Microsoft’s Windows Defender Antivirus has blocked an attack of more than 400,000 attempts over a span of 12 hours for trojans to infect users with a cryptocurrency miner, according to a Microsoft blog post on March 7.
Windows Defender’s research showed that a little before noon (PST) on March 6, Windows Defender Antivirus began detecting these sophisticated trojans, which are new variants of an application called Dofoil (or Smoke Loader), attempting to inject cryptocurrency mining malwares through “advanced cross-process injection techniques, persistence mechanisms, and evasion methods.”
The majority, or 73 percent, of these instances came from Russia, with 18 percent from Turkey and 4 percent from Ukraine.
Even though Dofoil uses a code injection technique that runs crypto mining malware disguised as a legitimate Windows binary, Windows Defender Antivirus behavior monitoring flagged trojan injections as threats because the network traffic from this binary, wuauclt.exe, is suspicious as well as running from the wrong location.
Dofoil, which Microsoft describes as the “latest malware family to incorporate coin miners in attacks,” used the NiceHash crypto cloud mining marketplace that supports a variety of cryptocurrencies. Microsoft notes that the samples they inspected mined Electroneum coins.
Cryptojacking has become more prevalent recently, with more than 55 percent of businesses worldwide affected by crypto mining attacks as of January 2018.
In mid-February, a malicious crypto mining script was injected into software for helping blind and partially-sighted people go online, affecting more than 5000 websites, including those of the UK government. Earlier in February, a malware for mining Monero was discovered to have infiltrated around 7000 Android devices mainly in China and South Korea.