A rapidly spreading cryptocurrency-mining malware campaign infected nearly 500,000 Microsoft Windows PCs in a period of roughly 12 hours. The malware, known as Dofoil or Smoke Loader, was observed dropping a cryptocurrency miner as its payload on compromised PCs. The miner uses the victims’ CPUs to mine Electroneum coins for the attackers behind the malware.
Last week, Windows Defender antivirus suddenly flagged more than 80,000 samples of several versions of the Dofoil trojan, which raised an alert within Microsoft’s Windows Defender research team. Within the next 12 hours, more than 400,000 instances of the infection had been detected.
Microsoft’s research team said these incidents were rapidly spreading a cryptocurrency-mining payload to users in several countries, including Russia, Turkey, and Ukraine. The coin-mining payload masquerades as a legitimate Windows binary in order to avoid detection.
Unfortunately, the research team did not say how the infections reached such a large number of devices in such a short time.
Dofoil uses a customised crypto-mining program that is capable of mining several cryptocurrencies, although in this campaign it was configured to mine Electroneum.
Researchers noted that the Dofoil trojan uses a relatively old code-injection technique known as process hollowing. The malware starts a new instance of a legitimate process (here explorer.exe) and replaces its in-memory code with malicious code. As a result, the malicious code runs inside what looks like the legitimate process, and monitoring tools and antivirus engines are tricked into believing that the original program is running.
The Dofoil trojan modifies the Windows registry in order to remain persistent while mining Electroneum with the infected computer’s resources.
“The hollowed explorer.exe process creates a copy of the original malware in the Roaming AppData folder and renames it to ditereah.exe,” the researchers say. “It then creates a registry key or modifies an existing one to point to the newly created malware copy. In the sample we analyzed, the malware modified the OneDrive Run key.”
The trojan connects to a command-and-control (C&C) server hosted on the decentralized Namecoin network infrastructure, from which it listens for new commands, including instructions to install additional malicious software.
Microsoft adds that the behavior monitoring and machine-learning-based detection built into its Windows Defender security software were central to detecting and stopping the Dofoil campaign.
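The three behaviours described above (explorer.exe hollowing, Run-key persistence into Roaming AppData, and C&C over Namecoin) can each be turned into a triage heuristic over endpoint telemetry. The script below is an added example written for this article, not Microsoft’s detection logic or anything from the Dofoil report; it runs over constructed Sysmon-style events, and the field names, the allow-lists, the `.bit` check and every path and domain other than ditereah.exe, the Roaming AppData location and the OneDrive Run key are assumptions made for illustration.

```python
"""Triage heuristics for the Dofoil behaviours described in the article, run over
constructed Sysmon-style events. Added example, not Microsoft's detection logic;
field names and the allow-lists below are assumptions."""
from typing import Dict, List

Event = Dict[str, str]

# Constructed sample telemetry modelled loosely on Sysmon event fields
# (id 1 = process create, 13 = registry value set, 22 = DNS query).
# Only ditereah.exe, the Roaming AppData drop location and the OneDrive Run
# key come from the report; every other path, name and domain is made up.
SID = r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
SAMPLE_EVENTS: List[Event] = [
    {"id": "1", "image": r"C:\Windows\explorer.exe",
     "parent": r"C:\Windows\System32\userinit.exe"},                    # normal logon
    {"id": "1", "image": r"C:\Windows\explorer.exe",
     "parent": r"C:\Users\alice\AppData\Local\Temp\setup_helper.exe"}, # dropper spawning explorer.exe
    {"id": "1", "image": r"C:\Users\alice\AppData\Roaming\svchost.exe",
     "parent": r"C:\Windows\explorer.exe"},                             # system binary name, wrong path
    {"id": "13", "key": SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "value": r"C:\Users\alice\AppData\Roaming\ditereah.exe"},          # persistence from the report
    {"id": "13", "key": SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "value": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},  # legitimate
    {"id": "22", "query": "update.microsoft.com"},
    {"id": "22", "query": "payload-server.bit"},                         # Namecoin-resolved TLD
]

# Assumed allow-lists; tune them to the environment before relying on them.
EXPECTED_EXPLORER_PARENTS = {"userinit.exe", "explorer.exe", "winlogon.exe"}
SYSTEM_BINARY_NAMES = {"svchost.exe", "explorer.exe", "wuauclt.exe", "lsass.exe", "csrss.exe"}
RUN_KEYS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")


def basename(path: str) -> str:
    """Last path component, lower-cased, with surrounding quotes removed."""
    return path.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def explorer_with_odd_parent(ev: Event) -> bool:
    """Hollowing starts a fresh explorer.exe from the dropper, so the parent is
    not one of the processes that normally launch explorer.exe. This is a
    log-based heuristic only: the image path of a hollowed process is legitimate."""
    return (basename(ev["image"]) == "explorer.exe"
            and basename(ev["parent"]) not in EXPECTED_EXPLORER_PARENTS)


def system_name_outside_windows(ev: Event) -> bool:
    """A well-known Windows binary name executing from outside C:\\Windows,
    the pattern behind a payload 'masked as a legitimate Windows binary'."""
    return (basename(ev["image"]) in SYSTEM_BINARY_NAMES
            and not ev["image"].lower().startswith("c:\\windows\\"))


def run_key_into_roaming(ev: Event) -> bool:
    """Run/RunOnce value that launches something from AppData\\Roaming.
    Narrowed to Roaming on purpose: legitimate per-user entries such as
    OneDrive itself live under AppData\\Local and would otherwise be flagged."""
    key, value = ev["key"].lower(), ev["value"].lower()
    return any(k in key for k in RUN_KEYS) and "\\appdata\\roaming\\" in value


def namecoin_query(ev: Event) -> bool:
    """.bit names are resolved through Namecoin rather than the public DNS root,
    so a lookup for one from a corporate host is worth a look."""
    return ev["query"].lower().rstrip(".").endswith(".bit")


def hunt(events: List[Event]) -> List[str]:
    """Apply every heuristic and return one finding per matching event."""
    findings: List[str] = []
    for ev in events:
        if ev["id"] == "1":
            if explorer_with_odd_parent(ev):
                findings.append(f"explorer.exe spawned by unexpected parent {ev['parent']}")
            if system_name_outside_windows(ev):
                findings.append(f"system binary name outside C:\\Windows: {ev['image']}")
        elif ev["id"] == "13" and run_key_into_roaming(ev):
            findings.append(f"Run key persistence into Roaming AppData: {ev['key']} -> {ev['value']}")
        elif ev["id"] == "22" and namecoin_query(ev):
            findings.append(f"DNS query for Namecoin name: {ev['query']}")
    return findings


if __name__ == "__main__":
    for line in hunt(SAMPLE_EVENTS):
        print(line)
```

On the constructed events the script reports four findings: the explorer.exe started from a Temp-folder executable, the svchost.exe running from Roaming AppData, the OneDrive Run value repointed at ditereah.exe, and the `.bit` lookup, while the genuine OneDrive Run entry and the normal logon-time explorer.exe pass. These are triage filters, not proof: confirming hollowing requires comparing the process’s in-memory image with the file on disk, which no log line can show.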