Windows attack: Poisoned BitTorrent client set off huge Dofoil outbreak, says Microsoft

Attackers used a popular BitTorrent client to spread coin-mining malware to over 400,000 PCs in a matter of hours.
Written by Liam Tung, Contributing Writer


The Dofoil outbreak that attempted to infect over 400,000 Windows PCs within hours last week was caused by an attack on an update server that replaced a BitTorrent client called MediaGet with a near-identical but back-doored binary.

The 'MediaGet update poisoning', as Microsoft calls it, explains why the large-scale attempt to spread a cryptocurrency miner predominantly hit PCs in Russia, Turkey, and Ukraine.

Microsoft treats MediaGet as a potentially unwanted application, but in this case the Russian-developed BitTorrent client was a bridge to victims.

As Windows Defender researchers have highlighted, the Dofoil outbreak was a priority because the same attack vector could just as easily have dropped ransomware.


While file-sharing apps can be used to spread malware, Microsoft's researchers noticed this outbreak wasn't coming from torrent downloads and wasn't seen in other file-sharing apps. Instead, malware was coming from the process mediaget.exe.

A "carefully planned attack" was implemented in mid-February, about a fortnight before the malware was distributed, according to Microsoft.

"To set the stage for the outbreak, attackers performed an update poisoning campaign that installed a trojanized version of MediaGet on computers," the Windows Defender Research team wrote.

A signed mediaget.exe from MediaGet's update server downloads a program called update.exe, which installs a new, unsigned mediaget.exe that works like the original except that it contains a backdoor.

Microsoft believes the third-party company whose certificate was used to sign update.exe is likely to be a victim itself. The attackers signed the poisoned update.exe with a different certificate, which was enough to pass the signature validation that the legitimate MediaGet performs on updates.

The trojanized mediaget.exe file is 98 percent identical to the legitimate MediaGet binary. To evade detection, the trojan performs process hollowing on a legitimate explorer.exe process and injects its malware into it.
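The chain described above (signed updater, update.exe signed by a different publisher, unsigned replacement mediaget.exe, explorer.exe spawned for hollowing) can be turned into simple process-telemetry detection rules. This is an added example, not code from Microsoft or MediaGet; the log format, the publisher name in EXPECTED_SIGNER and the sample events are all constructed for illustration.

```python
from typing import NamedTuple, Optional


class ProcEvent(NamedTuple):
    pid: int
    image: str            # executable basename, lower-cased
    parent: str           # parent executable basename, lower-cased
    signed: bool          # Authenticode signature present and valid
    signer: Optional[str]  # subject name of the signing certificate, if any


# Constructed sample events (not real telemetry), one per line:
# pid|image|parent_image|signed(yes/no)|signer
SAMPLE_LOG = """\
1200|explorer.exe|userinit.exe|yes|Microsoft Windows
3104|mediaget.exe|explorer.exe|yes|MediaGet Publisher (placeholder)
3320|update.exe|mediaget.exe|yes|Other Company (placeholder)
3388|mediaget.exe|update.exe|no|
3412|explorer.exe|mediaget.exe|yes|Microsoft Windows
"""

# Placeholder for the publisher expected on legitimate MediaGet binaries.
EXPECTED_SIGNER = "MediaGet Publisher (placeholder)"


def parse_log(text: str) -> list:
    """Parse the pipe-separated sample format into ProcEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pid, image, parent, signed, signer = line.split("|", 4)
        events.append(ProcEvent(int(pid), image.lower(), parent.lower(),
                                signed == "yes", signer or None))
    return events


def detect(events: list) -> list:
    """Return (pid, reason) findings for the update-poisoning chain."""
    findings = []
    for e in events:
        if e.image == "mediaget.exe":
            if not e.signed:
                findings.append((e.pid, "unsigned mediaget.exe: update chain replaced the binary"))
            elif e.signer != EXPECTED_SIGNER:
                findings.append((e.pid, "mediaget.exe signed by an unexpected publisher"))
        # An updater launched by the client but signed by a different publisher
        # is the poisoned update.exe pattern: a valid signature is not enough.
        if e.image == "update.exe" and e.parent == "mediaget.exe" and e.signer != EXPECTED_SIGNER:
            findings.append((e.pid, "update.exe signed by a certificate other than the expected publisher"))
        # Hollowing starts explorer.exe suspended from the malware, so the parent is mediaget.exe.
        if e.image == "explorer.exe" and e.parent == "mediaget.exe":
            findings.append((e.pid, "explorer.exe spawned by mediaget.exe: possible process hollowing"))
    return findings
```

A real deployment would pin the publisher's certificate thumbprint rather than a subject name and read events from Sysmon or EDR telemetry instead of the constructed log.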


The incident was notable to Microsoft because of the effort that went into laying the groundwork for the attack and the advanced techniques it used to conceal and maintain infections.
