The outbreak happened last Tuesday, on March 6. Microsoft said that the Windows Defender team picked up and stopped a massive malware operation that came out of the blue and attempted to infect mostly Russian and Turkish users with the Dofoil (Smoke Loader) trojan.
Microsoft published an in-depth report of how the malware operated, revealing Dofoil would later try to download and install a Monero miner.
At the time, Microsoft did not reveal how Dofoil landed on users' computers, mainly because it was not entirely sure. Now, the company has published more details, and according to the Windows Defender team, the Dofoil malware landed on users' computers via a file named my.dat, created by mediaget.exe —the MediaGet BitTorrent client's binary.
"Our continued investigation on the Dofoil outbreak revealed that the March 6 campaign was a carefully planned attack with initial groundwork dating back to mid-February," the Windows Defender team said today in a new report.
Microsoft alleges hackers broke into MediaGet's infrastructure, and sometimes between February 12 and 19, attackers managed to replace the official MediaGet installer with one that also included a backdoor.
Hackers then allowed for a two-week window so users would install or update to the new MediaGet versions, the one containing the backdoor.
Attackers started running first tests on March 1, by using the backdoor to plant malware on users' computers and sprung their main attack on March 6, when they delivered the Dofoil+coinminer malware combo.
During their attack, crooks also used a stolen digital certificate to sign the poisoned MediaGet update, in an attempt to avoid detection.
Microsoft said it notified both MediaGet and the company's whose certificate crooks have abused. Bleeping Computer could not reach MediaGet for additional comments on the incident, mainly to clarify how hackers broke into their network.
This incident is not the first time when hackers broke into websites to poison a BitTorrent client with malware. Previously, hackers breached the site of the Transmission BitTorrent client on two separate occasions. First, they distributed the KeRanger ransomware, and later the Keydnap infostealer malware, both incidents aimed at Mac users.
Image credits: Microsoft