The Dofoil outbreak that attempted to infect over 400,000 Windows PCs within hours last week was caused by an attack on an update server that replaced a BitTorrent client called MediaGet with a near-identical but back-doored binary.
The 'MediaGet update poisoning', as Microsoft calls it, explains why the large-scale attempt to spread a cryptocurrency miner predominantly hit PCs in Russia, Turkey, and Ukraine.
Microsoft treats MediaGet as a potentially unwanted application, but in this case the Russian-developed BitTorrent client was a bridge to victims.
While file-sharing apps can be used to spread malware, Microsoft's researchers noticed this outbreak wasn't coming from torrent downloads and wasn't seen in other file-sharing apps. Instead, malware was coming from the process mediaget.exe.
A "carefully planned attack" was implemented in mid-February, about a fortnight before the malware was distributed, according to Microsoft.
"To set the stage for the outbreak, attackers performed an update poisoning campaign that installed a trojanized version of MediaGet on computers," the Windows Defender Research team wrote.
A signed mediaget.exe fetches, from MediaGet's update server, a program called update.exe, which installs a new, unsigned mediaget.exe that works like the original except that it contains a backdoor.
Microsoft believes the third-party company that signed update.exe is likely to be a victim itself. The attackers signed the poisoned update.exe with a different certificate so that it would pass the signature validation required by the legitimate MediaGet client.
The trojanized mediaget.exe is 98 percent identical to the legitimate MediaGet binary. To evade detection, the trojan performs process hollowing on the legitimate explorer.exe process and injects its malware into it.
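The chain described above (an updater signed by a different publisher spawned by the client, the client relaunched without its signature, and explorer.exe started by the client for hollowing) is visible in process-creation telemetry. The following Python is an added example, not Microsoft's or MediaGet's code; the event records, field names and signer labels are constructed, and the set of normal explorer.exe parents is an assumption.

```python
"""Flag MediaGet-style update poisoning in process-creation events.

Added illustrative code; event records and signer labels are constructed,
and the expected parents of explorer.exe are an assumption.
"""

# Constructed events in time order. signer=None means the binary carried
# no valid Authenticode signature.
EVENTS = [
    {"pid": 100, "image": "mediaget.exe", "parent": "explorer.exe", "signer": "VendorA"},
    {"pid": 101, "image": "update.exe",   "parent": "mediaget.exe", "signer": "VendorB"},
    {"pid": 102, "image": "mediaget.exe", "parent": "update.exe",   "signer": None},
    {"pid": 103, "image": "explorer.exe", "parent": "mediaget.exe", "signer": "Microsoft"},
]

UPDATER_NAMES = {"update.exe", "updater.exe"}          # assumed updater names
EXPLORER_PARENTS = {"userinit.exe", "winlogon.exe", "explorer.exe"}  # assumed


def find_update_poisoning(events):
    """Return (pid, reason) findings for the three indicators in the write-up."""
    baseline = {}      # image -> signer seen on its first signed launch
    last_signer = {}   # image -> signer of its most recent launch
    findings = []
    for ev in events:
        pid, image, parent, signer = ev["pid"], ev["image"], ev["parent"], ev["signer"]
        # Rule 1: a binary that used to be signed now runs unsigned or
        # under another publisher (the replaced mediaget.exe).
        if image in baseline and signer != baseline[image]:
            findings.append((pid, f"{image} signer changed {baseline[image]!r} -> {signer!r}"))
        elif image not in baseline and signer is not None:
            baseline[image] = signer
        # Rule 2: an updater whose signer differs from the app that launched it
        # (the poisoned update.exe passed validation with a foreign certificate).
        parent_signer = last_signer.get(parent)
        if image in UPDATER_NAMES and parent_signer and signer != parent_signer:
            findings.append((pid, f"{image} signed by {signer!r}, parent {parent} by {parent_signer!r}"))
        # Rule 3: explorer.exe created by an unexpected parent, the pattern a
        # process-hollowing loader produces.
        if image == "explorer.exe" and parent not in EXPLORER_PARENTS:
            findings.append((pid, f"explorer.exe spawned by {parent}"))
        last_signer[image] = signer
    return findings


if __name__ == "__main__":
    for pid, reason in find_update_poisoning(EVENTS):
        print(pid, reason)
```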
The incident was notable to Microsoft because of the effort that went into laying the groundwork for the attack and the advanced techniques it used to conceal and maintain infections.