A massive malware outbreak that last week infected nearly half a million computers with cryptocurrency-mining malware in just a few hours was caused by a backdoored version of the popular BitTorrent client MediaGet.
Dubbed Dofoil (also known as Smoke Loader), the malware was found dropping a cryptocurrency miner as its payload on infected Windows computers, mining Electroneum digital coins for the attackers using the victims' CPU cycles.
The Dofoil campaign that hit PCs in Russia, Turkey and Ukraine on 6th March was discovered by the Microsoft Windows Defender research team, which blocked the attack before it could do any severe damage.
When the Windows Defender researchers first detected this attack, they did not say how the malware had been delivered to such a massive audience in just 12 hours.
However, after further investigation, Microsoft today revealed that the attackers targeted the update mechanism of the MediaGet BitTorrent software to push a trojanized version of it (mediaget.exe) to users' computers.
“A signed mediaget.exe downloads an update.exe program and runs it on the machine to install a new mediaget.exe. The new mediaget.exe program has the same functionality as the original but with additional backdoor capability,” the researchers explain in a blog post published today.
Researchers believe that MediaGet, which signed update.exe, is itself likely a victim of a supply-chain attack, similar to the CCleaner hack that infected over 2.3 million users with a backdoored version of the software in September 2017.
Also in this case, the attackers signed the poisoned update.exe with a different certificate and successfully passed the validation required by the legitimate MediaGet.
“The dropped update.exe is a packaged InnoSetup SFX which has an embedded trojanized mediaget.exe, update.exe. When run, it drops a trojanized unsigned version of mediaget.exe.”
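The validation weakness described above is that the updater accepted any update.exe carrying a valid Authenticode signature, regardless of who signed it. As an added example (not MediaGet's or Microsoft's code), the PowerShell check below accepts an update binary only if its signature is valid and the signer matches a pinned publisher thumbprint; the path and thumbprint are placeholders.

```powershell
# Added example: verify that an update binary is signed AND signed by the expected publisher.
# Checking only "is the signature valid?" is the gap a differently-signed update.exe slips through.
function Test-PinnedUpdaterSignature {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        # Placeholder: the SHA-1 thumbprint(s) of the vendor's genuine code-signing certificate
        [Parameter(Mandatory)] [string[]] $ExpectedThumbprints
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # 1. The file must carry a cryptographically valid, trusted signature.
    #    An unsigned drop (as with the trojanized mediaget.exe) fails here with 'NotSigned'.
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{
            Path = $Path; Accept = $false
            Reason = "Signature status: $($sig.Status)"
        }
    }

    # 2. The signer must be the expected publisher, not merely *a* valid signer.
    $signer = $sig.SignerCertificate
    if ($ExpectedThumbprints -notcontains $signer.Thumbprint) {
        return [pscustomobject]@{
            Path = $Path; Accept = $false
            Reason = "Valid signature but unexpected signer: $($signer.Subject) [$($signer.Thumbprint)]"
        }
    }

    return [pscustomobject]@{
        Path = $Path; Accept = $true
        Reason = "Signed by pinned publisher: $($signer.Subject)"
    }
}

# Example usage with placeholder values (constructed, not from the incident):
Test-PinnedUpdaterSignature -Path '<path-to-update.exe>' `
    -ExpectedThumbprints @('<EXPECTED-PUBLISHER-THUMBPRINT>')
```

Running the same check over the installed mediaget.exe would flag the dropped, unsigned variant as well, since it never reaches the signer comparison.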
Once updated, the malicious BitTorrent client with the added backdoor functionality randomly connects to one of four command-and-control (C&C) servers hosted on the decentralized Namecoin network infrastructure and listens for new commands.
It then immediately downloads the CoinMiner component from its C&C server and starts using the victims' computers to mine cryptocurrency for the attackers.
Using the C&C servers, the attackers can also command infected systems to download and install additional malware from a remote URL.
The researchers found that the trojanized BitTorrent client, detected by Windows Defender AV as Trojan:Win32/Modimer.A, has 98% similarity to the original MediaGet binary.
Microsoft says the behavior monitoring and AI-based machine learning techniques used by its Windows Defender Antivirus software played an important role in detecting and blocking this massive malware campaign.