Rapidly spreading crypto-mining malware infected 500,000 machines

by Olivia Morelli - -

A rapidly spreading cryptocurrency mining malware infected nearly 500,000 Microsoft Windows PCs in just 12 hours time period. The cryptocurrency mining malware also known as Dofoil or Smoke Loader was detected distributing a cryptocurrency miner application as payload on compromised PCs. These miners use victims’ CPUs in order to mine Electroneum coins as well as another cryptocurrency for attackers behind the malware.[1]

Rapidly spreading Dofoil trojan

Last week, Windows Defender Security software suddenly identified more than 80,000 samples of few versions of the Dofoil trojan. The instance increased the warning at Microsoft Windows Defender research department. In less than 21 hours more than 400,000 cases of infection were detected. 

The research team at Microsoft indicated that all these incidents rapidly distributing a cryptocurrency mining payload across users located in several countries including Russia, Turkey, and Ukraine. The digital coin-mining payload is masked as a legitimate Windows binary in order to avoid detection. 

Unfortunately, the research team did not mention how these infections were spread through such a huge volume of devices in such a short period of times.

Dofiol applies a customized crypto-mining program which is able to mine different cryptocurrencies, even though in this malicious attack the application was programmed to mine Electroneum. 

Researchers noted that Dofoil trojan uses relatively old injection method which is known as process hollowing. The method combines multiplying a new sample of a legitimate process with a malicious one. As a result, the malicious code runs instead of the original but the monitoring tools and antivirus engines are tricked into believing that the original process is running. 

The Dofoil trojan adjusts the Windows registry in order to stay persistence while mining Electroneum using infected computer’s resources.[2]

The hollowed explorer.exe process creates a copy of the original malware in the Roaming AppData folder and renames it to ditereah.exe,” the researchers say. “It then creates a registry key or modifies an existing one to point to the newly created malware copy. In the sample we analyzed, the malware modified the OneDrive Run key.

The trojan is able to connect to a command and control or C&C server which is hosted on decentralized Namecin network infrastructure. This way the malware listen for new commands that combine installation of more malicious software. 

Microsoft adds that the behavior monitoring and Artificial intelligence based machine learning techniques that apply Microsoft built-in Windows Defender security software has a huge impact on detecting and stopping Dofoil trojan campaign. 


About the author

Olivia Morelli
Olivia Morelli - Senior Media writer

Olivia Morelli is a senior media writer on Reviewedbypro.com. Her favorite topic to write about is ransomware attacks and how to deal with them, but she also enjoys covering the topics of other types of malware and VPNs.

Contact Olivia Morelli
About the company Esolutions


  • Tomas Statkus

    What’s the better way to avoid it?

now online
Like us on Facebook