Microsoft blocks a malware outbreak that could have earned big bucks for one criminal group.
Microsoft has blocked a rapidly spreading malware outbreak that could have infected nearly 500,000 Windows PCs within hours on March 6.
The trojan, known as Dofoil or Smoke Loader, was designed to deliver a range of payloads; in this campaign it dropped a cryptocurrency miner that used victims’ CPUs to mine Electroneum coins for the attackers.
Microsoft’s Windows Defender antivirus initially detected 80,000 instances of several trojans with this payload at noon PST on March 6. Over the next 12 hours, Windows Defender detected over 400,000 encounters with the trojan, predominantly in Russia, but also in Turkey and Ukraine.
Microsoft explains that Dofoil uses a technique called ‘process hollowing’ against the legitimate explorer.exe binary: it starts a new instance of the genuine program in a suspended state, replaces the code in that process’s memory with its own, and then resumes it, so the malicious code runs under the name and on-disk image of a trusted Windows binary.
“The hollowed explorer.exe process then spins up a second malicious instance, which drops and runs a coin-mining malware masquerading as a legitimate Windows binary, wuauclt.exe,” explained Mark Simos, a cybersecurity architect at Microsoft.
Kaspersky researchers observed sophisticated attackers using the process-hollowing technique to deliver miners that earned them millions of dollars in the second half of 2017.
Process hollowing is effective because the malicious code executes inside a process whose executable on disk is a genuine Windows binary, so antivirus and other tools that judge a process by its name, path or file hash see legitimate software. Kaspersky said victims are typically infected after downloading legitimate-looking software.
To persist on an infected PC, Dofoil modifies the Windows registry after hollowing explorer.exe.
“The hollowed explorer.exe process creates a copy of the original malware in the Roaming AppData folder and renames it to ditereah.exe. It then creates a registry key or modifies an existing one to point to the newly created malware copy. In the sample we analyzed, the malware modified the OneDrive Run key,” wrote Simos.
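As an added example (not Microsoft’s or Kaspersky’s code, and not from the article), the PowerShell below hunts for the traits described above on a live Windows host: the explorer.exe -> explorer.exe -> wuauclt.exe process chain, an explorer.exe or wuauclt.exe image running from outside %WINDIR%, and Run/RunOnce values that point into Roaming AppData or a value named OneDrive that no longer launches OneDrive. The file name ditereah.exe and the OneDrive value name come from the quoted analysis; what counts as a normal parent process or location is an assumption about a default Windows install, not something the article states.

```powershell
# Added example: hunt for the Dofoil/Smoke Loader traits described in the article.
# Not Microsoft's or Kaspersky's code. The "normal" locations and parents below
# are assumptions about a default Windows install (explorer.exe in %WINDIR%,
# wuauclt.exe in System32, launched by the Windows Update service host).

$findings = New-Object System.Collections.Generic.List[string]
$winDir   = $env:WINDIR
$roaming  = $env:APPDATA          # ...\AppData\Roaming, where ditereah.exe was dropped

# --- 1. Process tree: the masquerading wuauclt.exe and the second explorer.exe ---
$procs = Get-CimInstance Win32_Process |
         Select-Object ProcessId, ParentProcessId, Name, ExecutablePath
$byPid = @{}
foreach ($p in $procs) { $byPid[$p.ProcessId] = $p }

foreach ($p in $procs) {
    $name = $p.Name
    if ($name -notin @('explorer.exe', 'wuauclt.exe')) { continue }

    # Genuine copies of both binaries live under %WINDIR%; a copy anywhere else
    # (e.g. a user profile directory) is the dropped miner, not Windows Update.
    if ($p.ExecutablePath -and ($p.ExecutablePath -notlike "$winDir\*")) {
        $findings.Add("PID $($p.ProcessId): $name running from $($p.ExecutablePath)")
    }

    # ParentProcessId can refer to a recycled PID if the parent has exited, so
    # only reason about parents that are still alive in this snapshot.
    $parent = $byPid[$p.ParentProcessId]
    if (-not $parent) { continue }

    # The desktop shell is normally started by userinit.exe (which exits), so a
    # live explorer.exe parented by another explorer.exe is worth a look
    # (noise source: "Launch folder windows in a separate process"). The real
    # wuauclt.exe is a child of svchost.exe, not of the shell.
    if ($name -eq 'explorer.exe' -and $parent.Name -eq 'explorer.exe') {
        $findings.Add("PID $($p.ProcessId): explorer.exe spawned by explorer.exe (PID $($parent.ProcessId))")
    }
    if ($name -eq 'wuauclt.exe' -and $parent.Name -eq 'explorer.exe') {
        $findings.Add("PID $($p.ProcessId): wuauclt.exe spawned by explorer.exe (PID $($parent.ProcessId))")
    }
}

# --- 2. Persistence: Run/RunOnce values pointing into Roaming AppData ---
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$providerProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-ItemProperty -Path $key
    foreach ($prop in $item.PSObject.Properties) {
        if ($providerProps -contains $prop.Name) { continue }   # registry-provider metadata, not values
        $cmd = [string]$prop.Value
        if (-not $cmd) { continue }

        # Pull the executable out of the command line: a quoted path, or the
        # first whitespace-delimited token, then expand any %VAR% references.
        if ($cmd -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
        else { $exe = ($cmd -split '\s+', 2)[0] }
        $exe = [Environment]::ExpandEnvironmentVariables($exe)

        $reasons = @()
        if ($exe -like "$roaming\*") { $reasons += 'target is under AppData\Roaming' }
        # Dofoil repointed the value named "OneDrive"; the real one launches OneDrive.exe.
        if ($prop.Name -eq 'OneDrive' -and $exe -notlike '*\OneDrive*') {
            $reasons += 'value named OneDrive does not launch OneDrive'
        }
        if ((Test-Path -LiteralPath $exe) -and
            (Get-AuthenticodeSignature -LiteralPath $exe).Status -ne 'Valid') {
            $reasons += 'unsigned or invalid Authenticode signature'
        }
        if ($reasons) {
            $findings.Add("$key\$($prop.Name) -> $exe ($($reasons -join '; '))")
        }
    }
}

if ($findings.Count -eq 0) { 'No Dofoil-style indicators found.' } else { $findings }
```

Run it from an elevated prompt so HKLM and other users’ processes are visible. Two caveats: the image-path check cannot see the hollowed explorer.exe itself, whose on-disk image is the genuine one (catching that needs a comparison of the process’s in-memory PE against the file, which this script does not attempt), and an unsigned startup item is only a weak signal on its own, since plenty of legitimate software registers unsigned Run entries.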
Cryptocurrency mining may be even more lucrative to attackers than 2017’s main menace, file-encrypting ransomware. A key advantage of coin miners is that there is less risk of an infection failing to pay off, according to Renato Marinho, chief research officer of Morphus Labs.
Marinho in January discovered attackers exploiting vulnerable Oracle WebLogic servers, and while they could have installed ransomware or a data stealer, they opted to exclusively use the compromised servers to mine Monero, earning them over $200,000 in a matter of months.
“In my opinion, they are probably shifting from ransomware to mining, as with ransomware they do not have guarantees that they will receive the ransom while miners do not call much attention,” Marinho told ZDNet.
The WebLogic attack was relatively small scale compared with another campaign Marinho discovered in January, which had used a network of compromised machines to generate 4,273 Monero, at the time worth around $1.7m and today worth $1.3m.