Rapid spreading Windows attack drops mining malware over ransomware

The ransomware menace is not over but cybercriminals on Tuesday showed yet again that even when half a million vulnerable PCs are at stake, a cryptocurrency miner is the payload of choice.  

Microsoft on Wednesday touted a defensive victory over a fast-moving campaign that could have caused half a million PCs, unbeknownst to their owners, to work double-time on mining cryptocurrency for the sole benefit of cybercriminals. 

The plot was foiled by Microsoft’s cloud machine learning models that support Windows Defender antivirus, which quickly detected a surge in potential infections of a downloader trojan called Dofoil. 

Microsoft blocked 80,000 Dofoil infection attempts on Tuesday, and over a 12 hour period after the initial attack blocked over 400,000 further infection attempts. 

Dofoil, also known as Smoke Loader, can deliver any payload and historically has installed banking trojans and ransomware but on this week’s menu was mining malware that uses a CPU’s capacity to mine Electroneum coins. It does this without PC owner’s permission or compensation for the extra labor carried out by the PC.  

While overworking a CPU might seem harmless compared to fe encrypting ransomware, Microsoft took the outbreak seriously because the Dofoil infections could have delivered ransomware. 

“We made this a high priority because Dofoil/Smokeloader can drop a lot of payloads. What we did wasn't just to disrupt a 'relatively harmless' mining campaign, but to detect and interrupt a distribution vector that could just as easily have delivered ransomware to those targets,” Microsoft Windows Defender researcher Jessica Payne noted on Twitter

According to Microsoft, 73 percent of attempted Dofoil infections on Wednesday occurred in Russia, while 18 percent occurred in Turkey and and 4 percent in Ukraine. 

The Dofoil malware uses a technique called “process hollowing" to replace legitimate Windows binaries with look-a-like copies, only with malicious functionality.

Researchers at Kaspersky have also observed process hollowing used in campaigns to spread cryptocurrency miners. Victims were infected after being encountering adware and installing a bogus version of a legitimate app. 

Kaspersky noted it was difficult for antivirus to detect the malware because it triggered a system reboot when the victim attempted to kill the process through Task Manager. 

Join the newsletter!

Error: Please check your email address.
Have an opinion on security? Want to have your articles published on CSO? Please contact CSO Content Manager for our guidelines.

Tags malwareWindowsransomwareBitcoin

More about KasperskyMicrosoftTwitter

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Liam Tung

Latest Videos

More videos

Blog Posts