Microsoft said it discovered and stopped a large attack that attempted to use variants of the Dofoil, or Smoke Loader, trojan to spread a cryptocurrency miner.
The campaign was first seen on March 6, Microsoft said, when its Windows Defender Antivirus blocked 80,000 attacks that it described as exhibiting advanced cross-process injection techniques, persistence mechanisms, and evasion methods. In total, more than 400,000 instances were recorded, with the vast majority, 73 percent, hitting Russians; Turkey, at 18 percent, and Ukraine, at 4 percent, were the other main targets.
What initially gave the attack away was its unusual persistence mechanism, which was tracked through Defender's behavior monitoring, Microsoft wrote.
The initial attack started with the trojan performing process hollowing on explorer.exe. Process hollowing is a code injection technique that involves spawning a new instance of a legitimate process and then replacing the legitimate code with malware. Once this is completed, a second process comes online that drops the miner, which, as part of its camouflage, appears to be the legitimate Windows binary wuauclt.exe.
The miner is multifaceted, capable of generating a variety of cryptocurrencies, but in this case it was mining Electroneum, Microsoft said.
To maintain persistence, researchers saw that Dofoil modifies the registry and uses the hollowed explorer.exe process to create a copy of the malware in the Roaming AppData folder, renamed to ditereah.exe. It then creates a new registry key, or modifies an existing one, to point to the newly created copy of the malware.
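A hunt for the two traits described above (a wuauclt.exe look-alike running from anywhere but System32, and an autorun value that points into the Roaming AppData folder), as an added example that is not from Microsoft's write-up; the event layout and the user paths in the sample data are assumptions, not observed indicators.

```python
"""Flag Dofoil-style masquerade and persistence traits in constructed telemetry."""
import ntpath
import re

# The genuine Windows Update client lives here; a copy elsewhere is suspect.
LEGIT_WUAUCLT_DIR = r"c:\windows\system32"
ROAMING_RE = re.compile(r"\\appdata\\roaming\\", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\currentversion\\run(once)?\\", re.IGNORECASE)


def check_process(event):
    """Flag a process named wuauclt.exe whose image is not in System32."""
    image = event["image"]
    if ntpath.basename(image).lower() != "wuauclt.exe":
        return None
    if ntpath.dirname(image).lower() == LEGIT_WUAUCLT_DIR:
        return None
    return f"wuauclt.exe masquerade: {image} (parent {event['parent']})"


def check_registry(event):
    """Flag a Run/RunOnce value whose data points into Roaming AppData."""
    if not RUN_KEY_RE.search(event["key"]) or not ROAMING_RE.search(event["data"]):
        return None
    return f"Run-key persistence into Roaming AppData: {event['key']} -> {event['data']}"


def hunt(events):
    """Return one finding string per suspicious event, in input order."""
    findings = []
    for e in events:
        hit = check_process(e) if e["type"] == "process" else check_registry(e)
        if hit:
            findings.append(hit)
    return findings


# Constructed sample events (assumed layout; file names follow the write-up).
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\wuauclt.exe",
     "parent": r"C:\Windows\System32\svchost.exe"},
    {"type": "process", "image": r"C:\Users\alice\AppData\Roaming\wuauclt.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ditereah",
     "data": r"C:\Users\alice\AppData\Roaming\ditereah.exe"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "data": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

Only the second process event and the ditereah Run value are reported; the genuine System32 client and the AppData\Local autorun pass.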
Instructions are received through command and control servers, which Microsoft said used the Namecoin network infrastructure. Namecoin.org states that Namecoin is an experimental open-source technology that improves the decentralization, security, censorship resistance, privacy, and speed of certain components of the Internet infrastructure, such as DNS and identities. The creator lists several other uses for Namecoin.