The malware injected its own code into a legitimate Windows process (process hollowing) so that the coin miner could run under the name of a legitimate system binary and mine cryptocurrency while looking like normal activity. Microsoft says most of the attacks took place in Russia.
A large Dofoil trojan campaign this week attempted to install coin-mining malware on roughly 400,000 Windows PCs but was blocked by Windows Defender Antivirus.
This is according to a Microsoft blog post dated March 7. Microsoft says Windows Defender blocked more than 80,000 instances of the trojan just before noon on March 6. The trojans are new variants of Dofoil, also known as Smoke Loader.
Of the more than 400,000 instances recorded, 73 percent were in Russia, while Turkey accounted for 18 percent and Ukraine for 4 percent.
Dofoil first spawned a new instance of the legitimate 32-bit Explorer binary (c:\windows\syswow64\explorer.exe) and injected malicious code into it, replacing the legitimate code inside that process (process hollowing). The hollowed explorer.exe then spun up a second malicious instance, which dropped and ran the coin miner under the name of a legitimate Windows binary, wuauclt.exe, the Windows Update client. The name alone is the disguise: the real wuauclt.exe lives in %SystemRoot%\System32 and is not normally started by explorer.exe, so an image with that name running from a user profile directory or with explorer.exe as its parent is a masquerade worth investigating.
The blog says,
“For coin miner malware, persistence is key. These types of malware employ various techniques to stay undetected for long periods of time to mine coins using stolen computer resources.”
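The explorer.exe/wuauclt.exe chain described above is the kind of thing an analyst hunts for in an exported process inventory (pid, parent pid, image name, on-disk path) from Sysmon or an EDR. The following Python is an added example, not code from the original article or from Microsoft: it flags impersonated system binaries that run from the wrong directory or are started by the wrong parent, then walks the parent chain to find what started the hollowed explorer.exe. The expected-location and expected-parent tables are illustrative assumptions (build real ones from a clean baseline host), and the inventory is constructed, including the made-up dropper name invoice.exe.

```python
import csv
import io
import ntpath

# Where the impersonated binaries legitimately live on a 64-bit Windows
# install. Illustrative list (assumption); build a real one from a clean
# baseline host. Comparison is case-insensitive because NTFS paths are.
EXPECTED_DIRS = {
    "explorer.exe": {r"c:\windows", r"c:\windows\syswow64"},
    "wuauclt.exe": {r"c:\windows\system32"},
    "svchost.exe": {r"c:\windows\system32"},
    "winlogon.exe": {r"c:\windows\system32"},
    "userinit.exe": {r"c:\windows\system32"},
}

# Parents that normally launch these binaries (assumption): the shell is
# started by userinit.exe at logon or by another explorer.exe; the Windows
# Update client is started by the update service hosted in svchost.exe.
EXPECTED_PARENTS = {
    "explorer.exe": {"userinit.exe", "explorer.exe"},
    "wuauclt.exe": {"svchost.exe"},
}

# Constructed process inventory mimicking the chain in the article: a dropper
# (invoice.exe is a made-up name) starts a 32-bit explorer.exe, which starts a
# second one, which drops a miner named wuauclt.exe into the roaming profile.
SAMPLE_INVENTORY = r"""pid,ppid,name,image_path
616,548,winlogon.exe,C:\Windows\System32\winlogon.exe
3980,616,userinit.exe,C:\Windows\System32\userinit.exe
4012,3980,explorer.exe,C:\Windows\explorer.exe
4700,4012,invoice.exe,C:\Users\alice\Downloads\invoice.exe
5120,4700,explorer.exe,C:\Windows\SysWOW64\explorer.exe
5204,5120,explorer.exe,C:\Windows\SysWOW64\explorer.exe
5300,5204,wuauclt.exe,C:\Users\alice\AppData\Roaming\wuauclt.exe
1020,548,svchost.exe,C:\Windows\System32\svchost.exe
1880,1020,wuauclt.exe,C:\Windows\System32\wuauclt.exe
"""


def parse_inventory(text):
    """Parse the CSV inventory into a dict keyed by pid."""
    return {int(row["pid"]): row for row in csv.DictReader(io.StringIO(text))}


def parent_name(by_pid, proc):
    """Name of the parent process, or <unknown> if it is not in the export."""
    parent = by_pid.get(int(proc["ppid"]))
    return parent["name"].casefold() if parent else "<unknown>"


def check_process(by_pid, proc):
    """Return the findings for one process: wrong location, wrong parent."""
    findings = []
    name = proc["name"].casefold()
    image_dir = ntpath.dirname(proc["image_path"]).casefold()
    parent = parent_name(by_pid, proc)
    if name in EXPECTED_DIRS and image_dir not in EXPECTED_DIRS[name]:
        findings.append(f"{name} runs from unexpected location {proc['image_path']}")
    if name in EXPECTED_PARENTS and parent not in EXPECTED_PARENTS[name]:
        findings.append(f"{name} launched by unexpected parent {parent}")
    return findings


def find_masquerading(text):
    """Map pid -> findings for every process that trips a rule."""
    by_pid = parse_inventory(text)
    results = {}
    for pid, proc in by_pid.items():
        findings = check_process(by_pid, proc)
        if findings:
            results[pid] = findings
    return results


def ancestry(text, pid):
    """Walk the parent chain upward from pid, as an analyst would to find the
    dropper that started the hollowed explorer.exe. Stops at unknown pids."""
    by_pid = parse_inventory(text)
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid]["name"].casefold())
        pid = int(by_pid[pid]["ppid"])
    return chain


if __name__ == "__main__":
    for pid, findings in find_masquerading(SAMPLE_INVENTORY).items():
        print(pid, " <- ".join(ancestry(SAMPLE_INVENTORY, pid)))
        for finding in findings:
            print("   ", finding)
```

Against the constructed inventory the rules fire twice: on the first SysWOW64 explorer.exe (its parent is the dropper rather than userinit.exe or explorer.exe) and on the miner (wrong directory and wrong parent). The second explorer.exe instance is not flagged on its own, because explorer.exe spawning explorer.exe is ordinary shell behaviour; it is only exposed by walking the ancestry of the flagged miner back to the dropper.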
Windows Defender Antivirus first flagged the trojan through behavior monitoring. Multiple metadata-based machine learning models in the cloud then began blocking it, the anomaly detection alert notified Microsoft, and the response team confirmed it as a threat and classified it under its malware families.
According to Microsoft, Windows Defender Antivirus users on Windows 10, Windows 8.1, and Windows 7 are protected against the new mining malware; the company attributes the detection to its cloud-based machine learning models.
The attack bears out what security researchers have been warning about: attackers looking to monetize compromised machines are increasingly deploying coin miners instead of ransomware.
The same trend shows up elsewhere: tech support scam websites are quietly adding coin-mining scripts, and some banking trojan families are adding coin-mining behavior.
This is the latest attempt to hijack computer resources with coin miners. Recent examples include abuse of the Coinhive in-browser mining script and Loapi, an Android miner spread through ad campaigns and app stores.