Microsoft has blocked a rapidly spreading malware outbreak that could have infected nearly 500,000 Windows PCs within hours on March 6.
The trojan, known as Dofoil or Smoke Loader, is a loader designed to deliver a range of payloads. In this case it dropped a cryptocurrency miner on infected PCs to earn its operators Electroneum coins using the victims' CPUs.
Microsoft's Windows Defender antivirus initially detected 80,000 instances of several trojan variants carrying this payload at noon PST on March 6. In the following 12 hours, Windows Defender recorded more than 400,000 encounters with the trojan, predominantly in Russia, but also in Turkey and Ukraine.
Microsoft said the Dofoil trojan uses a technique called 'process hollowing' against the legitimate explorer.exe binary: it starts a new instance of the legitimate executable in a suspended state, replaces the code in that process's memory with malicious code, and then resumes it, so the malware runs under the name and path of a trusted Windows process.
"The hollowed explorer.exe process then spins up a second malicious instance, which drops and runs a coin-mining malware masquerading as a legitimate Windows binary, wuauclt.exe," said Mark Simos, a cybersecurity architect at Microsoft.
Kaspersky researchers observed sophisticated attackers using the process-hollowing technique to deliver miners that earned them millions of dollars in the second half of 2017.
Process hollowing is useful to attackers because the malicious code executes inside what looks like a legitimate, trusted process, so antivirus relying on file scanning or process names often mistakes it for harmless software. Kaspersky said victims are typically infected after downloading legitimate-looking software.
To persist on an infected PC, Dofoil modifies the Windows registry after hollowing explorer.exe.
"The hollowed explorer.exe process creates a copy of the original malware in the Roaming AppData folder and renames it to ditereah.exe. It then creates a registry key or modifies an existing one to point to the newly created malware copy. In the sample we analyzed, the malware modified the OneDrive Run key," wrote Simos.
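The persistence described above is one a defender can audit directly. The script below is an added example, not Microsoft's code or anything from the Dofoil analysis: it reads the per-user Run key (on Windows, via the standard winreg module) or a list of constructed entries, and flags two things: an executable dropped directly under the Roaming AppData folder, as ditereah.exe is, and a well-known entry name (here OneDrive) that no longer points to its expected binary. The expected OneDrive path is an assumed baseline, not something the article states.

```python
import re
from typing import List, NamedTuple, Tuple


class Finding(NamedTuple):
    name: str      # Run value name, e.g. "OneDrive"
    exe: str       # executable the value launches (lower-cased)
    reason: str


# Assumed baseline (not from the article): where well-known Run entries should point.
# Compared as a suffix so the user profile directory does not matter.
EXPECTED = {
    "onedrive": r"\appdata\local\microsoft\onedrive\onedrive.exe",
}

# A binary sitting directly under %APPDATA% (Roaming) with nothing but a file name,
# which is exactly where Dofoil's ditereah.exe was written.
ROAMING_DROP = re.compile(r"\\appdata\\roaming\\[^\\]+\.exe$")


def exe_from_command(value: str) -> str:
    """Extract the executable path from a Run value (quoted, or cut at the first '.exe')."""
    v = value.strip()
    if v.startswith('"'):
        end = v.find('"', 1)
        return v[1:end] if end > 0 else v[1:]
    m = re.match(r"(.*?\.exe)\b", v, re.IGNORECASE)
    return m.group(1) if m else v.split()[0]


def audit_run_entries(entries: List[Tuple[str, str]]) -> List[Finding]:
    findings = []
    for name, value in entries:
        exe = exe_from_command(value).lower()
        if ROAMING_DROP.search(exe):
            findings.append(Finding(name, exe, "executable sits directly under Roaming AppData"))
        expected = EXPECTED.get(name.lower())
        if expected and not exe.endswith(expected):
            findings.append(Finding(name, exe, f"'{name}' no longer points to ...{expected}"))
    return findings


def read_hkcu_run() -> List[Tuple[str, str]]:
    """Read the live HKCU Run key. Only works on Windows (winreg does not exist elsewhere)."""
    import winreg
    path = r"Software\Microsoft\Windows\CurrentVersion\Run"
    entries, i = [], 0
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path) as key:
        while True:
            try:
                name, value, _ = winreg.EnumValue(key, i)
            except OSError:      # no more values
                break
            entries.append((name, str(value)))
            i += 1
    return entries


# Constructed sample entries, not a real registry export. The first one mimics the
# repointed OneDrive key from the analysis.
SAMPLE_ENTRIES = [
    ("OneDrive", r'"C:\Users\alice\AppData\Roaming\ditereah.exe"'),
    ("SecurityHealth", r"%windir%\system32\SecurityHealthSystray.exe"),
    ("Vendor Updater", r'"C:\Program Files\Vendor\updater.exe" --quiet'),
]

if __name__ == "__main__":
    try:
        entries = read_hkcu_run()
    except ImportError:          # not on Windows: fall back to the constructed sample
        entries = SAMPLE_ENTRIES
    for f in audit_run_entries(entries):
        print(f"[!] {f.name}: {f.exe} ({f.reason})")
```

On the sample data only the OneDrive entry trips, on both rules. Against a live system, extend EXPECTED with the other Run entries you consider normal on your image; the Roaming-drop rule alone is a useful hunt, but any user-writable directory (Local AppData, Temp, Downloads) deserves the same scrutiny.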
Cryptocurrency mining may be even more lucrative for attackers than 2017's main menace, file-encrypting ransomware. A key advantage of coin miners is that there is less risk of an infection failing to pay off, according to Renato Marinho, chief research officer at Morphus Labs.
Marinho in January discovered attackers exploiting vulnerable Oracle WebLogic servers and, while they could have installed ransomware or a data stealer, they opted to exclusively use the compromised servers to mine Monero, earning them over $200,000 in a matter of months.
"In my opinion, they are probably shifting from ransomware to mining as, with ransomware, they do not have guarantees that they will receive the ransom, while miners do not call much attention," Marinho told ZDNet.
The WebLogic attack was relatively small scale compared with another campaign Marinho discovered in January, which had used a network of compromised machines to generate 4,273 Monero, at the time worth around $1.7m and today worth $1.3m.
Despite Dofoil masquerading as legitimate Windows binaries, Microsoft's Simos said its cloud machine-learning models for metadata analysis detected the first infections "within milliseconds".
"Even though it uses the name of a legitimate Windows binary, it's running from the wrong location. The command line is anomalous compared to the legitimate binary. Additionally, the network traffic from this binary is suspicious," he said.
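The three signals Simos lists (wrong location, anomalous command line, odd behaviour) can be expressed as rules over process-creation telemetry. The script below is an added example, not Microsoft's detection logic: it runs those rules over constructed Sysmon-style process-creation records and returns, per process, the reasons it looks like a masquerading binary. The expected directories, the expected parent of wuauclt.exe (svchost.exe, since the Windows Update service runs inside it) and the command-line heuristic are all assumed baselines, not details given in the article.

```python
import ntpath
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ProcEvent:
    """One process-creation record with Sysmon event 1 style fields."""
    pid: int
    image: str          # full path of the new process
    cmdline: str
    parent_image: str   # full path of the parent process


# Assumed baseline (not from the article): where these Windows binaries normally live.
EXPECTED_DIR = {
    "wuauclt.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}
# Assumed baseline: wuauclt.exe is normally launched by the Windows Update service,
# which is hosted in svchost.exe. A hollowed explorer.exe spawning it is not that.
EXPECTED_PARENT = {"wuauclt.exe": "svchost.exe"}


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def check_event(ev: ProcEvent) -> List[str]:
    """Return the reasons this event looks like a masquerading process (empty if none)."""
    reasons = []
    name = _base(ev.image)
    actual_dir = ntpath.dirname(ev.image.lower())

    # Rule 1: legitimate binary name, wrong directory.
    expected_dir = EXPECTED_DIR.get(name)
    if expected_dir and actual_dir != expected_dir:
        reasons.append(f"{name} runs from {actual_dir}, expected {expected_dir}")

    # Rule 2: anomalous command line. Heuristic (assumed): Windows Update launches
    # wuauclt.exe with a leading '/' switch; a bare invocation is not how it is used.
    if name == "wuauclt.exe":
        args = ev.cmdline.split()[1:]
        if not args or not args[0].startswith("/"):
            reasons.append(f"unusual command line {ev.cmdline!r}")

    # Rule 3: unexpected parent process.
    expected_parent = EXPECTED_PARENT.get(name)
    if expected_parent and _base(ev.parent_image) != expected_parent:
        reasons.append(f"{name} spawned by {_base(ev.parent_image)}, expected {expected_parent}")
    return reasons


def hunt(events: List[ProcEvent]) -> Dict[int, List[str]]:
    """Map pid -> reasons for every event that trips at least one rule."""
    hits = {}
    for ev in events:
        reasons = check_event(ev)
        if reasons:
            hits[ev.pid] = reasons
    return hits


# Constructed sample telemetry, not real captures: a genuine Windows Update client,
# a normal explorer.exe, and a miner named wuauclt.exe started from Temp by explorer.exe.
SAMPLE_EVENTS = [
    ProcEvent(4120, r"C:\Windows\System32\wuauclt.exe",
              "wuauclt.exe /UpdateDeploymentProvider UpdateDeploymentProvider.dll /RunHandlerComServer",
              r"C:\Windows\System32\svchost.exe"),
    ProcEvent(5208, r"C:\Windows\explorer.exe", r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\userinit.exe"),
    ProcEvent(6644, r"C:\Users\alice\AppData\Local\Temp\wuauclt.exe", "wuauclt.exe",
              r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for pid, reasons in hunt(SAMPLE_EVENTS).items():
        print(f"pid {pid}:")
        for r in reasons:
            print(f"  - {r}")
```

Only the third record trips, and it trips all three rules, which is the point: each signal alone has benign explanations, but a System32 binary name running from a user-writable directory, with no switches, under a parent that never launches it, is a strong combined indicator. The network signal Simos mentions would be a fourth rule over network-connection events (wuauclt.exe should only talk HTTP/HTTPS to update endpoints), which needs telemetry this sample does not include.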