The malware campaign dubbed Dofoil (also known as Smoke Loader) was discovered carrying a coin miner payload on infected Windows computers that mine Electroneum digital coins for attackers using victims’ CPUs. The massive malware outbreak took place on last Tuesday, March 6 when the Windows Defender Antivirus (AV) team suddenly detected more than 80,000 instances of several variants of Dofoil. Within the next 12 hours, more than 400,000 instances were recorded. Microsoft’s Windows Defender research department sprang into action using its behavior monitoring and AI-based machine learning techniques to detect and block the attack within milliseconds before it could cause any more severe damages. In an in-depth report published by Microsoft, engineers at the firm’s Window Defender research department revealed that its anti-virus system detected “several sophisticated trojans” spreading rapidly across Russia, Turkey and Ukraine. However, there was no mention in the report on how the malware was delivered to such a huge audience in just 12 hours. On further investigation, the Windows Defender team found that most of the malicious files were written by a process called mediaget.exe. “This process is related to MediaGet, a BitTorrent client that we classify as potentially unwanted application (PUA). MediaGet is often used by people looking to download programs or media from websites with dubious reputation. Downloading through peer-to-peer file-sharing apps like this can increase the risk of downloading malware,” the Windows Defender team said in its new report. The attackers pushed its trojanized version (mediaget.exe) to users’ computers by targeting the update mechanism of MediaGet BitTorrent software. According to Microsoft, it was a “carefully planned attack” by attackers that was implemented in mid-February, about a fortnight before the malware was distributed. “To set the stage for the outbreak, attackers performed an update poisoning campaign that installed a trojanized version of MediaGet on computers,” the Windows Defender Research team wrote. “A signed mediaget.exe downloads an update.exe program and runs it on the machine to install a new mediaget.exe. The new mediaget.exe program has the same functionality as the original but with additional backdoor capability,” the researchers added. The attackers signed the poisoned update.exe with a different certificate to successfully pass the validation required by the legitimate MediaGet. In this case, the third-party company that signed update.exe is likely to be a victim, believes Microsoft. “The dropped update.exe is a packaged InnoSetup SFX which has an embedded trojanized mediaget.exe, update.exe. When run, it drops a trojanized unsigned version of mediaget.exe. The researchers found that the trojanized BitTorrent client, detected by Windows Defender AV as Trojan:Win32/Modimer.A, is 98 percent like the legit MediaGet binary. It shows the same functionality as the original one, but it is not signed by any parties and has additional backdoor functionality. Once updated, the malicious BitTorrent software with additional backdoor functionality randomly connects to one of the four C&C (command-and-control) servers hosted on decentralized Namecoin network infrastructure and listens for new commands. It then instantly downloads CoinMiner component from its C&C server, and starts using victims’ computers to mine cryptocurrencies for the attackers. The attackers can also command infected systems to download and install additional malware from a remote URL using the C&C servers. The Dofoil variant used in the attack showed advanced cross-process injection techniques, persistence mechanisms, and evasion methods. All those users who are running Windows Defender AV or Microsoft Security Essentials on Windows 10, Windows 8.1, and Windows 7 are protected from this latest outbreak. Source: THN, ZDNet