Malware trends: eBPF exploitation, malware configurations stored in unexpected places, and increased use of custom post-exploitation tools

An investigation into an information security incident has allowed virus analysts at Doctor Web to uncover an ongoing campaign that incorporates many modern trends employed by cybercriminals.
10.12.2024 | Real-time threat news

Malicious apps on Google Play: how threat actors use the DNS protocol to covertly connect trojans to C&C servers

Many Android.FakeApp trojans do nothing more than open links to various sites, and from a technical point of view such malware is quite primitive. When launched, such a trojan receives a command to load a specific web address, so the user who installed it sees the contents of some unwanted site instead of the program or game they expected. Occasionally, though, a notable sample turns up among these fake applications, and Android.FakeApp.1669 is one of them. It differs from most similar threats in that it uses a modified dnsjava library to fetch its configuration, which contains the target link, from a malicious DNS server. The configuration is only served when the device is online through certain service providers (mobile Internet providers, for example); in all other cases the trojan does not manifest itself in any way.
11.11.2024 | Real-time threat news
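The configuration channel described above, reconstructed as an added Python example (my code, not Doctor Web's and not the trojan's): it assembles a DNS response carrying a TXT record, then parses it the way a resolver library would, following the name-compression pointer, reassembling the 255-byte TXT chunks, and pulling the target link out of the text. The record name `cfg.example.invalid`, the `key=value;` payload layout and the use of TXT records are all assumptions; the write-up does not say which record type or encoding the real server uses.

```python
import struct

# Constructed sample: a DNS response to a TXT query for a hypothetical
# attacker-controlled name. The record layout (TXT carrying "key=value;" pairs)
# is an assumption for illustration; the real trojan's format is not described.
CONFIG_NAME = "cfg.example.invalid"
CONFIG_PAYLOAD = "url=https://example.invalid/landing;delay=30"


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels: <len><label>...<0>."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_txt_response(name: str, txt: str, txn_id: int = 0x1234) -> bytes:
    """Assemble a minimal DNS response with one TXT answer (answer name is a
    compression pointer to the question name at offset 12)."""
    header = struct.pack("!HHHHHH", txn_id, 0x8180, 1, 1, 0, 0)  # QR=1, RD=1, RA=1
    question = encode_name(name) + struct.pack("!HH", 16, 1)   # QTYPE=TXT, QCLASS=IN
    data = txt.encode("ascii")
    rdata = b""
    for i in range(0, len(data), 255):  # TXT RDATA is a sequence of <len><chars> strings
        chunk = data[i:i + 255]
        rdata += bytes([len(chunk)]) + chunk
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 16, 1, 300, len(rdata)) + rdata
    return header + question + answer


def read_name(msg: bytes, offset: int) -> tuple[str, int]:
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, jumped, end, hops = [], False, offset, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # 2-byte compression pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset, hops = True, pointer, hops + 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


def parse_txt_records(msg: bytes) -> list[tuple[str, str]]:
    """Return (owner name, joined text) for every TXT answer in a DNS response."""
    _txn, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a response")
    offset = 12
    for _ in range(qd):               # skip the question section
        _, offset = read_name(msg, offset)
        offset += 4                   # QTYPE + QCLASS
    records = []
    for _ in range(an):
        name, offset = read_name(msg, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype != 16:               # only TXT
            continue
        parts, pos = [], 0
        while pos < len(rdata):
            n = rdata[pos]
            parts.append(rdata[pos + 1:pos + 1 + n].decode("ascii", "replace"))
            pos += 1 + n
        records.append((name, "".join(parts)))
    return records


def extract_config(msg: bytes) -> dict[str, str]:
    """Turn the TXT payload into key/value pairs (assumed 'k=v;k=v' layout)."""
    config = {}
    for _, text in parse_txt_records(msg):
        for item in text.split(";"):
            if "=" in item:
                k, v = item.split("=", 1)
                config[k.strip()] = v.strip()
    return config


if __name__ == "__main__":
    print(extract_config(build_txt_response(CONFIG_NAME, CONFIG_PAYLOAD)))
```

From a detection standpoint the interesting artefact is the query itself: an app that has no business with mail or domain verification issuing a TXT lookup at first launch, and only while on a mobile-carrier network, is the behaviour to hunt for in DNS logs, since the payload is fetched exactly once and then the trojan stays dormant everywhere else.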

Hidden cryptocurrency mining and theft campaign affected over 28,000 users

Virus analysts at Doctor Web have identified a large-scale campaign aimed at spreading cryptomining and cryptostealing malware by delivering trojans to victims' computers under the guise of office programs, game cheats, and online trading bots.
08.10.2024 | Real-time threat news

Redis honeypot: server with vulnerable Redis database reveals new SkidMap modification used to hide cryptocurrency mining process

Doctor Web virus analysts have identified a new rootkit modification that installs the SkidMap mining trojan on compromised Linux machines. The rootkit is a malicious kernel module that hides the miner's activity by returning fake CPU-usage and network-activity figures to user-space tools. The attack appears to be opportunistic rather than targeted, but the affected hosts are mostly enterprise servers and cloud environments, where the mining yield is highest.
03.10.2024 | Real-time threat news
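Because the rootkit answers user-space queries with forged figures, the practical check is a cross-view comparison: ask the kernel the same question through several interfaces and look for disagreement. The added Python example below (my code, not Doctor Web's) compares the module list in /proc/modules with the per-module directories under /sys/module and with the module tags in /proc/kallsyms; a module that is loaded but missing from /proc/modules is what a list-unlinking rootkit looks like. The sample inputs are constructed and the module name `skd_hide` is hypothetical; the write-up does not name the malicious module.

```python
import os
import re

# Constructed sample views of one host. "skd_hide" is a hypothetical name for a
# module that has unlinked itself from the kernel's module list.
SAMPLE_PROC_MODULES = """\
xt_conntrack 16384 1 - Live 0xffffffffc0a10000
nf_nat 49152 2 xt_nat,iptable_nat, Live 0xffffffffc09f0000
ext4 786432 1 - Live 0xffffffffc08c0000
"""
SAMPLE_SYS_MODULE = {  # {module name: files in /sys/module/<name>}
    "xt_conntrack": {"initstate", "refcnt", "sections", "holders"},
    "nf_nat": {"initstate", "refcnt", "sections", "holders"},
    "ext4": {"initstate", "refcnt", "sections", "holders"},
    "skd_hide": {"initstate", "refcnt", "sections", "holders"},  # absent above
    "printk": {"parameters"},  # built-in: no initstate, never in /proc/modules
}
SAMPLE_KALLSYMS = """\
ffffffff81000000 T _text
ffffffffc0a10120 t conntrack_mt\t[xt_conntrack]
ffffffffc0b20000 t fake_cpu_stat\t[skd_hide]
"""

KALLSYMS_MODULE_RE = re.compile(r"\[([^\]]+)\]\s*$")


def parse_proc_modules(text: str) -> dict[str, int]:
    """/proc/modules: 'name size refcount deps state address' per line."""
    mods = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2:
            mods[parts[0]] = int(parts[1])
    return mods


def loaded_sysfs_modules(entries: dict[str, set[str]]) -> set[str]:
    """Only dynamically loaded modules expose an initstate file; built-ins do not."""
    return {name for name, files in entries.items() if "initstate" in files}


def parse_kallsyms_modules(text: str) -> set[str]:
    """Module names tagged on symbols in /proc/kallsyms ('... name [module]')."""
    found = set()
    for line in text.splitlines():
        m = KALLSYMS_MODULE_RE.search(line)
        if m:
            found.add(m.group(1))
    return found


def find_hidden_modules(proc_modules_text: str,
                        sysfs_entries: dict[str, set[str]],
                        kallsyms_text: str = "") -> list[str]:
    """Modules visible in sysfs or kallsyms but missing from /proc/modules."""
    visible = set(parse_proc_modules(proc_modules_text))
    other_views = loaded_sysfs_modules(sysfs_entries) | parse_kallsyms_modules(kallsyms_text)
    return sorted(other_views - visible)


def read_sysfs_modules(root: str = "/sys/module") -> dict[str, set[str]]:
    """Live collector for Linux hosts; returns {} elsewhere."""
    if not os.path.isdir(root):
        return {}
    entries = {}
    for name in os.listdir(root):
        try:
            entries[name] = set(os.listdir(os.path.join(root, name)))
        except OSError:
            entries[name] = set()
    return entries


def read_text(path: str) -> str:
    try:
        with open(path) as f:
            return f.read()
    except OSError:
        return ""


if __name__ == "__main__":
    print("sample:", find_hidden_modules(SAMPLE_PROC_MODULES, SAMPLE_SYS_MODULE, SAMPLE_KALLSYMS))
    if os.path.exists("/proc/modules"):
        print("live:", find_hidden_modules(read_text("/proc/modules"),
                                           read_sysfs_modules(),
                                           read_text("/proc/kallsyms")))
```

A rootkit can scrub sysfs and kallsyms too, and the same module that forges /proc/stat can equally hook the socket-diagnostics paths that `ss` and `netstat` rely on, so a clean result here is not proof of absence. A memory image or an offline inspection of the disk from a known-good boot remains the authoritative check; this script is the cheap first pass.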

Doctor Web resumed virus database updates after the attack on its infrastructure

Now that the dangerous situation involving the attack on Doctor Web's infrastructure has been resolved successfully, we're happy to bring you up to speed on the latest developments and present the security incident's complete timeline.
18.09.2024 | Real-time threat news

Doctor Web's resources attacked

On Saturday, September 14, Doctor Web specialists recorded a targeted attack on the company's resources. The attempt to harm our infrastructure was prevented in a timely manner, and no user whose system was protected by Dr.Web was affected.
17.09.2024 | Real-time threat news

Void captures over a million Android TV boxes

Doctor Web experts have uncovered yet another case of an Android-based TV box infection. The malware, dubbed Android.Vo1d, has infected nearly 1.3 million devices belonging to users in 197 countries. It is a backdoor that puts its components in the system storage area and, when commanded by attackers, is capable of secretly downloading and installing third-party software.
12.09.2024 | Real-time threat news

Gaining persistence in a compromised system using Yandex Browser. Failed spear phishing attack on Russian rail freight operator.

Social engineering is a highly effective fraud technique that is difficult to withstand. A skilled attacker knows how to find the right approach to intimidate or persuade a victim to perform an action. But what if an attack requires little communication effort, and a computer stops being a digital assistant and becomes an unwitting accomplice?
04.09.2024 | Real-time threat news

Do shoot the messenger: Telegram-controlled backdoor trojan targets Linux servers

Doctor Web virus analysts exposed a Linux version of the well-known TgRat trojan, which is used for targeted attacks on computers. One notable feature of this trojan is that it is controlled via a Telegram bot.
04.07.2024 | Real-time threat news

Smart-sex-toy users targeted by clicker trojan

Virus analysts at Doctor Web uncovered an Android application containing a clicker trojan that silently opens advertising sites and clicks on webpages. Such trojans can be used to stealthily display ads, generate click fraud, sign up unsuspecting victims for paid subscriptions or launch DDoS attacks.
04.05.2024 | Real-time threat news

Study of a targeted attack on a Russian enterprise in the mechanical-engineering sector

In October 2023, Doctor Web was contacted by a Russian mechanical-engineering enterprise that suspected malware was present on one of its computers. Our specialists investigated the incident and determined that the company had been the subject of a targeted attack. During this attack, the malicious actors sent phishing emails with an attachment containing the malicious program responsible for the initial system infection and for installing further malicious tools on the system.
11.03.2024 | Real-time threat news

Hidden crypto miner in pirated software makes cybercriminals rich at the expense of their victims

Doctor Web is reporting on an increase in cases of cryptocurrency-mining trojans being found hidden in pirated software that is available in Telegram and on some Internet sites.
15.01.2024 | Real-time threat news

Vulnerability in Openfire messaging software allows unauthorized access to compromised servers

Doctor Web is notifying users about the spread of malicious plugins for the Openfire messaging server. To date, more than 3,000 servers worldwide that have Openfire software installed on them have been affected by a vulnerability that lets hackers gain access to the file system and use the infected servers as part of a botnet.
25.09.2023 | Real-time threat news

The art of manipulation: fraudsters steal money with remote administration software for mobile devices

Doctor Web is reporting on the growing number of fraud cases involving remote desktop access applications. RustDesk is the most popular among attackers.
22.09.2023 | Real-time threat news

Android.Spy.Lydia trojans masquerade as an Iranian online trading platform

Doctor Web has detected new versions of the Android.Spy.Lydia trojans, which engage in a variety of spyware activities on infected Android devices and provide attackers with remote control capabilities to steal personal information and funds. Moreover, the trojans have a defense mechanism that checks whether they are being launched in an emulator or on a test device. In such cases, the trojans stop working.
13.09.2023 | Real-time threat news

Pandora's box is now open: the well-known Mirai trojan arrives in a new disguise on Android-based TV sets and TV boxes

Doctor Web has identified a family of Android.Pandora trojans that compromise Android devices, either during firmware updates or when applications for viewing pirated video content are installed. This backdoor inherited its advanced DDoS-attack capabilities from its ancestor, the well-known Linux.Mirai trojan.
06.09.2023 | Real-time threat news

Fruity trojan downloader performs multi-stage infection of Windows computers

Doctor Web has uncovered an attack on Windows users involving a modular downloader trojan dubbed Trojan.Fruity.1. With its help, threat actors can infect computers with different types of malware, depending on the attackers’ goals. To conceal an attack and increase the chances of it being successful, they use a variety of tricks. These include a multi-stage infection process for target systems, using harmless apps for launching components of the trojan, and trying to bypass anti-virus protection.
27.07.2023 | Real-time threat news

Doctor Web identifies pirated Windows builds with crypto stealer that penetrates EFI partition

Doctor Web has discovered a malicious clipper program in a number of unofficial Windows 10 builds that cybercriminals have been distributing via a torrent tracker. Dubbed Trojan.Clipper.231, this trojan replaces crypto wallet addresses in the clipboard with addresses supplied by the attackers. At the time of publication, the malicious actors had stolen cryptocurrency worth roughly $19,000 US.
13.06.2023 | Real-time threat news
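As an added illustration of what a clipper does and how a user-side guard catches it (example code written here, not the Trojan.Clipper.231 sample and not Doctor Web's): the block classifies clipboard text with wallet-address regexes, performs the substitution the trojan performs, and then runs the defensive cross-check a paste-guard would run, comparing what was copied with what is about to be pasted. The coin formats covered, the regexes and the "attacker" addresses are assumptions; the BTC samples are the well-known public example addresses from the Bitcoin documentation, not wallets involved in this campaign.

```python
import re

# One alternation so each clipboard span is classified exactly once. The coin
# formats covered and the regexes themselves are assumptions for illustration.
ADDRESS_RE = re.compile(
    r"(?P<eth>\b0x[0-9a-fA-F]{40}\b)"
    r"|(?P<btc_bech32>\bbc1[02-9ac-hj-np-z]{25,62}\b)"
    r"|(?P<btc_legacy>\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b)"
)

# Constructed sample data. The attacker addresses are made-up strings that only
# satisfy the character-set rules; they are not real wallets.
SAMPLE_BTC = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"
SAMPLE_ETH = "0x" + "ab" * 20
SAMPLE_CLIPBOARD = f"Pay 0.5 BTC to {SAMPLE_BTC} and 0.2 ETH to {SAMPLE_ETH} by Friday"
ATTACKER_ADDRESSES = {
    "btc_legacy": "1HackerSwapAddrDemo2345678923456",
    "eth": "0x" + "cd" * 20,
}


def find_addresses(text: str) -> list[tuple[str, str]]:
    """Return (kind, address) for every wallet-looking token, in order of appearance."""
    return [(m.lastgroup, m.group()) for m in ADDRESS_RE.finditer(text)]


def clipper_substitute(text: str, swap_to: dict[str, str]) -> str:
    """The clipper's core behaviour: replace each address with the attacker's
    address of the same kind; kinds the attacker has no address for are untouched."""
    return ADDRESS_RE.sub(lambda m: swap_to.get(m.lastgroup, m.group()), text)


def detect_substitution(copied: str, pasted: str) -> list[tuple[str, str, str]]:
    """Defensive cross-check: compare the text captured at copy time with the
    text about to be pasted and report (kind, original, replacement) for every
    address that changed. A changed address count is reported as a whole."""
    before, after = find_addresses(copied), find_addresses(pasted)
    if len(before) != len(after):
        return [("count_mismatch", copied, pasted)]
    return [
        (kind_b, addr_b, addr_a)
        for (kind_b, addr_b), (kind_a, addr_a) in zip(before, after)
        if kind_b == kind_a and addr_b != addr_a
    ]


if __name__ == "__main__":
    tampered = clipper_substitute(SAMPLE_CLIPBOARD, ATTACKER_ADDRESSES)
    print(tampered)
    for kind, original, replacement in detect_substitution(SAMPLE_CLIPBOARD, tampered):
        print(f"{kind}: {original} -> {replacement}")
```

The guard only works if the copy-time snapshot is taken by something the clipper cannot reach, which is why the comparison belongs in the wallet software or the exchange's paste handler rather than in another clipboard-watching process on the same infected host. It also does nothing about the persistence described above: a component living in the EFI partition survives a reinstall of the system partition, so a host known to carry this build has to be treated as untrusted until that partition is rewritten.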

Android apps containing SpinOk module with spyware features installed over 421,000,000 times

Doctor Web discovered an Android software module with spyware functionality. It collects information on files stored on devices and is capable of transferring them to malicious actors. It can also substitute and upload clipboard contents to a remote server. Dubbed Android.Spy.SpinOk in accordance with Dr.Web classification, this module is distributed as a marketing SDK. Developers can embed it into all sorts of apps and games, including those available on Google Play.
29.05.2023 | Real-time threat news

Linux backdoor malware infects WordPress-based websites

Doctor Web has discovered a malicious Linux program that compromises websites running the WordPress CMS. It exploits 30 vulnerabilities in a number of plugins and themes for this platform. If a site runs outdated versions of such add-ons that lack the relevant fixes, the targeted webpages are injected with malicious JavaScript. As a result, when a user clicks on any area of an attacked page, they are redirected to other sites.
30.12.2022 | Real-time threat news

Android users risk falling victim to fraudsters during online job searches

Doctor Web is alerting users to the emergence of malicious Android apps that attackers have disguised as job-search software. Through these applications, fraudsters can collect their victims’ personal information and steal money from them using deceptive techniques.
21.11.2022 | Real-time threat news

Banking trojans disguised as shopping apps attack Malaysian Android users

Doctor Web reports on the discovery of banking trojan apps that target Malaysian users. Malicious actors distribute them as mobile shopping apps. Unlike many other bankers, these not only borrow the icons and names of real stores but also function like genuine shopping apps, so as to look plausible and avoid raising suspicion. The trojans steal logins and passwords for online banking accounts and intercept the SMS messages carrying the mobile TANs and one-time passwords used to confirm transactions. They also steal victims' personal information, including their date of birth, mobile phone number and identity card number.
19.10.2022 | Real-time threat news

Doctor Web identifies attack on WhatsApp and WhatsApp Business messengers installed on counterfeit Android devices

Doctor Web reports that it has discovered backdoors in the system partition of budget Android devices sold as counterfeit versions of well-known brand-name models. These trojans enable arbitrary code execution inside the WhatsApp and WhatsApp Business messaging apps and can be used in a range of attack scenarios, among them interception of chats and theft of the confidential information they contain; the malware can also run spam campaigns and various scam schemes. That is not the only risk for users. The affected devices claim to run a modern, secure version of Android, but in reality they are based on an obsolete version affected by multiple vulnerabilities.
22.08.2022 | Real-time threat news

Study of an APT attack on a telecommunications company in Kazakhstan

In October 2021, one of Kazakhstan's telecommunications companies contacted Doctor Web with a suspicion of malware in its corporate network. On initial inspection we found backdoors that had previously been seen only in targeted attacks. During the investigation we also established that the company's internal servers had been compromised since 2019. For several years the attackers' main tools had been Backdoor.PlugX.93 and BackDoor.Whitebird.30, the Fast Reverse Proxy (FRP) utilities, and RemCom.
24.03.2022 | Real-time threat news

Mobile device users’ cryptocurrency is at risk

Doctor Web warns on the spread of trojan apps designed to steal cryptocurrency from mobile device users. The malicious software hijacks secret seed phrases that give access to crypto wallets. Users of both Android devices and Apple smartphones are at risk.
21.03.2022 | Real-time threat news