Microsoft has stopped a large scale malware distribution campaign that tried to infect almost 500,000 Windows PCs with a cryptocurrency miner.
Windows Defender antivirus software detected 80,000 instances of several Trojans with the payload known as Dofoil or Smoke loader, at noon PST on March 6.
Over the next 12 hours, Defender picked up over 400,000 more encounters with the Trojan, mainly in Russia, but also in Turkey and Ukraine. Dofoil uses a technique known as 'process hollowing' on the legitimate explorer.exe binary. The technique creates a new instance of the legitimate program but swaps out its in-memory code for the malware's, so the malicious code runs under the name of a trusted Windows process.
"To stay hidden, Dofoil modifies the registry," says Mark Simos, lead cyber security architect at Microsoft's Enterprise Cybersecurity Group, writing on the company's blog. "The hollowed explorer.exe process creates a copy of the original malware in the Roaming AppData folder and renames it to ditereah.exe. It then creates a registry key or modifies an existing one to point to the newly created malware copy. In the sample we analyzed, the malware modified the OneDrive Run key."
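The two host-level behaviours described above, a hollowed explorer.exe writing a copy of itself into the Roaming AppData folder and a Run key being repointed at that copy, are the kind of thing a defender can look for in endpoint telemetry. The following is an added example, not code from Microsoft's write-up or from Lastline: it runs two simple detection rules over a handful of constructed events whose fields are modelled loosely on Sysmon's file-create (ID 11) and registry-value-set (ID 13) records. The file name ditereah.exe and the OneDrive Run key come from the quoted analysis; every other path, SID and process name is invented for the example.

```python
import re

# Constructed sample telemetry. Field names (id, image, target, details) are
# a simplified stand-in for Sysmon's EventID, Image, TargetFilename/TargetObject
# and Details fields; paths and SIDs are made up for this example.
SAMPLE_EVENTS = [
    # hollowed explorer.exe drops a copy of the malware into Roaming AppData
    {"id": 11, "image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\alice\AppData\Roaming\ditereah.exe"},
    # the same process repoints the OneDrive Run value at that copy
    {"id": 13, "image": r"C:\Windows\explorer.exe",
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "details": r"C:\Users\alice\AppData\Roaming\ditereah.exe"},
    # benign: an updater writes a data file, not an executable, under Roaming
    {"id": 11, "image": r"C:\Program Files\App\updater.exe",
     "target": r"C:\Users\alice\AppData\Roaming\App\cache.dat"},
    # benign: the real OneDrive client sets its Run value to a path under AppData\Local
    {"id": 13, "image": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe",
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "details": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
]

# A value directly under a Run or RunOnce key (per-user or machine-wide).
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\[^\\]+$", re.IGNORECASE)
# Anything under the user's Roaming AppData folder.
ROAMING = re.compile(r"\\AppData\\Roaming\\", re.IGNORECASE)


def run_value_points_to_roaming(ev):
    """Registry rule: a Run/RunOnce value whose data points into Roaming AppData."""
    return (ev["id"] == 13
            and RUN_KEY.search(ev["target"]) is not None
            and ROAMING.search(ev.get("details", "")) is not None)


def explorer_drops_exe_in_roaming(ev):
    """File rule: explorer.exe itself writing an .exe into Roaming AppData."""
    return (ev["id"] == 11
            and ev["image"].lower().endswith("\\explorer.exe")
            and ROAMING.search(ev["target"]) is not None
            and ev["target"].lower().endswith(".exe"))


RULES = {
    "run_value_points_to_roaming": run_value_points_to_roaming,
    "explorer_drops_exe_in_roaming": explorer_drops_exe_in_roaming,
}


def triage(events):
    """Return (rule_name, event) pairs for every event that trips a rule."""
    hits = []
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((name, ev))
    return hits


if __name__ == "__main__":
    for name, ev in triage(SAMPLE_EVENTS):
        print(f"{name}: {ev['image']} -> {ev['target']}")
```

Neither rule is a signature for Dofoil specifically; they encode the two behaviours the write-up describes, and the two benign events show why the rules key on Roaming rather than on AppData as a whole and on executables rather than on any file. In a real deployment the same logic belongs in the SIEM or EDR query language, and hits should be followed by checking what the Run value actually points at and whether the explorer.exe that wrote the file is the one on disk.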
Other security experts have pointed out that the Dofoil code has many functions aimed at things beyond currency mining. Andy Norton, director of threat intelligence at breach visibility specialist Lastline, says: "Having an AV tool that removes the malicious code, or reimaging an infected system would appear to be the correct course of action to remediate this threat, but Smoke loader is very much more than a simple downloader, it has many data theft functions that target credentials. If just 10 percent of those 400,000 devices (located mainly in Russia) got infected, we now have 4,000 devices that are now vulnerable to a much greater threat than just coin mining."
You can find out more about the attack on the Microsoft blog.