Microsoft Blocked More Than 400,000 Malicious Cryptojacking Attempts In One Day

Microsoft’s Windows Defender Antivirus blocked more than 400,000 attempts, over a span of 12 hours, by trojans to infect users with a cryptocurrency miner, according to a Microsoft blog post on March 7.

Windows Defender’s research showed that a little before noon (PST) on March 6, Windows Defender Antivirus began detecting these sophisticated trojans, which are new variants of an application called Dofoil (or Smoke Loader), attempting to inject cryptocurrency mining malware through “advanced cross-process injection techniques, persistence mechanisms, and evasion methods.”

The majority, or 73 percent, of these instances came from Russia, with 18 percent from Turkey and 4 percent from Ukraine.

Even though Dofoil uses a code injection technique that runs crypto mining malware disguised as a legitimate Windows binary, Windows Defender Antivirus behavior monitoring flagged the trojan injections as threats because the binary, wuauclt.exe, generated suspicious network traffic and was running from the wrong location.

Dofoil, which Microsoft describes as the “latest malware family to incorporate coin miners in attacks,” used the NiceHash crypto cloud mining marketplace that supports a variety of cryptocurrencies. Microsoft notes that the samples they inspected mined Electroneum coins.

Cryptojacking has become more prevalent recently, with more than 55 percent of businesses worldwide affected by crypto mining attacks as of January 2018.

In mid-February, a malicious crypto mining script was injected into software for helping blind and partially sighted people go online, affecting more than 5000 websites, including those of the UK government. Earlier in February, malware for mining Monero was discovered to have infiltrated around 7000 Android devices, mainly in China and South Korea.

Microsoft Thwarts Massive Electroneum Mining Malware Campaign

Microsoft’s Windows Defender reportedly managed to prevent a massive Electroneum (ETN) mining campaign from spreading, according to the IT giant. Per the company’s Windows Defender team, the campaign attempted to infect a whopping 400,000 computers during a 12-hour period.

The Redmond-based company revealed that the campaign tried to infect its victims with a variant of Dofoil (known as Smoke Loader), a trojan that downloads malware onto victims’ machines.

Microsoft’s post reads:

“Within the next 12 hours, more than 400,000 instances were recorded, 73% of which were in Russia. Turkey accounted for 18% and Ukraine 4% of the global encounters.”

The company claims it managed to immediately discover the attack thanks to its behavior-based, cloud-powered machine learning models. These, per Microsoft, almost immediately picked up the malware, classified it as a threat, and within minutes started blocking it.

The cryptocurrency miner the attack attempted to get onto victims’ computers reportedly supports NiceHash, meaning it could mine different cryptocurrencies. In this case, the mining malware mined Electroneum.

How the Electroneum mining attack worked

Reports suggest the Dofoil variant attempted to inject malicious code into a legitimate OS process, explorer.exe. Once the malicious code was injected, the malware downloader would proceed to download the cryptocurrency miner, named “coinminer.”

Coinminer itself was masquerading as a Windows binary to avoid raising suspicions. Microsoft’s Windows Defender picked up on it because although it looked legitimate, it was running from the wrong disk location.

Moreover, the miner was generating suspicious traffic, as it was attempting to contact its command and control (C&C) server. The C&C server was located on the decentralized Namecoin network infrastructure, which is known for having other malware families stored in its .bit domains.
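Both articles describe the same two behavioral signals that Windows Defender used: a process carrying the name of a legitimate Windows binary (wuauclt.exe in the first report, explorer.exe named as the injection target in the second) but running from a directory where that binary does not belong, and outbound traffic to a Namecoin .bit domain. The following is an added example, not code from the articles or from Microsoft, showing how a defender can apply those two heuristics to endpoint telemetry. The log record shapes, the expected-directory table, and every sample path, PID and hostname are constructed for this example; the .bit hostname is a placeholder, not a real indicator.

```python
"""
Added example (not from the articles or Microsoft): apply two behavioral
heuristics to constructed endpoint telemetry and correlate them per process.
  1. A known Windows binary name running from outside its expected directory
     (the "running from the wrong location" signal in the articles).
  2. An outbound connection to a Namecoin ".bit" domain (the suspicious
     C&C traffic signal in the articles).
Record formats, field names and sample values are all constructed.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Legitimate binaries named in the articles and where they normally live.
# Directories are stored lower-cased so comparison is case-insensitive,
# matching how Windows treats paths. (Constructed table, not an official list.)
EXPECTED_LOCATIONS = {
    "wuauclt.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
}


@dataclass
class ProcessEvent:
    pid: int
    image_path: str  # full path of the executable that was started


@dataclass
class NetworkEvent:
    pid: int
    dest_host: str
    dest_port: int


def masquerading_process(ev: ProcessEvent):
    """Return a finding if a known binary name runs from an unexpected directory, else None."""
    path = PureWindowsPath(ev.image_path)
    name = path.name.lower()
    expected = EXPECTED_LOCATIONS.get(name)
    if expected is None:
        return None  # not a binary we have an expectation for
    parent = str(path.parent).lower()
    if parent in expected:
        return None
    return f"pid {ev.pid}: {name} running from unexpected location {path.parent}"


def suspicious_destination(ev: NetworkEvent):
    """Return a finding if the connection targets a Namecoin .bit domain, else None."""
    host = ev.dest_host.lower().rstrip(".")  # tolerate a trailing dot (FQDN form)
    if host == "bit" or host.endswith(".bit"):
        return f"pid {ev.pid}: connection to Namecoin domain {ev.dest_host}:{ev.dest_port}"
    return None


def analyze(process_events, network_events):
    """Collect findings keyed by PID so the two signals can be correlated."""
    findings = {}
    for ev in process_events:
        hit = masquerading_process(ev)
        if hit:
            findings.setdefault(ev.pid, []).append(hit)
    for ev in network_events:
        hit = suspicious_destination(ev)
        if hit:
            findings.setdefault(ev.pid, []).append(hit)
    return findings


def high_confidence(findings):
    """PIDs that triggered both heuristics; a single hit alone may be benign."""
    return sorted(pid for pid, hits in findings.items() if len(hits) >= 2)


# Constructed sample telemetry: one legitimate update client, one masquerading
# copy in a user profile that also talks to a .bit domain, one stray explorer.exe,
# and an unrelated application.
SAMPLE_PROCESSES = [
    ProcessEvent(100, r"C:\Windows\System32\wuauclt.exe"),
    ProcessEvent(2048, r"C:\Users\alice\AppData\Roaming\wuauclt.exe"),
    ProcessEvent(3120, r"C:\ProgramData\tmp\explorer.exe"),
    ProcessEvent(4000, r"C:\Program Files\App\app.exe"),
]
SAMPLE_NETWORK = [
    NetworkEvent(100, "update.example", 443),
    NetworkEvent(2048, "c2-placeholder.bit", 80),   # constructed placeholder
    NetworkEvent(3120, "example.com", 443),
]

if __name__ == "__main__":
    result = analyze(SAMPLE_PROCESSES, SAMPLE_NETWORK)
    for pid, hits in sorted(result.items()):
        for line in hits:
            print(line)
    print("high confidence:", high_confidence(result))
```

The per-PID correlation is the point: either signal on its own produces noise (administrators copy binaries around, and a single odd lookup can be a typo), but a misplaced system binary that also reaches out to a .bit domain matches the behavior both articles describe and is worth an immediate response. On a real endpoint the same logic would be fed from Sysmon process-creation and network-connection events or an EDR's equivalent.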

Windows 10, Windows 8.1, and Windows 7 users running Windows Defender are protected against these types of attacks, Microsoft’s post reads. As recently reported, a researcher found nearly 50,000 websites running cryptocurrency mining malware. Users who wish to protect against these will have to use specific software, or browsers like Opera and Brave.

This attack is presumably related to the ongoing cryptojacking trend, in which criminals typically attempt to mine Monero (XMR). The trend has claimed various high-profile victims, including Tesla, which saw its cloud get hacked and used to mine.

As previously covered by Ethereum World News, hackers are even stuffing Monero ransom notes inside distributed denial of service (DDoS) attacks to get their victims to pay them to stop.