Three days ago Microsoft encountered a fast-spreading crypto-mining malware that infected almost 500,000 PCs in only twelve hours, and successfully blocked it.
Named Dofoil, also known as Smoke Loader, the malware drops a cryptocurrency-mining program as its payload on infected Windows PCs; the miner then uses the victims' CPUs to mine Electroneum coins, another cryptocurrency, for the attackers.
On March 6th, Windows Defender suddenly detected over eighty thousand instances of several Dofoil variants, which raised the alarm at Microsoft's Windows Defender research team; within the next twelve hours, over 380,000 instances had been recorded.
The research team then discovered that all these occurrences, which were rapidly spreading across Turkey, Russia, and Ukraine, carried a crypto-mining payload disguised as a legitimate Windows binary to evade detection.
Microsoft did not say how the malware was delivered to so many machines in such a short time.
Dofoil uses a customized mining application that can mine various cryptocurrencies; in this particular campaign, however, it was configured to mine Electroneum specifically.
According to the researchers, the Dofoil trojan uses an older code injection technique known as ‘process hollowing’: it spawns a new instance of a legitimate process and replaces that process's code with malicious code, so the malicious code runs under the legitimate process's name, fooling process-monitoring tools and antivirus programs into believing the original process is running.
“The hollowed explorer.exe process then offers up a second malicious instance which then drops and runs a crypto mining malware disguised as a legitimate Windows binary, wuauclt.exe.”
To persist on an infected system and keep mining Electroneum with the hijacked resources, the Dofoil trojan modifies the Windows registry as follows:
“The hollowed out explorer.exe process creates a copy of the original malware in the Roaming AppData folder and then renames it to ditereah.exe,” the researchers stated. “It then creates a registry key or simply modifies an existing one to point to the newly minted malware copy. In the sample that we analyzed, the malware modified the OneDrive Run key.”
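The two host-side artifacts the researchers describe above, a Windows binary name (wuauclt.exe) running from a location other than its system directory and a Run key rewritten to point at a copy dropped in the Roaming AppData folder, are both cheap to hunt for. The following Python script is an added example, not Microsoft's code or anything taken from the report: it runs those two checks over a constructed process snapshot and a constructed set of Run-key values. The sample paths, PIDs and value names are made up for illustration, and the list of expected system directories and the allow-list of binary names are assumptions of this example, not something the article states.

```python
"""Hunt for two Dofoil-style host artifacts described in the article:
  1. a system binary name running from outside the Windows system directories
     (the miner disguised as wuauclt.exe), and
  2. a Run-key value pointing at an executable under AppData\\Roaming
     (the renamed copy the persistence key was changed to point at).
All records below are constructed sample data, not real telemetry.
"""
from pathlib import PureWindowsPath

# Assumed allow-list: binaries with these names are expected only in system dirs.
SYSTEM_BINARIES = {"wuauclt.exe", "explorer.exe", "svchost.exe"}

# Assumed set of legitimate parent directories for those binaries.
# PureWindowsPath compares case-insensitively, as Windows does.
SYSTEM_DIRS = (
    PureWindowsPath(r"C:\Windows\System32"),
    PureWindowsPath(r"C:\Windows\SysWOW64"),
    PureWindowsPath(r"C:\Windows"),
)


def executable_from_command(command: str) -> str:
    """Extract the executable path from a Run-key command line.
    Handles a quoted path with arguments ("C:\\a b\\x.exe" /flag) and a
    bare path followed by arguments; returns "" for an empty value."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    return command.split()[0] if command else ""


def is_masquerading(image_path: str) -> bool:
    """True when a protected binary name runs from a non-system directory."""
    path = PureWindowsPath(image_path)
    if path.name.lower() not in SYSTEM_BINARIES:
        return False
    return path.parent not in SYSTEM_DIRS


def points_into_roaming_appdata(command: str) -> bool:
    """True when the Run-key command launches something under ...\\AppData\\Roaming\\..."""
    parts = [p.lower() for p in PureWindowsPath(executable_from_command(command)).parts]
    return any(
        (parts[i], parts[i + 1]) == ("appdata", "roaming") for i in range(len(parts) - 1)
    )


# Constructed process snapshot: one legitimate wuauclt.exe, one masquerading copy.
PROCESS_SNAPSHOT = [
    {"pid": 1234, "image": r"C:\Windows\System32\wuauclt.exe"},
    {"pid": 4321, "image": r"C:\Users\alice\AppData\Roaming\wuauclt.exe"},
    {"pid": 888, "image": r"C:\Windows\explorer.exe"},
    {"pid": 2001, "image": r"C:\Program Files\Vendor\tool.exe"},
]

# Constructed HKCU Run-key values: "OneDrive" has been repointed into Roaming AppData.
RUN_KEY_VALUES = {
    "OneDrive": r'"C:\Users\alice\AppData\Roaming\ditereah.exe"',
    "VendorUpdater": r'"C:\Program Files\Vendor\updater.exe" --quiet',
}


def hunt(processes, run_values):
    """Return a list of (finding_type, identifier, path) tuples."""
    findings = []
    for proc in processes:
        if is_masquerading(proc["image"]):
            findings.append(("masquerade", proc["pid"], proc["image"]))
    for value_name, command in run_values.items():
        if points_into_roaming_appdata(command):
            findings.append(("persistence", value_name, executable_from_command(command)))
    return findings


if __name__ == "__main__":
    for kind, ident, path in hunt(PROCESS_SNAPSHOT, RUN_KEY_VALUES):
        print(f"[{kind}] {ident}: {path}")
```

Path-based checks like these catch the disguised miner and the repointed Run key, but not the hollowed explorer.exe itself, which still runs from its legitimate path with legitimate-looking metadata; that part is only visible to memory inspection or behavioural monitoring of the kind the article credits below. On a live host the snapshot would come from the process list and the values from the HKCU\Software\Microsoft\Windows\CurrentVersion\Run key rather than the constructed dictionaries used here.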
Dofoil also connects to a remote C&C server hosted on the decentralized Namecoin network infrastructure and then waits for new commands, including instructions to install additional malware.
Microsoft further stated that the “behavior monitoring” and AI-based machine-learning techniques used by Windows Defender Antivirus played a significant role in detecting and blocking this huge malware campaign.