the Microsoft Support Diagnostic Tool (MSDT) in the spring of 2022, its operation is carried out using Microsoft Office documents.[8] This vulnerability allows you to remotely execute code on Windows systems, and, as Kaspersky Lab's SecureList writes, in some cases the attack could be successful even if the victim did not open the document, but only used the preview function in Explorer, or opened it in protected mode.[9]

According to MalwareBytes, the Woody Rat malware has been active for at least a year, but attackers began to use the Follina vulnerability only after information about it was published.

Attacks using archives and using documents with the Follina vulnerability differed between themselves.

An active malicious component - an executable file - can be sent using speer phishing emails with attachments in the form of ZIP files and the names anketa_brozhik.doc.zip or zayavka.zip. The archives contain.EXE executable files with the same names as the archive.

A malicious document that looks like a memo to information security

If the Follina vulnerability is exploited, attackers use DOCX files with names like "Memorable.docx" - this may be a completely innocent-looking information security memo with typical recommendations for employees. But at the same time, the document contains a malicious component that allows you to quietly download and run the executable file.

Having penetrated the machine, the malware begins to exchange data with the control server, and everything forwarded is encrypted using a combination of RSA-4096 and AES-CBC algorithms. As the researchers have established, data about the architecture and operating system of the infected machine, the presence of antiviruses, information about .NET, PowerShell and Python, as well as about connected data drives, a list of active processes, a list of accounts and their privileges, and so on are sent to the control server.

The malware is capable of detecting six antiviruses, including developments Kaspersky Lab and, "Dr.Web" as well as,, and Avast. AVG ESET Sophos

Judging by the commands that the malware supports, it is able to download, run, upload and delete arbitrary files on the infected system, take screenshots, create new processes and inject into existing ones.

To exchange data with the control server, the malware forms two different threads, after which it removes its files from the hard drive.[10]

MalwareBytes claims that they cannot associate attack with any of the known hacker groups. Historically the Russian , institutions have been attacked by and, the Chinese the North Korean APT however, who acts in this case remains a mystery.[11]

It is curious that the attackers placed the malware control server in the domain fns77.ru. This is a clear attempt to pass it off as an official resource. In fact, the Federal Tax Service already uses only domains in the zone gov.ru. 77 is the code of Moscow in tax documents and the first two digits in the codes of Moscow tax inspections. The attackers obviously know about it.

In the screenshot "Information Security Memos" given in the MalwareBytes publication, there are no serious language errors that could give out the foreign origin of the text. This, however, does not mean anything: attackers could well use a real document of this kind without changing anything in it.

The antivirus vendor does not give examples of speer phishing emails that victims received.

File:Aquote1.png
"Such RAT Trojans are used for the most targeted, narrowly targeted attacks, when attackers know exactly what they want to achieve," says Alexey Vodyasov, CTO of SEQ. - Malware functionality is clearly spyware. But it does not follow from nowhere that its operators are not ordinary cyber borrowers working for those who pay more. "
File:Aquote2.png

FluBot Trojan destroyed

Europol announced the destruction of one of the fastest spreading malware - the Android Trojan FluBot. This became known on June 1, 2022.

ON 11 took part in the operation to destroy the malicious. countries

According to authorities, FluBot actively spread through text messages, stole passwords, bank details and other confidential information from infected smartphones.

The infrastructure supporting the Trojan was destroyed by Dutch police in May, making the malware inactive, Europol said.

FluBot was first spotted in December 2020, when the malware managed to wave around the world, breaking into millions of devices. The Trojan's calling card was its way of spreading - harmless SMS messages. They asked the victim to follow the link and install an application to track packages or listen to a fake voice message.

After installation, FluBot requested permissions to access device data. Having gained access, hackers stole the credentials of the victims' banking applications and cryptocurrency accounts, and then turned off the built-in security mechanisms.

Because the malware could access the contact list, it spread like wildfire, sending messages with links to FluBot to all the victim's contacts.

According to Europol, experts are still looking for attackers who distributed FluBot around the world.

Not so long ago, a wave of FluBot infections took place in Finland. In 24 hours, the malware managed to infect the devices of tens of thousands[12] victims[13].

Secretive Nerbian RAT spotted in attacks across Europe

On May 12, 2022, it became known that experts from Proofpoint warned users about the appearance of a remote access Trojan (RAT) called Nerbian. RAT is written in language Go and targets organizations in,, and Great Britain. Italy Spain

Illustration: securitylab.ru
File:Aquote1.png
"The Trojan is written in an OS-independent Go programming language, compiled for 64-bit systems, and uses multiple encryption procedures to bypass network analysis," -

researchers write.
File:Aquote2.png

RAT can register keystrokes, run arbitrary commands, take screenshots and transfer data to a remote C&C server. The developer of the Trojan is still unknown.

Nerbian is distributed from April 26, 2022 through phishing a newsletter using fake emails on the subject. COVID-19 The number of such letters does not exceed 100, and they are disguised as letters WHO about measures safety in an epidemic. In letters, victims are invited to open a document Word with a macro, which in the background launches a chain of infection.

Illustration: securitylab.ru

Proofpoint said that the payload dropper is UpdateUAV.exe - a 64-bit executable, 3.5 file MB in size and written in the language. Go (Golang) According to the researchers, malware the dropper and were developed by one author.

Proofpoint researchers have noticed many anti-analytical components in Nerbian, complicating reverse engineering and anti-reversive inspections. Security components are also used to self-isolate the Trojan when detecting debuggers or memory analysis programs.

Recently it became known about another Trojan TeaBot, which, according to experts from Proofpoint, attacked more than 400 applications and infected millions of devices.[14]

A Trojan for remote access has appeared on the darknet - Borat

Another remote access Trojan (RAT) called Borat has appeared on cybercriminal marketplaces, offering easy-to-use features for conducting DDoS attacks, bypassing UAC and installing ransomware.

Borat allows remote attackers to gain full control over mouse keyboard and their victim, gain access to, to files network points and hide any signs of their presence. Malicious ON also allows its operators to select compilation options to create small payloads for highly specialized ones. attacks

It is unclear whether Borat RAT is sold for a certain price or is freely distributed among cybercriminals, but experts from Cycle reported that the malware comes in a package that includes a collector, malware modules and a server certificate .

Borat functions include keylogging, installing programs extortioners and automatically creating a ransom note, conducting DDoS an attack, audio recording, writing from web-, cameras launching hidden remote desktop for file operations, using input devices, executing code, running applications, configuring a reverse proxy server, collecting basic about the information system, injecting malicious code into legitimate processes, stealing credentials data and tokens. Discord

According to experts, these functions make Borat spyware and ransomware, so it is a dangerous threat[15].

Trojans discovered to steal cryptocurrencies from mobile device owners

On March 22, 2022, the company Dr.Web"" announced the distribution of Trojan programs created to steal cryptocurrencies from owners. mobile devices Harmful applications steal secret seed phrases that are needed to access crypto wallets. At the same time, users of both Android devices and are at risk. smartphones Apple

According to the company, the detected Trojan applications are hidden in versions of popular crypto wallets modified by cybercriminals. As of March 2022, Doctor Web specialists record cases of malicious code injection in copies of applications such as imToken, MetaMask, Bitpie and TokenPocket, but this list may be wider. Known modifications of the identified threats are detected Dr.Web as Trojans from Android the.CoinSteal and. IPhoneOS CoinSteal families. Среди них — Android.CoinSteal.7, Android.CoinSteal.8, Android.CoinSteal.10, IPhoneOS.CoinSteal.1, IPhoneOS.CoinSteal.2, IPhoneOS.CoinSteal.3 и другие.

Image:MetaMask.png
MetaMask

Trojan versions of crypto wallets are distributed through malicious sites that copy the appearance and functionality of the original web resources of the corresponding projects. The addresses of such sites are also as close as possible to the present, which, combined with social engineering methods, can increase the chances of successful deception of potential victims.

Depending on the type of device from which fake sites are visited, users are invited to download and install the version of the wallet for the corresponding platform - Android or iOS. Downloading Android versions of Trojans most often occurs directly from the visited malicious resource. At the same time, owners of iOS devices are usually redirected to another site designed in the style of Apple's official application catalog. This is another intruder device designed to deceive potential victims.

Despite the fact that on both operating systems the installation of programs from third-party sources is disabled by default or not provided, it is still possible. So, on Android devices, it is enough to enable the necessary option in the system settings. And in the case of Apple devices, scammers use the installation mechanism through special configuration profiles and provisioning profiles. Some companies use such profiles, for example, to distribute software to their employees, bypassing the App Store. At the same time, installation does not require that iOS devices be unlocked ("hacked") and have a jailbreak. The process of installing one of these malicious programs (IPhoneOS.CoinSteal.2 according to the classification of Doctor Web) using the example of an iOS device is shown in the following image:

Image:Процесс установки одной из таких вредоносных программ.png
Malware Installation Process

Video installation and operation of the Trojan, as well as comparison of it with the version of the application from the App Store.

Since Trojans are copies of real applications with minimal modifications, they work in the same way as the originals, and it is almost impossible to distinguish them from each other by external features.

Image:Работа обеих версий.jpg
For comparison, the work of both versions is demonstrated

After installing the Trojans, all malicious activity passes unnoticed by the victims. It consists in stealing a secret mnemonic seed phrase, which is unique to each crypto wallet and protects it from the access of outsiders. In fact, a seed phrase is an analogue of a master password. Having received it, cybercriminals will be able to get to the cryptocurrency stored in the wallet and steal it. At the same time, owners of both existing wallets and newly created ones are at risk.

Doctor Web specialists recommend that users install crypto wallet programs only from official application directories and not download them from third-party sources. At the same time, it is important to pay attention to the existing reviews, as well as signs of possible forgery - the absence of older versions, the presence of typos in the description, the inconsistency of screenshots of actual functionality.

Due to the increased risks of restricting the work of Google Play, App Store and other software catalogs in Russia, it is recommended to install the necessary applications in advance. Scammers can take advantage of a potential blocking situation and start spreading malware more intensively under the guise of originals both through fake sites and through other channels - for example, cloud services and file-sharing networks.

Android Trojan TeaBot now attacks more than 400 apps

The TeaBot Remote Access Trojan (RAT) has received updates that have led to an increase in the number of its victims around the world. This became known on March 3, 2022.

Earlier, the research team of Cleafy reported that TeaBot now attacks more than 400 applications and abandoned mixing (a type of phishing via SMS) in favor of more advanced techniques.

When TeaBot first appeared in early 2021, it was distributed via phishing SMS and impersonated only 60 applications. In July 2021 malware , it was configured for attacks dozens of applications. the European banks

Then TeaBot went beyond Europe and began to attack users in Russia, the United States and Hong Kong. The list of applications under which it disguised itself has also expanded, in particular, cryptocurrency exchanges and insurance companies were added to it.

According to Cleafy experts, the malware has also learned to penetrate the official Android repositories through dropper applications. In February 2022, experts discovered on Google Play the QR Code & Barcode Scanner application, which delivered TeaBot to users' devices through fake updates.

Malicious developers ON often publish a legitimate application to the official repository, pass all security checks, and after it dials a solid user application, base deploy an update that turns a harmless application into a malicious one.

After installation on the device, TeaBot first uses the Android Accessibility service, requesting permissions for actions that allow it to record keystrokes and remotely hack the device. Moreover, TeaBot is able to take screenshots and monitor the screen in order to steal the credentials data and codes two-factor authentication[16]

2021

Dozens of games with built-in Trojan found in AppGallery app catalog

On November 23, 2021, Doctor Web announced the discovery of dozens of games in the AppGallery catalog with a Trojan Android.Cynos.7 built into them, which collects information about users' mobile numbers. Dangerous games were installed by at least 9,300,000 owners of Android devices. Read more here.

Avast: Evolved banking trojan Ursnif attacks users around the world

Researchers at Avast Threat Labs, a division of Avast, a digital security and security solutions representative, found that the evolved banking Trojan Ursnif continues to attack users around the world. For several years it has been distributed through phishing emails written in different languages. The company announced this on March 9, 2021.

Unlike other Trojans, Ursnif is installed on the victim's device after downloading her backdoor, allowing unauthorized users to bypass the usual security mechanisms and gain a high level of access to a computer system, network or programs. Ursnif is a so-called "file-free malware" - an advanced program that leaves almost no traces in the system. Since Ursnif is installed after the backdoor and must receive information through the C&C server for activation, it can remain unnoticed for hours until it eventually starts malicious activity.

Ursnif can not only steal bank data, but also gain access to some emails and browsers, as well as get to the cryptocurrency wallet.

File:Aquote1.png
The mechanisms for stealthily bypassing security tools were made quite ingeniously. This can be a particularly effective tactic against devices that do not have enhanced security levels, such as detecting suspicious behavior, "said Michal Salat, director of Avast's threat research department. - These attacks once again prove that a person is the weakest link in the system. It is necessary to remember that it is dangerous to open letters with an attachment from unknown senders and click on links. If the user has already made a mistake and opened the letter, only disabling the macro in the document will help.
File:Aquote2.png

During the analysis, Avast researchers discovered bank details, payment details, information logins, passwords and, data credit cards which, as it turned out, were stolen by Ursnif operators. Ursnif's main target was: the Italian banks attackers attacked more than 100 banks; and more than 1,700 bank data stole one payment service. The information obtained helped Avast researchers protect Ursnif victims and users who may encounter it in the future.

The team of researchers reported the attacks to banks and payment services that they were able to identify, as well as government services that process financial information. Companies affected by the attacks took all necessary actions to protect customers and eliminate damage caused by Ursnif's activities.

Avast believes that such information will help make the Internet safer.

2020

Publishing the source code of the Cerberus Trojan on the dark web

In mid-September 2020 Darknet , the source code of the banking Trojan appeared on hacker forums. Cerberus Its creators planned to help out $100 thousand, but the buyer was not found. More. here

Trojans used during ATP attacks on state institutions of Kazakhstan and Kyrgyzstan studied

In March 2019, a client from a state institution of the Republic of Kazakhstan contacted Doctor Web on the issue of malware on one of the computers on the corporate network. This was reported to "Dr.Web" by TAdviser on July 22, 2020. This appeal led to the start of an investigation, as a result of which the company's specialists discovered and for the first time described a group of Trojan programs used for a full-scale targeted attack on the institution. In addition, in February 2020, representatives of the state institution of the Kyrgyz Republic turned to Dr.Web with signs of infection of the corporate network.

Considering that the unauthorized presence in both infrastructures continued for at least three years, as well as the fact that when studying reports from servers, completely different families of Trojan programs were identified, Doctor Web admits that several hacker groups may be behind these attacks at once. At the same time, some of the Trojans used are well known: some of them are exclusive tools of well-known APT groups, the other part is used by various APT groups in China. Read more here.

Avast: HiddenAds Trojan found on Google Play Store in 47 apps that mimic games

On June 26, 2020, it became known that Avast, a company in the field of digital security and security solutions, discovered 47 game applications in the Google Play Store that are part of the HiddenAds family of Trojans. Avast has already informed Google Play Store representatives about the found applications, but as of June 26, 2020, some applications are still available in the Google Play store. Read more here.

2019

Casbaneiro Trojan hunted for cryptocurrency of Brazilian and Mexican users

An international company ESET has studied the bank Casbaneiro family of Trojans. This became known on October 10, 2019. Harmful the program also hunted users cryptocurrency the Brazilian the Mexican.

During the study, ESET experts found that Casbaneiro has similar functionality to another family of banking Trojans, Amavaldo. Malware uses the same thing cryptographic algorithm and distributes a similar malicious utility for. mails

Like Amavaldo, the Casbaneiro Trojan uses pop-ups and forms to deceive victims. Such methods of social engineering are aimed at primary emotions - a person is urgently, without hesitation, forced to make a decision. The reason may be an update, ON verification credit maps or request from. bank

After infection, Casbaneiro restricts access to various bank sites, as well as monitors key presses and takes screenshots. In addition, the Trojan tracks the clipboard - if the malware sees the personal data of the cryptocurrency wallet, it replaces the recipient's address with the fraudster's wallet.

The Casbaneiro family uses many complex algorithms to mask code, decrypt downloaded components and configuration data. The main way to distribute Casbaniero is malicious phishing, like Amavaldo.

A feature of the Trojan was that Casbaneiro operators carefully tried to hide the domain and port of the C&C server. It was hidden in a variety of places - in fake DNS records, in online Google Docs documents and even on fake sites of different institutions. Interestingly, sometimes attackers managed to hide traces of the control server on official sites, as well as in the descriptions of the[17] video: [18].

Detection of a malicious copy of the site of the FSSP of Russia

On October 8, 2019, it became known that specialists from the Dr.Web virus laboratory discovered a malicious copy of the website of the Federal Bailiff Service (FSSP) of Russia. Hackers use a fake site to infect users with the Trojan.DownLoader28.58809 Trojan.

Detection of a malicious copy of the site of the FSSP of Russia

As reported, a copy of the website of the FSSP of Russia was discovered by specialists at 199.247. * * *. * * *. Outwardly, the fake is almost no different from the original, but, unlike the official website, some elements are incorrectly displayed on it.

If you try to click on some links on the site, the user will be redirected to the page with a warning to update Adobe Flash Player. At the same time, the.exe file will be downloaded to the user's device, when launched, the Trojan.DownLoader28.58809 will be installed.

This Trojan is installed in startup on the user's system, connects to the control server and downloads another malicious module - Trojan.Siggen8.50183. In addition, a file with a valid Microsoft digital signature and designed to run the main malicious library is downloaded to the user's device. After that, the Trojan.Siggen8.50183 collects information about the user's system and sends it to the control server. After installation, the Trojan will always run on the user's device and will be able to perform various command actions from the control server.

Running on the victim's device, the Trojan can:

  • Get disk information
  • Get information about the file.
  • get information about the folder (find out the number of files, subfolders and their size);
  • Get a list of files in the folder.
  • Delete files
  • Create a folder
  • Move the file
  • Start the process
  • stop the process;
  • Get a list of processes.

According to data as of October 2019, hackers have not yet launched large-scale viral campaigns using a fake site, but it could be used in attacks on individual users or organizations.

All versions of this Trojan are detected and removed by Dr.Web antivirus.

Android Trojan Fanta stole 35 million rubles in Russia. At gunpoint - Avito users

On September 17, 2019, the company Group-IB announced that its specialists had recorded a campaign Android of Troyan FANTA, attacking 70 clients, banks payment systems web wallets Russia in the CIS countries. The Trojan targets users who post buy-sell ads on. Internet service Avito Since the beginning of 2019 alone, the potential damage from FANTA in Russia amounted to at least 35 million rubles.

Despite the fact that various variations of the Flexnet family of Android Trojans have been known since 2015, and have been studied in detail, the Trojan itself and its associated infrastructure are constantly developing: attackers are developing new effective distribution schemes, adding functionality that allows them to more effectively steal money from infected devices and bypass security tools.

Fanta Android Trojan Action Diagram

The recorded campaign uses high-quality phishing pages for the popular Internet service Avito and targets users who post ads for purchase and sale. The scheme works as follows: some time after publication, the seller receives a personalized SMS about the "transfer" to his account of the required amount - the full cost of the goods. He is invited to see the details of the payment at the link.

A satisfied seller clicks on the link: a phishing page opens, forged under the real Avito page, notifying the seller of the purchase and containing a description of his product and the amount received from the "sale" of the product. After clicking on the "Continue" button, the malicious APK FANTA disguised as the Avito application is downloaded to the user's phone. This disguise puts the user to sleep and installs a malicious application. Obtaining data from bank cards is carried out in a standard way for Android Trojans: the user is shown phishing windows masquerading as legitimate mobile applications of banks, where the victim herself enters the data of his bank card.

The current campaign is aimed at Russian-speaking users, most of the infected devices are in Russia, a small number are recorded in Ukraine, as well as in Kazakhstan and Belarus.

FANTA analyzes which applications run on the infected device. When you open the target application, the Trojan displays a phishing window on top of all others, which is a form for entering bank card information. The user needs to enter the following information: card number, card validity period, CVV, cardholder name (not for all banks).

Investigating the Trojan, it was discovered that in addition to demonstrating pre-prepared phishing pages, Fanta also reads the text of notifications of about 70 bank applications, fast payment systems and electronic wallets.

Phishing pages analyzed by Group-IB Threat Hunting Intelligence specialists for the Internet service for posting Avito ads indicate that they were prepared purposefully for a specific victim.

When researching the Trojan, it was found that in addition to Avito, FANTA developers target users of about 30 different Internet services, including AliExpress, Yula, Pandao, Aviasales, Booking, Trivago, as well as taxis and car-sharing services, etc.

FANTA runs on all versions of Android at least 4.4. Like other android Trojans, FANTA is capable of reading and sending SMS, making USSD requests, showing its own windows on top of applications. However, in the recorded campaign, the mobile Trojan began to use AccessibilityService (a service for people with disabilities), which allows it to read the contents of notifications of other applications, prevent detection and stopping the execution of the Trojan on the infected device.

The Trojan "checks" the type of device, after which it displays a message about a system failure on the user's smartphone screen. After that, the user is shown the "System Security" window - a request for granting rights to use the AccessibilityService. After obtaining rights, the application already gains rights to other actions in the system without assistance, emulating the user's keystrokes.

An important function of FANTA, which the creators paid special attention to, is bypassing antivirus tools on an Android smartphone. This is how the Trojan prevents the user from launching applications: Clean, Meizu Applicatiom Permission Management, MIUI Security, Kaspersky Antivirus AppLock & Web Security Beta, Mobile AntiVirus Security PRO, AVG Protection for Xperia, Samsung Smart Manager, Dr. Internet Security Antivirus Mobile Control Center, Dr.Web Anti-Virus, Kaspersky Space

File:Aquote1.png
"The reason for this study was a real case: the specialist information security who published the ad on Avito received a suspicious SMS. He immediately sent it to the Group-IB Threat Hunting Intelligence team, which during the study revealed a large-scale campaign of the Android Trojan FANTA. However, not all stories end so well, so we recommend that users regularly install OS Android updates, do not follow suspicious links received in SMS messages, do not visit suspicious resources and do not download from there, and files also do not install applications from unofficial sources. As for the banks and vendors of mobile applications targeted by this family of Android Trojans, we can recommend the use of systems for proactive prevention bank fraud all devices (smartphone,,,) tablet laptop through PERSONAL COMPUTER any channels of interaction with the bank (mobile application, online banking, etc.). "
File:Aquote2.png

Amavaldo banking Trojan uses screenshots to steal information

On August 8, 2019, the international antivirus company ESET announced that it had studied a number of banking Trojans that attack Latin American users.

These malware have a number of similar features: they are written in Delphi, contain backdoor functionality, consist of several components, disguise themselves as legitimate documents and software, and are also aimed at Spanish and Portuguese-speaking countries in Latin America.

Attackers use social engineering to attack: malware detects open windows on the victim's device. Having discovered an open bank site, they show the user a request to urgently enter information credit card about or bank account. Information entered into fake windows is sent to server attackers.

In the course of the study, ESET experts studied in detail the typical Amavaldo banking Trojan for this group. It can take screenshots, provide attackers with access to the victim's webcam, record keystrokes, download and run programs, restrict access to bank sites, etc.

Amavaldo collects data about the computer, as well as methods of protecting online payments and banking applications (for example, checks for antivirus with such functions).

The attack vector of this Trojan is especially noteworthy. Having discovered the bank's open site, Amavaldo takes a screenshot of the desktop, which is then used to simulate the background. Next, the user is shown a pop-up window, where they are required to enter bank data.

Thus, the victim cannot interact with any elements of a static background, only this window remains active. Criminals even disable some keyboard shortcuts so that the user cannot switch to another process.

Almost 102 million Android users have installed a clicker Trojan from the Google Play catalog

On August 8, 2019, Dr.Web reported that almost 102 000 000 Android users have installed a clicker Trojan from the Google Play catalog.

Clicker Trojans are common malware to cheat on website visits and monetize online traffic. They simulate the actions of users on web pages by clicking on links and other interactive elements located on them.

The Trojan is a malicious module that Dr.Web is classified as Android.Click.312.origin. It is built into ordinary applications ones - dictionaries, online maps, audio players, scanners barcodes and more. ON All these programs are functional, and for owners of Android devices they look harmless. In addition, when they are launched, the Android.Click.312.origin begins malicious activity only after 8 hours, so as not to arouse suspicion among users.

Starting work, the Trojan sends the following information about the infected device to the control server:

  • manufacturer and model;
  • OS version;
  • User's country of residence and default system language
  • User-Agent ID;
  • name of the mobile operator;
  • Type of Internet connection
  • Screen settings
  • time zone;
  • information about the application in which the Trojan is embedded.

In response, the server sends it the necessary settings. Some of the functions of the malicious application are implemented using reflection, and these settings contain the names of methods and classes along with parameters for them. These parameters are used, for example, to register the broadcast message receiver and content watcher with which the Android.Click.312.origin monitors the installation and update of programs.

When installing an application or downloading an apk file by the Play Market client, the Trojan transmits information about this program to the control server along with some technical data about the device. In response, the Android.Click.312.origin receives the addresses of sites, which it then opens in invisible WebViews, as well as links that it downloads in a browser or Google Play directory.

Thus, depending on the settings of the control server and the instructions received from it, the Trojan can not only advertise applications on Google Play, but also quietly download any sites, including those with ads (including videos) or other dubious content. For example, after installing applications in which this Trojan was built, users complained about automatic subscriptions to expensive content provider services.

Almost 102 million Android users have installed a clicker Trojan from the Google Play catalog

Dr.Web specialists failed to recreate the conditions for the Trojan to download such sites, but the potential implementation of this fraudulent scheme in the case of Android.Click.312.origin is quite simple. Since the Trojan informs the management server about the type of current Internet connection, if there is a connection through the mobile operator's network, the server can send a command to open the website of one of the partner services that support WAP-Click technology. This technology simplifies the connection of various premium services, but is often used to illegally subscribe users to premium services. The company covered this problem in 2017 and 2018. In some cases, connecting an unnecessary service does not require user confirmation - a script posted on the same page or the Trojan itself can do this for him. He will "press" the confirmation button. And since Android.Click.312.origin will open the page of such a site in an invisible WebView, the entire procedure will take place without the knowledge and participation of the victim.

Viral analysts of "Dr.Web" have identified 34 applications in which the Android.Click.312.origin was built. They were installed by over 51,700,000 users. In addition, the Trojan modification, named Android.Click.313.origin, was downloaded by at least 50,000,000 people. Thus, the total number of mobile device owners threatened by this Trojan has exceeded 101 700 000. Below is a list of programs in which this clicker was found:

  • GPS Fix
  • QR Code Reader
  • ai.type Free Emoji Keyboard
  • Cricket Mazza Live Line
  • English Urdu Dictionary Offline - Learn English
  • EMI Calculator - Loan & Finance Planner
  • Pedometer Step Counter - Fitness Tracker
  • Route Finder
  • PDF Viewer - EBook Reader
  • GPS Speedometer
  • GPS Speedometer PRO
  • Notepad - Text Editor
  • Notepad - Text Editor PRO
  • Who unfriended me?
  • Who deleted me?
  • GPS Route Finder & Transit: Maps Navigation Live
  • Muslim Prayer Times & Qibla Compass
  • Qibla Compass - Prayer Times, Quran, Kalma, Azan
  • Full Quran MP3 - 50+ Audio Translation & Languages
  • Al Quran Mp3 - 50 Reciters & Translation Audio
  • Prayer Times: Azan, Quran, Qibla Compass
  • Ramadan Times: Muslim Prayers, Duas, Azan & Qibla
  • OK Google Voice Commands (Guide)
  • Sikh World - Nitnem & Live Gurbani Radio
  • 1300 Math Formulas Mega Pack
  • Social studies is a school course. USE and OGE.
  • Bombuj - Filmy a seriály zadarmo
  • Video to MP3 Converter, RINGTONE Maker, MP3 Cutter
  • Power VPN Free VPN
  • Earth Live Cam - Public Webcams Online
  • QR & Barcode Scanner
  • Remove Object from Photo - Unwanted Object Remover
  • Cover art IRCTC Train PNR Status, NTES Rail Running Status

Doctor Web transferred information about this Trojan to Google, after which some of the programs found were promptly removed from Google Play. In addition, updates have been released for several applications that no longer have a Trojan component. However, at the time this news was published, most apps still contained the malicious module and remained available for download.

Viral analysts recommend that developers responsibly select modules for monetizing applications and not integrate dubious SDKs into their software.

Backdoor Trojan disguises itself as OpenGL ES GUI update software

On July 12, 2019, Doctor Web announced that it had identified a backdoor Trojan on Google Play that executes attackers' commands, allows them to remotely control infected Android devices and spy on users. Read more here.

Node.js-Trojan mines TurtleCoin cryptocurrency

On June 19, 2019, Dr.Web"" reported that its virus lab was investigating a bootloader Trojan written in JavaScript and using to launch Node.js. A Trojan sample for research in "Dr.Web" was transferred by the company Yandex"." Harmful ON distributed through cheat sites for popular video games and called Trojan.MonsterInstall.

The Trojan has several versions and components. When trying to download a cheat, the user downloads to his protected one computerized. password Inside is an executable file that downloads the desired cheats along with other Trojan components at startup.

Running on the victim's device, Trojan.MonsterInstall downloads and installs the modules necessary for its work, collects information about the system and sends it to the developer server. After receiving an answer, it is set to startup and begins mining (mining) of the TurtleCoin cryptocurrency.

Malware developers use their own resources with cheats for popular games for distribution, and also infect files on other similar sites. According to SimilarWeb statistics, users browse these sites about 127,400 times a month.

Trojan.MonsterInstall

Resources owned by the Trojan developer:

  • rumaincraft [.] rf;
  • clearcheats[.]ru;
  • mmotalks[.]com;
  • minecraft-chiter[.]ru;
  • torrent-igri[.]com;
  • worldcodes[.]ru;
  • cheatfiles[.]ru.

In addition, some files on the proplaying website [.] ru are infected with the Trojan.

Dr.Web experts recommend that users update the antivirus on time and not download dubious software.

Android Trojan helps attackers sign up users for ad notifications

On June 14, 2019, Doctor Web announced that its specialists had discovered a Android.FakeApp.174 Trojan that uploads dubious websites to Google Chrome where users subscribe to advertising notifications. They come even if the browser is closed and can be mistaken for system ones. Such notifications not only interfere with work with Android devices, but also can lead to theft of money and confidential information.

Web Push technology allows sites, with the consent of the user, to send notifications to them even when the corresponding web pages are not open in the browser. When working with harmless resources, this function is useful and convenient. For example, social networks can inform reports in this way, and news outlets ― about fresh publications. However, attackers and unscrupulous advertisers abuse it by distributing ads and fraudulent notifications that come from hacked or malicious sites.

These notifications are supported in browsers on both PCs, laptops, and mobile devices. Usually, the victim falls on a dubious spammer resource by clicking on a specially formed link or advertising banner. Android.FakeApp.174 is one of the first Trojans to "help" attackers increase the number of visitors to these sites and sign up for such notifications for smartphone and tablet users.

Android.FakeApp.174 is distributed under the guise of useful programs - for example, official ON well-known brands. virus Doctor Web analysts discovered two such modifications of the Trojan in early June in the catalog. Google Play After contacting the corporation Google , the malware was removed, but more than 1100 users managed to download it.

Android trojan

When launched, the Trojan downloads a website in the Google Chrome browser, the address of which is specified in the settings of the malicious application. From this site, in accordance with its parameters, several redirects to the pages of various partner programs are carried out one by one. On each of them, the user is invited to allow notifications. To be convincing, the victim is informed that a certain check is being carried out (for example, that the user is not a robot), or simply given a hint which button of the dialog box needs to be pressed. This is done to increase the number of successful subscriptions.

Android trojan

After activating the subscription, sites begin to send the user numerous notifications of dubious content. They come even if the browser is closed, and the Trojan itself has already been deleted, and are displayed in the operating system status panel. Their contents can be anything. For example, false notifications about the receipt of certain cash bonuses or transfers, about messages received on social networks, advertisements for horoscopes, casinos, goods and services, and even various "news."

Many of them look like real notifications of real online services and applications that can be installed on the device. For example, they show the logo of a particular bank, dating site, news agency or social network, as well as an attractive banner. Owners of Android devices can receive dozens of such spam messages per day.

Despite the fact that these notifications also indicate the address of the site from which it came, an unprepared user may simply not notice it, or not give it much meaning.

Android trojan

When you click on such a notification, the user is redirected to a site with dubious content. It can be advertising casinos, bookmakers and various applications on Google Play, offering discounts and coupons, fake online polls and fictitious prize draws, a partner link aggregator website and other online resources that vary depending on the user's country of residence.

Android trojan

Many of these resources are involved in known fraudulent schemes of money theft, but attackers are able to organize an attack at any time to steal confidential data. For example, by sending an "important" notification through the browser on behalf of a bank or social network. A potential victim can accept a fake notification for this, click on it and go to a phishing site, where they will be asked to provide a name, login, password, email address, bank card number and other confidential information.

Dr.Web experts believe that attackers will use this method of promoting dubious services more actively, so users of mobile devices should carefully familiarize themselves with their content when visiting websites and not subscribe to notifications if the resource is unknown or looks suspicious. If you have already subscribed to spam notifications, do the following:

  • go to Google Chrome settings, select the "Site settings" option and then "Notifications";
  • in the list of websites and notifications that appears, find the address of the resource of interest, click on it and select the "Clear and reset" option.

Dr.Web antivirus products for Android detect and remove all known Android.FakeApp.174 modifications, so this Trojan is not a danger for Dr.Web users.

Cybercriminals return to dangerous Trickbot banking Trojan

On May 15, 2019, it became known that Check Point Software Technologies, a provider of cybersecurity solutions worldwide, published a report with the most active threats in April 2019 Global Threat Index. The Trickbot banking Trojan returned to the top ten for the first time in almost two years.

Versatile ones, banking Trojans such as Trickbot, are popular among, cybercriminals as they allow you to get the maximum profit. Trickbot is primarily aimed at, banks but individual users may also encounter it. It has a wide distribution geography and a large linguistic diversity, making it one of the most dangerous and difficult to remove. viruses Attacks Trickbot increased sharply in April 2019, when the newsletter harmful spam with the theme of the American "Tax Day" coincided with the deadline for filing tax returns in. As USA part of a spam campaign, attackers distributed files Excel that downloaded Trickbot to computers victims for distribution over networks, collecting bank data and possible theft of tax documents for fraudulent use.

Three of the ten most common malicious variants ON in April 2019 are. cryptominers The other seven of the top ten are multipurpose Trojans. This shows that cybercriminals' tactics are changing after the closure of several popular cryptomining services and a decrease in value cryptocurrencies in 2018, fraudsters are looking for other channels with maximum financial benefit. It is important to note that mobile devices are a weak, unprotected link - only 9% of IT professionals consider mobile threats a serious security risk. At the same time malware , it can easily penetrate cloudy into or local networks of organizations through them.

In April 2019, Badrabbit became the most active malware in Russia, which affected 25% of organizations. A worm program targeting the Windows platform uses a list of usernames and passwords to access and distribute to SMB resources of other systems on the network. Badrabbit is followed by cryptomainer Cryptoloot (22.5%), which uses CPU or GPU power and existing resources for crypto mining - adding transactions to the blockchain and issuing a new currency. Third on the list is XMRig (10.5%) - open source software first discovered in May 2017. Used to mine Monero cryptocurrency.

File:Aquote1.png
author '= Vasily Diaghilev, Head of Check Point Software Technologies Russia and CIS
As soon as cryptominers stopped bringing serious profits, the attackers immediately switched to other, more profitable methods. In April 2019, Badrabbit became the most active malware in Russia. And if you look at data around the world, both Trickbot and Emotet were in the top 10 malware. This is especially alarming, as both botnets are used not only to steal personal and credentials, but also by the Ryuk ransomware. Ryuk is famed for its assets such as databases and server backups, seeking buyouts of up to a million dollars. Since these malicious programs are constantly transforming, it is imperative to have a reliable line of defense against them with an advanced threat prevention system.
File:Aquote2.png

Top 3 most active malware in April 2019:

Arrows show the change in position from the previous month


↑ Cryptoloot is a cryptominer that uses CPU or GPU power and existing resources for crypto mining-adding transactions to the blockchain and issuing a new currency. Competitor Coinhive.
↑ XMRig - Open source software first discovered in May 2017. Used to mine Monero cryptocurrency.
↑Jsecoin is a JavaScript miner that can run the miner directly in the browser in exchange for advertising, in-game currency and other incentives.


Triada has become the most common malware for mobile devices, replacing Hiddad. Lootor remained in second place with Hiddad dropping to third.

The most active mobile threats of April 2019:

Triada - Modular backdoor for Android, which provides superuser privileges for downloaded malware, and also helps to inject it into system processes. Triada has also been spotted spoofing URLs downloaded in browsers. Lotoor is a program that exploits vulnerabilities in the Android operating system to gain privileged root access on compromised mobile devices. Hiddad - A modular Android backdoor that grants superuser rights to downloaded malware, and also helps inject it into system processes. It can access key security details built into the OS, allowing it to obtain sensitive user data.

Check Point researchers also analyzed the most exploited vulnerabilities. OpenSSL TLS DTLS Heartbeat Information Disclosure is the most popular vulnerability exploited with global influence on 44% of organizations worldwide. For the first time in 12 months, the CVE-2017-7269 dropped from first place to second, affecting 40% of organizations. In third place is the CVE-2017-5638 with global influence on 38% of organizations around the world.

The Global Threat Impact Index and ThreatCloud Map are developed by ThreatCloud intelligence, the largest collaborative cybercrime network that provides threat and attack trend data from a global network of threat sensors. Containing more than 250 million addresses analyzed to detect bots, more than 11 million malware signatures and more than 5.5 million infected sites, the ThreatCloud database continues to identify millions of malware every day.

About 90% of attempts to infect banking Trojans Buhtrap and RTM fell on Russia

February 19, "Kaspersky Kaspersky)" reported that in less than two months of 2019, the company's security solutions recorded attempts to infect Buhtrap on about 200 devices, in 2018 this figure was more than three thousand. RTM attacks were blocked in more than 30 thousand users (in 2018 - almost 140 thousand users). A significant increase in the number of attacks by these two types of corporate Trojans began in the third quarter of 2018, and since then their intensity has remained at a high level.

Dynamics of RTM and Buhtrap attacks

Banking Trojans Buhtrap and RTM are targeting small and medium-sized businesses. Attackers are primarily interested in accountants, and among professional areas - information technologies, mainly regional companies, jurisprudence and small production.

Buhtrap is distributed through exploits embedded in news sites, provided that it is used. browser Internet Explorer (browser) When loading a malicious script from an infected resource encrypted , the WebSocket protocol is used, which makes analysis difficult and allows you to bypass object detection using some security solutions. Harmful ON spreads using a vulnerability known since 2018.

The RTM malware attacks users through phishing emails. Topics and message texts contain information specific to correspondence with financial institutions: for example, "Return request," "Copies of documents for the last month" or "Request to pay receivables." Infection occurs after clicking on a link or opening an attachment.

Buhtrap and RTM in conjunction with loaded modules give complete control over the infected system. The ultimate goal of the attackers is to steal funds from the accounts of legal entities. It is extremely difficult to assess the cumulative damage, while, according to Kaspersky Lab estimates, attackers conduct illegal transactions, each of which does not exceed one million rubles. Theft occurs through the substitution of details in payment orders, as was done as part of the TwoBee malicious campaign, or manually using remote access tools.

File:Aquote1.png
author '= Sergey Golovanov, leading antivirus expert at Kaspersky Lab '
We've seen a surge in Buhtrap attacks in the last year. In 2018, the number of detections of this malware increased by 74% compared to 2017. Moreover, another RTM banking Trojan is also downloaded to some users' devices after installing Buhtrap, which allows even more fraudulent transactions. In 2018, we saw a 5,000% increase in RTM attacks. To protect against this threat, special attention should be paid to security specialists to protect workstations of employees of financial departments: install the latest updates and security solutions with a behavioral detection module, prohibit the launch of remote administration utilities on such computers, if possible.
File:Aquote2.png

The SpeakUp Trojan for Linux servers has become active on the Web

On February 14, 2019, it became known that Check Point Software Technologies Ltd., revealed another one trojan aimed at - servers Linux a backdoor that distributes the XMRig cryptomainer., Harmful ON called SpeakUp, is capable of delivering any payload and running it on compromised. computers

This Trojan has not yet been detected by antivirus software of any security program provider. It was distributed through a series of exploits based on command sequences of the control center, including the 8th, most exploited vulnerability - injection of commands into HTTP headers. Check Point researchers see Speakup as a serious threat because it can be used to download and distribute any malware.

In January, cryptominers took the first four lines of the rating of the most active malware. Coinhive remains the main malware that attacked 12% of organizations around the world. XMRig again became the second most common malware (8%), followed by cryptomainer Cryptoloot (6%). Despite the fact that the January report features four cryptomainers, half of all malicious forms from the top ten can be used to download additional malware to infected machines.

File:Aquote1.png
author '= Vasily Diaghilev, Head of Check Point Software Software Technologies Russia and CIS
In January, there were small changes in forms of malware aimed at organizations around the world, but we find other ways to spread malware. Threats like this are a stark warning of threats to come. Backdoors like Speakup can avoid detection and then spread potentially dangerous malware to infected machines. Since Linux is widely used on corporate servers, we expect Speakup to be a threat to many companies, the scale and severity of which will grow throughout the year. In addition, for the second month in a row, BadRabbit has been in the top three most active malware in Russia. So attackers use all possible vulnerabilities to make a profit.
File:Aquote2.png

The most active malware in January 2019:

(Arrows show the change in position from the previous month.)

  • ↔ Coinhive (12%) is a cryptominer designed for online mining cryptocurrencies Monero without the user's knowledge when he visits a web page. The built-in JavaScript uses a large amount of computing resources of end-user computers for mining and can lead to a system failure.
  • ↔ XMRig (8%) - Open source software first discovered in May 2017. Used to mine Monero cryptocurrency.
  • ↑ Cryptoloot (6%) is a cryptominer that uses the victim's CPU or video card power and other resources to mine cryptocurrency, the malware adds transactions to the blockchain and issues a new currency.

Hiddad, a modular backdoor for Android that grants privileges to downloadable malware, replaced Triada at the top of the mobile malware list. In second place is Lotoor, while the Triada Trojan went down to third place.

The most active mobile threats of January 2019:

  • Hiddad - A modular Android backdoor that grants superuser rights to downloaded malware, and also helps inject it into system processes.
  • Lotoor - The program exploits vulnerabilities in the Android operating system to gain privileged root access on compromised mobile devices.
  • Triada is a modular Trojan for Android that provides superuser privileges for downloadable malware and also helps inject it into system processes.

Check Point researchers also analyzed the most exploited vulnerabilities. CVE-2017-7269 remained in first place (47%). Also in the top three are information leakage through the repositories of the Git web server (46%) and critical vulnerabilities in the OpenSSL TLS DTLS Heartbeat library (45%).

The Global Threat Impact Index and ThreatCloud Map are developed by ThreatCloud intelligence, the largest collaborative cybercrime network that provides threat and attack trend data from a global network of threat sensors. ThreatCloud Data Base, which contains more than 250 million addresses analyzed to detect bots, more than 11 million malware signatures and more than 5.5 million infected sites as of February 2019, continues to identify millions of malware every day.

2018

Android Trojan HeroRat steals data using Telegram bot

Eset on June 21, 2018 announced the discovery of the HeroRat Android Trojan, which controls infected devices and steals data using a bot on Telegram.

HeroRat is a RAT Trojan (Remote Administration Tool) for remote management of compromised devices. The authors offer it for rent using the Malware-as-a-Service model (malware as a service). Three trim levels are available (bronze, silver and gold), which differ in the set of functions and price - $25, $50 and $100, respectively. The source code of the malware is sold for $650. A technical support video channel is provided.

HeroRat is looking for victims through unofficial Android app stores, social networks and instant messengers. Attackers disguise the Trojan as applications promising bitcoins as a gift, free mobile Internet or cheating subscribers on social networks. At the same time, this threat was not found on Google Play. Most infections were recorded in Iran.

When the user installs and launches the malicious application, a pop-up window will appear on the screen. It reports that the program cannot work on the device and will be removed. Samples with messages in English and Persian (depending on language settings) were observed at Eset. After the "removal" of the application icon will disappear, and the Trojan will continue to work secretly from the user.

HeroRat operators manage infected devices via Telegram using a bot. The Trojan allows you to intercept and send messages, steal contacts, make calls, record audio, take screenshots, determine the location of the device and change settings. To control the functions, interactive buttons are provided in the Telegram bot interface - the user receives a set of tools in accordance with the selected configuration.

The transfer of commands and theft of data from infected devices is implemented within the Telegram protocol - this measure allows you to counteract the detection of the Trojan.

Eset antivirus products detect the threat as Android/Spy.Agent.AMS and Android/Agent.AQO.

Microsoft Security Intelligence Report

The corporation Microsoft published information security the Security Intelligence Report in April 2018 for the period from February 2017. It is based on data obtained by the company's security programs and services (Data on the number of detected threats, and not on cases of infection). The information was provided by corporate and private users who agreed to share it with geolocation binding.

The widespread use of botnets and ransomware viruses has led to the fact that the number of devices in Russia that faced cyber threats between February 2017 and January 2018 reached 25-30% on average per month, while the same figure in the first quarter of 2017 was almost half that - 15%. The highest rates were recorded in Pakistan, Nepal, Bangladesh and Ukraine (33.2% or higher), the lowest - in Finland, Denmark, Ireland and the United States (11.4% or lower).

According to Windows Defender Security Intelligence, Trojans have become the most common category of unwanted software. The percentage of their distribution from February 2017 to January 2018 increased from 6% to 10%. Indicators of other types of malware (droppers, obfuscators, ransomware viruses, etc.) amounted to less than 1%.

2017

A smartphone-blasting virus has appeared

In December 2017, Kaspersky Lab announced the discovery of the Loapi virus, which, by infecting a smartphone, can heat it to such an extent that a fire occurs. Read more here.

Google Play booms Trojans masquerading as mobile bank apps

Group-IB at the end of November 2017 noted a wave of mass distribution of Trojans masquerading as mobile applications of the country's leading banks. Group-IB specialists block the resources from which these applications are distributed, but their volume is constantly growing.

Group-IB: fake applications for Android are made at a very high level - both in design and in the mechanics of infection

Trojans designed for mobile devices under control OS Android are distributed not through the official store, but Google Play through advertisements in search engines.

File:Aquote1.png
Android is the main target of virus writers simply because of its prevalence - the vast majority of smartphones in the world run this system, - notes Roman Ginyatullin, information security expert at SEQ (formerly SEC Consult Services). - And more than 97% of malware is written specifically for Android, since, firstly, the level of protection of Google Play is still inferior to the security of the official iOS app store, and secondly, installing applications for Android from unofficial sources is much easier than for iOS.
File:Aquote2.png

Attackers were able to bring their applications to the first lines of search engines using SEO. In response to user requests of the format "download the application of ХХХ Bank" on the first pages of search engines, they displayed messages leading to applications infected with Trojans.

File:Aquote1.png
Most users did not even stop the fact that in order to install such programs, they need to allow the installation of applications from untrusted sources in the security settings of their devices, the Group-IB publication says. - As a rule, the operating system warns about the danger of such an approach immediately after obtaining the user's consent. However, in this case, the victims of the phishing attack agreed to take all the risks.
File:Aquote2.png

Group-IB experts noted that fake applications were performed at a very high level - both in design and in the mechanics of infection. This confuses many users who do not pay attention to suspicious "little things," such as a dubious domain name, redirection to a third-party resource, and so on.

Malicious applications required permission to read and send SMS messages and, of course, the login and password from the personal account and the details of the payment card. As a result, the operators of the malicious application transferred money from the victim's account to their resources, at the same time "suppressing" the receipt of SMS messages from the bank informing about fraudulent transactions.

Group-IB experts were able to establish that the distributor of the current banking Trojans could be associated with the author of fraudulent resources for the sale of air tickets, with which Group-IB actively fought in late 2016 - early 2017 (then more than three dozen such resources were closed).[19]

How to distinguish fake apps from genuine ones

  1. Official apps will only be distributed via Google Play; download links are published on the websites of the banks themselves. If applications are placed elsewhere, this is most likely fake.
  2. Special attention should be paid to the domain names from where the application is offered to be downloaded. Attackers often use domains whose names are similar to official ones, but differ by one or two characters, or use second-level domains below.
  3. Smartphones are equipped with protection measures against the most common threats, and if a smartphone displays a message that this or that application carries a threat, in no case should you install it. If fake banking apps are found, it is strongly recommended that you notify bank security about them. This will save users from themselves and others from many troubles.
  4. If you notice anything suspicious on the site from which you are invited to download the application, immediately report it to the bank's security service or to the bank's official social media group, not forgetting to attach a screenshot.

CryptoShuffler Trojan stole $140,000 worth of bitcoins

Kaspersky Lab experts in early November 2017 discovered a Trojan that steals cryptocurrency from users' wallets. The attackers targeted Bitcoin, Ethereum, Zcash, Dash, Monero and others.

According to the observations of Kaspersky Lab researchers, the authors of the Trojan, called CryptoShuffler, were most successful in attacking Bitcoin wallets, stealing a total of about $140 thousand. By comparison, stolen amounts in other cryptocurrencies range from a few dollars to several thousand.

Wallets corresponding to the specified cryptocurrencies are sewn directly in the body of the Trojan. The basic list is as follows:

According to the company's experts, the principle of operation of the malware is quite simple: it exploits human inattention. As you know, in order to transfer money from one crypto wallet to another, the user needs to specify the recipient's identification number. It consists of many characters, so it is almost impossible to remember it. As a result, the operation is performed by the copy-paste function. It is at this stage that CryptoShuffler is activated. After downloading, he begins to monitor the device's clipboard and, when he discovers the alleged address of the wallet there, replaces it with his own. As a result, if the user does not notice the forgery, the money is sent directly to the attackers.

The malware is able to easily determine that it was the address of the cryptocurrency wallet that got into the buffer - most of them have a standard form with a fixed length and a predetermined start. The buffer content is replaced using the OpenClipboard\GetClipboardData\SetClipboardData API bundle of functions.

Kaspersky Lab products define this Trojan as Trojan-Banker.Win32.CryptoShuffler.gen.

Trojan ransomware paralyzed the work of an entire city in the United States

The administration of Licking County in Ohio in February was forced to disconnect its servers and telephone systems in order to stop the spread of the Cnews ransomware Trojan[20].

It became known that more than a thousand computers in the United States belonging to the networks of the administration of one of the American districts were infected. All systems were shut down to block further spread of the malware, prevent data loss and preserve evidence for investigation.

All reception and administrative institutions work, but working with them is possible only with a personal visit.

Administration officials do not name the size of the required ransom; they also refuse to comment on the likelihood of a payout. According to Tim Bubb, a member of the Licking District Commission, consultations with cybersecurity experts and law enforcement agencies are underway.

Manual mode

The disconnection of telephone lines and network communications means that all county services in whose work information technology is involved have switched to "manual mode." This even applies to the 911 assistance center: the phones and walkie-talkies of rescuers work, but there is no access to computers. At least calls from police, firefighters and ambulances are still being received, but as rescue centre director Sean Grady put it, the service's work as far as call speed is concerned has been pushed back a quarter of a century.

More than 500 million users at gunpoint of the SpyDealer Andriod Trojan

Experts information security in the field from Palo Alto Networks July revealed trojan SpyDealer, capable of stealing the personal data of users of more than 500 million devices working under. OS Android The malware uses popular and messengers SMS recorded user phone conversations for this. In addition, the Trojan can take photos from the infected person's camera. smartphone[21] Trojan[22]

SpyDealer is distributed through the GoogleService and GoogleUpdate platforms, as well as unprotected Wi-Fi connections, which are most often in public places. Once penetrated and installed on the device, SpyDealer begins to monitor all downloads and wireless status. The malware is managed using SMS commands, the number of which reaches 50. By executing commands transmitted from the remote server, the Trojan can steal any personal user data, including phone number, IMEI, IMSI, SMS and MMS data, contact list, geolocation data and information about current wireless connections. Message interception is carried out using special Android functions - AccessibilityService.

Users of WeChat, WhatsApp, Skype, Line, Viber, QQ, Tango, Telegram, Sina Weibo, Tencent Weibo and Facebook Messenger were in the crosshairs of the malware. In addition, users of the pre-installed Android browser, Firefox and Oupeng browsers, QQ Mail, NetEase Mail, Taobao and Baidu Net Disk mail clients are at risk.

SpyDealer will be able to answer phone calls from a given number, record telephone conversations and take unauthorized pictures by the user from both cameras of the smartphone. In total, there are more than 40 applications to which the Trojan has access. Thus, SpyDealer, according to researchers, can serve as an "ideal spy" who can not only steal information, but also spy on his victim.

Currently, the largest number of users affected by SpyDealer is concentrated in China, most of the command servers are located in the same country (however, there are servers in the USA). Smartphones with Android OS versions 2.2 to 4.4 are most at risk, fixes have been made for subsequent versions and some threats have been eliminated. However, SpyDealer is able to steal information from smartphones running Android 5 and higher.

According to experts, there are currently about 2 billion Android smartphones in the world, among which about a quarter are running outdated versions of the operating system. Consequently, about 500 million users are at risk of being attacked by the SpyDealer Trojan. At the same time, SpyDealer is developing and optimizing dynamically, and in the future it may be able to attack smartphones running the latest versions of Android OS, Palo Alto Networks believes.

2016: Banking Trojan attacks smartphones as it pretends to be popular apps

Comodo Group researchers have identified a new version of the Tordow banking malware that attacks users in Russia. The Trojan is trying to gain root privileges on the device, which makes fighting it extremely problematic. Read more here.

2011: Carberp is the most common banking Trojan

As of November 2011, Russia is the absolute leader in the number of incidents in the field of information security using the banking Trojan virus Carberp - 72% of the total number in different countries, the Russian Center for Virus Research and Analytics of ESET reported in its report . Read more here.

Links

Notes

  1. [https://www.ptsecurity.com/ru-ru/research/pt-esc-threat-intelligence/preview/ex-cobalt-go-red-tehnika-skrytogo-tunnelya/ ExCobalt: GoRed
  2. - a hidden tunnel technique]
  3. Vulnerability SymStealer has put every Google Chrome user at risk
  4. The updated Pakistani Trojan ReverseRAT is aimed at Indian government agencies.
  5. and Troyan Qakbot Ave. is now distributed inside SVG images
  6. the Harly Trojan continues the case of the infamous Jocker
  7. RAT Trojan developer has posted its source code on GitHub.
  8. CVE-2022-30190 Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability
  9. CVE-2022-30190 Vulnerability (Follina) in MSDT: Description and Counteraction
  10. About Processes and Flows
  11. Woody RAT: A new feature-rich malware spotted in the wild
  12. [https://www.securitylab.ru/news/532051.php of FluBot
  13. defeated: special services take control of the malware infrastructure that threatened billions of Android users]
  14. Rats attack: Secretive Nerbian RAT seen in attacks across Europe
  15. A new Trojan for remote access, Borat, has appeared on the darknet
  16. of the Android Trojan TeaBot continues its triumphant march across the planet.
  17. [https://www.esetnod32.ru/company/press/center/eset-bankovskiy-troyan-ispolzoval-youtube-dlya-krazhi-kriptovalyuty/ YouTube ESET
  18. the banking Trojan used YouTube to steal ]cryptocurrency
  19. Group-IB records growth in the distribution of fake mobile applications of banks
  20. : The ransomware Trojan paralyzed the work of an entire city in the United States
  21. [http://24gadget.ru/1161065038-troyan-spydealer-pohischaet-dannye-iz-android-prilozheniy.html SpyDealer
  22. steals data from Android apps]