Windows 10 warning: Beware staff planting cryptominers on work systems, says Microsoft

Microsoft now sees over 600,000 PCs exposed to coin-mining malware each month.
Written by Liam Tung, Contributing Writer

Video: Microsoft's reverse-engineering unveils secrets of FinFisher government spyware.

Microsoft says it's seen a huge surge in coin-mining trojans hitting Windows PCs across the world in the past six months and is cautioning businesses not to treat them as a nuisance but as a serious threat.

Between September 2017 and January 2018 on average 644,000 computers become potentially infected with coin-mining malware, according to Microsoft's Windows Defender researchers Alden Pornasdoro, Michael Johnson, and Eric Avena.

The rise of trojan cryptocurrency miners and browser-based cryptojacking has coincided with a drop in ransomware infections.

But while there's a consensus that ransomware is a menace, coin-mining malware that drains energy and processing capacity is often just viewed as an irritant.

Microsoft even had to defend last week's action against the massive Dofoil outbreak, which attempted to infect over 400,000 PCs with a coin-miner.

Windows Defender researcher Jessica Payne said the team treated the Dofoil outbreak as a priority because it could have also been used to deliver ransomware.

Special report: Cybersecurity in an IoT and mobile world (free PDF)

"What we did wasn't just to disrupt a 'relatively harmless' mining campaign, but to detect and interrupt a distribution vector that could just as easily have delivered ransomware to those targets," Payne wrote on Twitter.

A Microsoft spokesperson told ZDNet it soon plans to reveal exactly how Dofoil was spread, but noted there was a "correlation with certain file-sharing and internet download programs".

Microsoft malware researchers also believe that employees putting unauthorized miners on powerful company systems is another threat.

It classifies these instances as potentially unwanted applications (PUAs), which it notes might be harder to detect than their trojan counterparts if they're configured to work below a certain threshold.

In January, Microsoft saw a "huge jump" to 1,800 coin-miners detected in enterprise environments. PUA coin-miners represented about six percent of all PUAs blocked by Windows Defender in January 2018, up from two percent in September 2017.

Download now: IT leader's guide to cyberattack recovery

While coin-mining botnets like Smominru and Wannamine use the NSA's leaked EternalBlue exploit to spread inside networks, Microsoft's researchers have observed a range of other exploit tactics, such as coin-miners that are delivered through so-called DDE or Dynamic Data Exchange Office exploits.

For example, a miner Microsoft detects as Trojan:Win32/CoinMiner is installed via malicious Office documents containing this DDE exploit, which delivers a PowerShell downloader.

"The exploit launches a cmdlet that executes a malicious PowerShell script, Trojan:PowerShell/Maponeir.A, which then downloads the trojanized miner: a modified version of the miner XMRig, which mines Monero cryptocurrency," the Windows Defender researchers said.

Previous and related coverage

Windows security: Microsoft fights massive cryptocoin miner malware outbreak

Microsoft has blocked a malware outbreak that could have earned big bucks for one criminal group.

Windows 10 security: Google exposes how malicious sites can exploit Microsoft Edge

Microsoft misses Google's 90-day deadline, so Google has published details of an exploit mitigation bypass.

Cyber attackers are cashing in on cryptocurrency mining - but here's why they're avoiding bitcoin

Cryptocurrency mining malware has emerged as a key method of criminal hackers making money - so why aren't they targeting the most valuable blockchain-based currency of them all?

Nearly 50,000 websites infected with cryptocurrency mining malware, research finds (TechRepublic)

Criminals have been injecting websites with scripts to mine the Monero cryptocurrency.

Editorial standards