Dofoil

Microsoft revealed today that Windows Defender stopped a massive malware distribution campaign that attempted to infect over 400,000 users with a cryptocurrency miner during a 12-hour period on March 6, 2018.

The Redmond-based OS maker attributes the detections to computers infected with the Dofoil malware, also known as Smoke Loader, a popular malware downloader.

Three-quarters of infection attempts detected in Russia

"Just before noon on March 6 (PST), Windows Defender AV blocked more than 80,000 instances of several sophisticated trojans that exhibited advanced cross-process injection techniques, persistence mechanisms, and evasion methods," said the Windows Defender Research team.

"Within the next 12 hours, more than 400,000 instances were recorded, 73% of which were in Russia. Turkey accounted for 18% and Ukraine 4% of the global encounters," researchers added.

Microsoft credits the immediate discovery of this trojan to its behavior-based and cloud-powered machine learning models included with Windows Defender.

The OS maker claims that its machine learning models picked up the new malware within milliseconds, classified the threat as malicious within seconds, and were actively blocking it within minutes.

"People affected by these infection attempts early in the campaign would have seen blocks under machine learning names like Fuery, Fuerboos, Cloxer, or Azden. Later blocks show as the proper family names, Dofoil or Coinminer," the Windows Defender Research team said.

Malware C&C servers located on Namecoin network

Microsoft says this new Dofoil variant attempted to hollow the legitimate OS process explorer.exe to inject malicious code.

The role of this malicious code was to spin off a second explorer.exe process that would download and run a cryptocurrency miner (coinminer) that was masquerading as a legitimate Windows binary, wuauclt.exe.

Microsoft says that Windows Defender picked up this operation as malicious because even though wuauclt.exe was a legitimate Windows binary, it was running from the wrong disk location.

Furthermore, the binary also generated suspicious traffic, as the coinminer attempted to contact its command and control (C&C) server, located on the decentralized Namecoin network infrastructure. This coinminer isn't the only recent malware family that stored C&C servers on Namecoin's .bit domains, with the first versions of the GandCrab ransomware doing the same.
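The wrong-location signal described above can be written as a check over process-creation events. This is an added example, not Microsoft's detection logic or code from the original article; the expected-directory table, the event fields and the sample events are constructed assumptions for a default install with system root C:\Windows.

```python
import ntpath

# Assumption: expected directories on a default install (system root C:\Windows).
EXPECTED_DIRS = {
    "wuauclt.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows", r"c:\windows\syswow64"},
}


def normalize(image_path):
    """Lower-case, unify separators and collapse '..' so path tricks cannot hide a mismatch."""
    cleaned = image_path.strip().strip('"')
    return ntpath.normcase(ntpath.normpath(cleaned))


def check_event(event):
    """Return a finding if a watched binary name runs outside its expected directory."""
    image = normalize(event["image"])
    directory, name = ntpath.split(image)
    expected = EXPECTED_DIRS.get(name)
    if expected is None or directory in expected:
        return None
    return {"pid": event["pid"], "name": name, "image": image,
            "expected": sorted(expected)}


def scan(events):
    """Run the check over a list of events and keep only the findings."""
    return [finding for finding in map(check_event, events) if finding]


# Constructed sample events (hypothetical fields: pid, image).
SAMPLE_EVENTS = [
    {"pid": 1204, "image": r"C:\Windows\explorer.exe"},
    {"pid": 3312, "image": r"C:\Windows\System32\wuauclt.exe"},
    {"pid": 4120, "image": r"C:\Users\alice\AppData\Roaming\wuauclt.exe"},
    {"pid": 4188, "image": r"C:\Windows\System32\..\Temp\WUAUCLT.EXE"},
    {"pid": 4301, "image": "C:/Windows/SysWOW64/explorer.exe"},
    {"pid": 4410, "image": r"C:\Program Files\Tool\tool.exe"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print("pid %(pid)d: %(name)s running from %(image)s" % finding)
```

A name match alone is only a lead; in practice it would be combined with other signals the article mentions, such as the process's network traffic.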

Malware tried to mine Electroneum

Microsoft says the coinminer tried to mine the Electroneum cryptocurrency.

Windows 10, Windows 8.1, and Windows 7 users running the Windows Defender AV or Microsoft Security Essentials security software were automatically protected, Microsoft said.

Other antivirus vendors also most likely picked up this threat, as Dofoil (Smoke Loader) is a well-known malware strain that's been extremely active since 2014.
