News: Massive Coin-Mining Attempt Targets Nearly Half a Million PCs

Started 1 week ago | Discussions thread
ADMint Veteran Member • Posts: 4,191

For those worried about telemetry think again...

Massive Coin-Mining Attempt Targets Nearly Half a Million PCs

Microsoft has averted a massive and widespread campaign that would have seen tens of thousands of machines impacted.

The software giant reported that on March 6, "Windows Defender AV blocked more than 80,000 instances of several sophisticated Trojans that exhibited advanced cross-process injection techniques, persistence mechanisms and evasion methods." The Trojans, which are new variants of Dofoil (also known as Smoke Loader), carry a coin-miner payload. "Within the next 12 hours, more than 400,000 new instances were recorded, 73% of which were in Russia. Turkey accounted for 18% and Ukraine 4%," Microsoft stated.

Dofoil uses a customized mining application that supports a function called NiceHash, which means it can mine different cryptocurrencies. The samples Microsoft analyzed mined Electroneum coins. It burrowed into systems using a process called process hollowing.

“Process hollowing is a code injection technique that involves spawning a new instance of a legitimate process...and then replacing the legitimate code with malware,” explained Mark Simos, lead cybersecurity architect for Microsoft’s enterprise cybersecurity group, in a blog. “The hollowed explorer.exe process then spins up a second malicious instance, which drops and runs a coin mining malware masquerading as a legitimate Windows binary.”

The attack was picked up on thanks to its use of an unusual persistence mechanism, which triggered behavior-based alerts. For coin-miner malware, it’s required to stay undetected for long periods in order to mine enough coins to make the attack worth its while.

In this case, Dofoil modifies the registry.

“The hollowed explorer.exe process creates a copy of the original malware in the Roaming AppData folder and renames it to ditereah.exe,” Simos said. “It then creates a registry key or modifies an existing one to point to the newly created malware copy. In the sample we analyzed, the malware modified the OneDrive Run key.”

Dofoil is only the latest malware family to incorporate coin miners in attacks; it’s becoming a popular payload thanks to the skyrocketing value of Bitcoin and other cryptocurrencies. Exploit kits are now delivering coin miners instead of ransomware, scammers are adding coin-mining scripts into fake tech support websites, and some banking Trojans have added coin-mining behavior to their bags of tricks.

Source: Massive Coin-Mining Attempt Targets Nearly Half a Million PCs

Ten forums discussion - Microsoft (Telemetry) Foils Massive Coin-mining Exploit Attempt

How to Enable Windows Defender Block at First Sight in Windows 10 (those running 1709 will need to "Open Windows Security Center", click "Virus & Threat Protection", then "Virus & Threat Protection settings"). Anyway, these settings should be set by default unless you've made changes.

For those using third-party AVs, see these articles...

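A defender-side check that follows from the persistence mechanism described in the article, added here as an example (not code from the post, from Microsoft, or from the linked articles): parse the HKCU Run key from a `reg export` and flag values that launch a binary dropped directly into the Roaming AppData folder, or a value named OneDrive that launches something other than OneDrive.exe. The export text, the user name `alice` and the Discord entry are constructed sample input; the `ditereah.exe` file name and the OneDrive value name come from the article.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample of a `reg export` of the HKCU Run key; the OneDrive value
# has been repointed at a copy dropped straight into AppData\Roaming.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\alice\\AppData\\Roaming\\ditereah.exe"
"Discord"="C:\\Users\\alice\\AppData\\Local\\Discord\\Update.exe --processStart Discord.exe"
"""

VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')


def parse_run_values(reg_text):
    """Return {value_name: command_line} from a .reg export of a Run key."""
    values = {}
    for line in reg_text.splitlines():
        m = VALUE_RE.match(line.strip())
        if m:
            # .reg files escape backslashes inside REG_SZ data as "\\"
            values[m.group("name")] = m.group("data").replace("\\\\", "\\")
    return values


def executable_path(command_line):
    """Extract the executable from a Run command line (quoted path or first token)."""
    cmd = command_line.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(" ")[0]


def suspicious_run_entries(reg_text):
    """Return (value_name, exe_path, reason) for Run entries matching the article's pattern."""
    findings = []
    for name, cmd in parse_run_values(reg_text).items():
        exe = executable_path(cmd)
        parts = [p.lower() for p in PureWindowsPath(exe).parts]
        if "appdata" in parts:
            tail = parts[parts.index("appdata") + 1:]
            # A binary sitting directly in AppData\Roaming (no vendor subfolder) is unusual.
            if tail[:1] == ["roaming"] and len(tail) == 2:
                findings.append((name, exe, "executable dropped directly in Roaming AppData"))
        # The article notes the OneDrive Run value was modified to point at the copy.
        if name.lower() == "onedrive" and PureWindowsPath(exe).name.lower() != "onedrive.exe":
            findings.append((name, exe, "value named OneDrive launches a different binary"))
    return findings
```

Running `suspicious_run_entries(SAMPLE_REG_EXPORT)` reports the OneDrive entry twice (once per reason) and leaves the Discord entry alone.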