Two days ago, Microsoft encountered a rapidly spreading cryptocurrency-mining malware that infected almost 500,000 computers within just 12 hours, and it successfully blocked the campaign to a large extent.
Dubbed Dofoil, aka Smoke Loader, the malware was found dropping a cryptocurrency miner as its payload on infected Windows computers; the miner mines Electroneum coins, yet another cryptocurrency, for the attackers using victims’ CPUs.
On March 6, Windows Defender suddenly detected more than 80,000 instances of several variants of Dofoil, which raised the alarm at Microsoft’s Windows Defender research department, and within the next 12 hours over 400,000 instances were recorded.
The research team found that all these instances, rapidly spreading across Russia, Turkey and Ukraine, were carrying a digital coin-mining payload that masqueraded as a legitimate Windows binary to evade detection.
However, Microsoft has not said how these instances were delivered to such a massive audience in the first place within this short period.
Dofoil uses a customized mining application that can mine different cryptocurrencies, but in this campaign the malware was programmed to mine Electroneum coins only.
According to the researchers, the Dofoil trojan uses an old code injection technique called ‘process hollowing’, which involves spawning a new instance of a legitimate process and replacing its code with a malicious one, so that the malicious code runs instead of the original, tricking process monitoring tools and antivirus into believing that the original process is actually running.
“The hollowed explorer.exe process then spins up a second malicious instance, which drops and runs a coin mining malware masquerading as a legitimate Windows binary, wuauclt.exe.”
To persist on an infected system long enough to mine Electroneum coins with stolen computer resources, the Dofoil trojan modifies the Windows registry.
“The hollowed explorer.exe process creates a copy of the original malware in the Roaming AppData folder and renames it to ditereah.exe,” the researchers say. “It then creates a registry key or modifies an existing one to point to the newly created malware copy. In the sample we analyzed, the malware modified the OneDrive Run key.”
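The two persistence traits described above, a Run-key value repointed into Roaming AppData and a miner named after a Windows binary (wuauclt.exe) but launched from a user-writable path, are what a defender would audit a Run key for. The following Python is an added example, not Microsoft’s code or the report’s; the user profile path, the environment-variable expansion and the sample Run-key export are constructed assumptions.

```python
import ntpath
import re

# Genuine locations of Windows binaries that malware commonly impersonates;
# wuauclt.exe is the name Dofoil's miner used. Compared case-insensitively.
EXPECTED_DIR = {
    "wuauclt.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

# Minimal variable expansion; the profile path is an assumption for this demo.
ENV = {"%windir%": r"C:\Windows", "%appdata%": r"C:\Users\alice\AppData\Roaming"}


def image_path(command):
    """Return the executable path from a Run-key command line (quotes and arguments removed)."""
    cmd = command.strip()
    for var, value in ENV.items():
        cmd = re.sub(re.escape(var), lambda _: value, cmd, flags=re.IGNORECASE)
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    # Unquoted command lines: the first whitespace-delimited token is the image.
    return cmd.split()[0]


def check_run_entry(name, command):
    """Return the reasons a Run-key entry looks like Dofoil-style persistence ([] if none)."""
    directory, exe = ntpath.split(image_path(command))
    directory, exe = directory.lower().rstrip("\\"), exe.lower()
    reasons = []
    if "\\appdata\\roaming" in directory:
        reasons.append(f"{name}: autorun '{exe}' is launched from Roaming AppData")
    expected = EXPECTED_DIR.get(exe)
    if expected and directory != expected:
        reasons.append(f"{name}: '{exe}' impersonates a Windows binary but runs from {directory}")
    return reasons


def audit_run_key(entries):
    """Audit a {value_name: command} mapping exported from a Run key; returns all findings."""
    return [r for n, c in entries.items() for r in check_run_entry(n, c)]


# Constructed sample export of HKCU\...\CurrentVersion\Run, modelled on the report:
# the OneDrive value has been repointed to ditereah.exe in Roaming AppData.
RUN_KEY_SAMPLE = {
    "OneDrive": r'"C:\Users\alice\AppData\Roaming\ditereah.exe"',
    "SecurityHealth": r"%windir%\system32\SecurityHealthSystray.exe",
    "Updater": r"C:\Users\alice\AppData\Roaming\tools\wuauclt.exe /detectnow",
}

if __name__ == "__main__":
    print("\n".join(audit_run_key(RUN_KEY_SAMPLE)))
```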
Dofoil also connects to a remote command-and-control (C&C) server hosted on decentralized Namecoin network infrastructure and listens for new commands, including the installation of additional malware.
Microsoft says that the behavior monitoring and AI-based machine learning techniques used by Windows Defender Antivirus played an important role in detecting and blocking this massive malware campaign.