Windows Defender Puts The Kibosh On 80,000 Instances Of Cryptocurrency Mining Trojans

Windows Security Feature2 1920
Microsoft's Windows Defender was working hard this week, and according to Microsoft, just before noon on March 6 the AV suite put the brakes on 80,000 instances of several sophisticated trojans. These trojans were especially dastardly because they had advanced cross-process injection techniques, persistence mechanisms, and evasion methods. All the trojans are new versions of Dofoil (also known as Smoke Loader) and they carry a coin miner payload.

Microsoft wrote, "Within the next 12 hours, more than 400,000 instances were recorded, 73% of which were in Russia. Turkey accounted for 18% and Ukraine 4% of the global encounters."

Microsoft notes that Windows Defender AV flagged the "unusual persistence mechanism" of the attack via behavior monitoring and sent the information to the behavior-based signal to the cloud protection service. Microsoft notes that Windows 10, 8.1, and 7 users running Windows Defender AV or Microsoft Security Essentials are protected from this outbreak.

dofoil 1

Microsoft wrote, "Within milliseconds, multiple metadata-based machine learning models in the cloud started blocking these threats at first sight. After analysis, our response team updated the classification name of this new surge of threats to the proper malware families. People affected by these infection attempts early in the campaign would have seen blocks under machine learning names like Fuery, Fuerboos, Cloxer, or Azden. Later blocks show as the proper family names, Dofoil or Coinminer."

dofoil process 1
(Click to Enlarge)

Dofoil is one of the latest (of many) malware attacks that incorporate coin miners. The value of cryptocurrency has led many malware programmers to integrate mining software into their attacks. Microsoft says that exploit kits are delivering coin miners rather than ransomware. Dofoil started with a trojan that performs process hollowing on explorer.exe. Process hollowing is an attack that spawns a new instance of a legitimate process and replaces the legitimate code with malware. The hollowed explorer.exe process is able to run coin mining malware that hides as a legitimate Windows binary called wuauclt.exe.

Microsoft notes the command and control function of the malware uses the decentralized Namecoin network infrastructure. Microsoft wrote, "The hollowed explorer.exe process writes and runs another binary, D1C6.tmp.exe into the Temp folder. D1C6.tmp.exe then drops and executes a copy of itself named lyk.exe. Once running, lyk.exe connects to IP addresses that act as DNS proxy servers for the Namecoin network.
"It then attempts to connect to the C&C server vinik.bit inside the NameCoin infrastructure. The C&C server commands the malware to connect or disconnect to an IP address; download a file from a certain URL and execute or terminate the specific file; or sleep for a period of time."