Numerous variants of the trojan Dofoil repeatedly attempted to infect Microsoft Windows systems on Tuesday, trying to install a cryptocurrency miner.
On Wednesday, Microsoft reported a defensive victory over the fast-moving campaign. Across a single morning, its Windows Defender Antivirus blocked over 80,000 instances of various sophisticated Trojans “that exhibited advanced cross-process injection techniques, persistence mechanisms, and evasion methods”. The infection attempts were uncovered within milliseconds, according to Microsoft, through a combination of cloud-powered machine learning models and in-house behaviour monitoring. Over the next 12 hours, more than 400,000 further instances were recorded, 73% of which occurred in Russia, 18% in Turkey and 4% in Ukraine.
The malware known as Dofoil, which also goes by the name “Smoke Loader” in some cybersecurity circles, was carrying a coin miner payload. If it successfully infects a computer’s operating system, it can then use the computer’s CPU power to mine for digital cash. The coin it mines is known as Electroneum. Once installed on a system, Dofoil and its variants can connect to a hacker’s command-and-control (C&C) server and listen for fresh commands, including the installation of more malware.
Criminals are increasingly turning to coin miners over ransomware because they are an easier method of attack which, if successful, can go undetected by the computer’s user for a long time.
In its blog post, Microsoft said, “Exploit kits are now delivering coin miners instead of ransomware. Scammers are adding coin mining scripts in tech support scam websites. And certain banking trojan families added coin mining behavior.”
Security experts say that this strain has been in existence since 2011, when an early version was first discovered for sale on an underground marketplace. However, Dofoil recently made headlines when Malwarebytes discovered it disguising itself as a patch for Spectre and Meltdown, the major flaws that exist in almost every computer processor in use.
“Online criminals are notorious for taking advantage of publicized events and rapidly exploiting them, typically via phishing campaigns,” Malwarebytes wrote in its advisory. “This particular one is interesting because people were told to apply a patch, which is exactly what the crooks are offering under disguise.”
The culprits behind the latest hacking scheme involving Dofoil are unknown. Microsoft has not responded to requests for comment.