Microsoft has averted a massive and widespread campaign that would have seen tens of thousands of machines impacted.
The software giant reported that on March 6, “Windows Defender AV blocked more than 80,000 instances of several sophisticated Trojans that exhibited advanced cross-process injection techniques, persistence mechanisms and evasion methods.” The Trojans, which are new variants of Dofoil (also known as Smoke Loader), carry a coin-miner payload. “Within the next 12 hours, more than 400,000 new instances were recorded, 73% of which were in Russia. Turkey accounted for 18% and Ukraine 4%,” Microsoft stated.
Dofoil uses a customized mining application that supports a function called NiceHash, which means it can mine different cryptocurrencies. The samples Microsoft analyzed mined Electroneum coins. It burrowed into systems using a process called process hollowing.
“Process hollowing is a code injection technique that involves spawning a new instance of legitimate process…and then replacing the legitimate code with malware,” explained Mark Simos, lead cybersecurity architect for Microsoft’s enterprise cybersecurity group in a blog. “The hollowed explorer.exe process then spins up a second malicious instance, which drops and runs a coin mining malware masquerading as a legitimate Windows binary.”
The attack was picked up on thanks to its use of an unusual persistence mechanism, which triggered behavior-based alerts. For coin-miner malware, it’s required to stay undetected for long periods in order to mine enough coins to make the attack worth its while.
In this case, Dofoil modifies the registry.
“The hollowed explorer.exe process creates a copy of the original malware in the Roaming AppData folder and renames it to ditereah.exe,” Simos said. “It then creates a registry key or modifies an existing one to point to the newly created malware copy. In the sample we analyzed, the malware modified the OneDrive Run key.”
Dofoil is only the latest malware family to incorporate coin miners in attacks; it’s becoming a popular payload thanks to the skyrocketing value of Bitcoin and other cryptocurrencies. Exploit kits are now delivering coin miners instead of ransomware, scammers are adding coin-mining scripts into fake tech support websites, and some banking Trojans have added coin-mining behavior to their bags of tricks.