agentsferro.blogg.se

Massive torrent pc
On March 7, Microsoft released a report detailing that Windows Defender AV detected and thwarted a massive outbreak of the Dofoil trojan, sometimes referred to as Smoke Loader. The campaign attempted to infect over 400,000 users in a 12-hour window. The campaign targeted mainly Russian users, but instances were also detected in Ukraine and Turkey. Russia made up the vast majority of detected instances with 73%, followed by Turkey with 18% and Ukraine with 4%. On March 13, Microsoft released a follow-up report explaining that the attack was caused by a backdoored Russian-based BitTorrent client named MediaGet.

In the report released on March 7, researchers at Microsoft explained that Windows Defender AV initially flagged the attack's unusual persistence mechanism through behavior monitoring, a system that works in conjunction with machine learning to better detect and prevent malware outbreaks. The AI-based pre-emptive protection provided against this attack is similar to how layered machine learning stopped an Emotet outbreak last month. Microsoft explained that the system worked as follows:

“1. Within milliseconds, multiple metadata-based machine learning models in the cloud started blocking these threats at first sight.
2. Seconds later, our sample-based and detonation-based machine learning models also verified the malicious classification.
3. Within minutes, detonation-based models chimed in and added additional confirmation.
4. Within minutes, an anomaly detection alert notified us about a new potential outbreak.
After analysis, our response team updated the classification name of this new surge of threats to the proper malware families. People affected by these infection attempts early in the campaign would have seen blocks under machine learning names like Fuery, Fuerboos, Cloxer, or Azden. Later blocks show as the proper family names, Dofoil or Coinminer.”

While the response and effective handling of the outbreak is indeed impressive, it is in the researchers' analysis that matters get really interesting. While Dofoil is traditionally considered a trojan, what made this attack unique was that the trojan was coupled with a coin miner. This variant of Dofoil used a code injection technique called process hollowing, which involves spawning a new instance of a legitimate process and then replacing its legitimate code with the malware in question. With this variant, the now hollowed explorer.exe process then spins up a second malicious instance, which drops and runs coin-mining malware masquerading as a legitimate Windows binary, wuauclt.exe.

The miner itself is a customized miner which supports NiceHash. This means that it can mine different cryptocurrencies; the initial samples analyzed mined Electroneum coins. For a coinminer to be successful it has to be persistent and avoid detection, and the miner in this instance modifies the registry in an attempt to remain undetected. To do this, the hollowed explorer.exe process creates a copy of the original malware in the Roaming AppData folder and renames it to ditereah.exe. Once that is complete, it creates a registry key or modifies an existing one to point to the newly created malware copy.
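As an added illustration of the two indicators described above, a Run-key value pointing into the Roaming AppData folder and a wuauclt.exe image executing outside the Windows system directories, the following Python checks constructed endpoint records for both. This is example code written for this page, not Microsoft's analysis tooling; the record layout, the user name and the sample paths are assumptions.

```python
"""Flag the persistence and masquerading behaviour described in the article
over constructed endpoint telemetry (hypothetical record format)."""

# Directories from which a genuine wuauclt.exe would normally run (assumption)
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Legitimate Windows binary name the miner is reported to masquerade as
MASQUERADE_NAMES = {"wuauclt.exe"}


def suspicious_autorun(value_data: str) -> bool:
    """True when a Run-key value targets a file under the user's Roaming AppData."""
    return "\\appdata\\roaming\\" in value_data.lower()


def masquerading_process(image_path: str) -> bool:
    """True when a Windows-named binary executes from outside the system directories."""
    path = image_path.lower()
    name = path.rsplit("\\", 1)[-1]
    return name in MASQUERADE_NAMES and not path.startswith(SYSTEM_DIRS)


def analyse(records):
    """Return (record_id, reason) hits. Records are dicts of two kinds:
    {"type": "registry", "key": ..., "data": ...} and
    {"type": "process", "image": ..., "parent": ...}."""
    hits = []
    for r in records:
        if r["type"] == "registry" and "\\currentversion\\run" in r["key"].lower() \
                and suspicious_autorun(r["data"]):
            hits.append((r["id"], "autorun entry points into Roaming AppData"))
        elif r["type"] == "process" and masquerading_process(r["image"]):
            hits.append((r["id"], "Windows binary name running from a non-system path"))
    return hits


# Constructed sample telemetry: one benign and one suspicious record of each kind
SAMPLE = [
    {"id": 1, "type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "data": r"C:\Users\alice\AppData\Roaming\ditereah.exe"},
    {"id": 2, "type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "data": r"C:\Program Files\OneDrive\OneDrive.exe /background"},
    {"id": 3, "type": "process", "image": r"C:\Windows\System32\wuauclt.exe", "parent": "svchost.exe"},
    {"id": 4, "type": "process", "image": r"C:\Users\alice\AppData\Local\Temp\wuauclt.exe",
     "parent": "explorer.exe"},
]

if __name__ == "__main__":
    for rid, why in analyse(SAMPLE):
        print(f"record {rid}: {why}")
```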