Microsoft has pulled off something of a Superman save: its Windows Defender antivirus stopped a large-scale malware distribution campaign that tried to infect almost 500,000 Windows PCs with a cryptocurrency miner.
Microsoft says in a blog post that Windows Defender Antivirus detected more than 80,000 instances of trojans identified as variants of Dofoil (also known as Smoke Loader), carrying a coin-miner payload. Over the next 12 hours, Defender recorded more than 400,000 further encounters with the trojan, mostly in Russia, with smaller numbers in Turkey and Ukraine. Dofoil uses a technique known as 'process hollowing' against the legitimate explorer.exe binary: it spawns a new instance of the legitimate program in a suspended state, replaces that process's code in memory with its own, and then lets it run, so the malicious code executes under the name and image path of a trusted Windows process.
“To stay hidden, Dofoil modifies the registry,” says the company in the blog. “The hollowed explorer.exe process creates a copy of the original malware in the Roaming AppData folder and renames it to ditereah.exe. It then creates a registry key or modifies an existing one to point to the newly created malware copy. In the sample we analyzed, the malware modified the OneDrive Run key.”
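The persistence step quoted above lends itself to a straightforward hunt: list the autostart values under the Run key and flag any whose executable lives in the user-writable Roaming AppData folder, or whose well-known name (such as OneDrive) no longer launches the program it is supposed to. The script below is an added example, not Microsoft's code or tooling. It parses the text format produced by `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` (one value per line: name, type, data), expands `%VAR%` references from a supplied environment map, and returns the suspicious entries. The registry sample, the environment map and the value names other than OneDrive are constructed, and the `EXPECTED_BASENAME` baseline is a hypothetical starting point to extend for your own environment.

```python
"""Triage Windows Run-key autostart entries for Dofoil-style persistence.

Added example, not Microsoft's code. Works offline on the text that
`reg query HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run` prints.
"""
import ntpath
import re
from typing import Dict, List, NamedTuple, Tuple

# Hypothetical baseline (assumption, extend for your environment): for
# well-known autostart value names, the executable basename they should launch.
EXPECTED_BASENAME: Dict[str, str] = {
    "onedrive": "onedrive.exe",
}

# Constructed `reg query` output. The OneDrive line mirrors the behaviour in
# Microsoft's write-up (Run value repointed at ditereah.exe in Roaming AppData);
# Updater is a made-up entry showing what the AppData check also catches.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Roaming\ditereah.exe"
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    Notepad++    REG_SZ    "C:\Program Files\Notepad++\notepad++.exe" -nosession
    Updater    REG_EXPAND_SZ    %APPDATA%\svc\updater.exe
"""

# Constructed environment for %VAR% expansion (keys are lower-cased).
SAMPLE_ENV: Dict[str, str] = {
    "windir": r"C:\Windows",
    "appdata": r"C:\Users\alice\AppData\Roaming",
    "localappdata": r"C:\Users\alice\AppData\Local",
}

_LINE_RE = re.compile(r"^\s{2,}(?P<name>\S.*?)\s{2,}(?P<type>REG_\w+)\s{2,}(?P<data>.*)$")
_ENV_RE = re.compile(r"%([^%]+)%")


class Finding(NamedTuple):
    value_name: str
    exe_path: str
    reasons: List[str]


def parse_reg_query(text: str) -> List[Tuple[str, str]]:
    """Return (value name, data) pairs; the key-path header line is skipped."""
    entries = []
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if m:
            entries.append((m.group("name"), m.group("data").rstrip()))
    return entries


def expand_env(path: str, env: Dict[str, str]) -> str:
    """Case-insensitive %VAR% expansion; unknown variables are left as-is."""
    return _ENV_RE.sub(lambda m: env.get(m.group(1).lower(), m.group(0)), path)


def extract_exe(command: str) -> str:
    """Pull the executable path out of an autostart command line."""
    command = command.strip()
    if not command:
        return ""
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:] if end == -1 else command[1:end]
    tokens = command.split()
    # Unquoted path with spaces: mimic CreateProcess, which tries progressively
    # longer space-separated prefixes; take the first one that names an .exe.
    for i in range(1, len(tokens) + 1):
        candidate = " ".join(tokens[:i])
        if candidate.lower().endswith(".exe"):
            return candidate
    return tokens[0]


def assess_entry(name: str, data: str, env: Dict[str, str]) -> Tuple[str, List[str]]:
    """Return the resolved executable and the reasons (if any) it looks suspicious."""
    exe = expand_env(extract_exe(data), env)
    low = exe.lower().replace("/", "\\")
    reasons = []
    if "\\appdata\\roaming\\" in low:
        reasons.append("target lives under Roaming AppData, the user-writable folder Dofoil drops its copy into")
    expected = EXPECTED_BASENAME.get(name.lower())
    if expected is not None and ntpath.basename(low) != expected:
        reasons.append(f"well-known value {name!r} launches {ntpath.basename(exe)!r}, expected {expected!r}")
    return exe, reasons


def hunt_run_keys(reg_text: str, env: Dict[str, str]) -> List[Finding]:
    """Run the checks over every value in the Run key and collect findings."""
    findings = []
    for name, data in parse_reg_query(reg_text):
        exe, reasons = assess_entry(name, data, env)
        if reasons:
            findings.append(Finding(name, exe, reasons))
    return findings


if __name__ == "__main__":
    for f in hunt_run_keys(SAMPLE_REG_QUERY, SAMPLE_ENV):
        print(f"{f.value_name}: {f.exe_path}")
        for r in f.reasons:
            print("   -", r)
```

On a live host, feed the script the saved output of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run`, and repeat for the HKLM Run key and the RunOnce keys, which the same code parses. Treat the result as a triage list rather than a verdict: some legitimate software does autostart from Roaming AppData, so each hit still needs a look at the file's signature and hash. The OneDrive check is the more specific signal, since the write-up describes exactly that value being repointed at the dropped copy.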
Beta News quotes other security researchers saying, “Having an AV tool that removes the malicious code, or reimaging an infected system, would appear to be the correct course of action to remediate this threat, but Smoke Loader is very much more than a simple downloader; it has many data theft functions that target credentials. If just 10 percent of those 400,000 devices (located mainly in Russia) got infected, we now have 4,000 devices that are now vulnerable to a much greater threat than just coin mining.”