Windows Defender successfully halted a large malware campaign that tried to infect more than 400,000 users. The payload of the campaign was a cryptocurrency miner. The attempt took place on March 6 and continued for 12 hours, Microsoft recently revealed.
Details about the recently detected malware campaign
According to Microsoft, the targeted machines were initially infected with the Dofoil malware, also known as Smoke Loader. As explained by the company, this family of Trojans can download and run other malware on infected hosts; in this case, the downloaded malware was a miner.
Apparently, this is what happened:
Just before noon on March 6 (PST), Windows Defender AV blocked more than 80,000 instances of several sophisticated trojans that exhibited advanced cross-process injection techniques, persistence mechanisms, and evasion methods. Behavior-based signals coupled with cloud-powered machine learning models uncovered this new wave of infection attempts.
The Trojans, which Microsoft found out to be new variants of Dofoil, were distributing a coin (cryptocurrency) miner payload. Within the next 12 hours, more than 400,000 instances were recorded, 73% of which were in Russia, the company said in a blog post. Turkey accounted for 18% and Ukraine 4% of the global encounters, the numbers revealed.
What halted the campaign in such a timely manner was the behavior-based, cloud-powered machine learning models built into Windows Defender. According to Microsoft, these models detected the malware attempts within milliseconds, classified them within seconds, and blocked them within minutes.
“People affected by these infection attempts early in the campaign would have seen blocks under machine learning names like Fuery, Fuerboos, Cloxer, or Azden. Later blocks show as the proper family names, Dofoil or Coinminer,” Microsoft stated.
How did the attack happen?
The latest Dofoil variant injected malicious code into a legitimate OS process, explorer.exe. Upon success, the injected code would launch a second explorer.exe process designed to download and run a cryptocurrency miner. The miner itself was disguised as a legitimate Windows binary, wuauclt.exe (the Windows Update client).
Fortunately, Windows Defender quickly detected the whole chain of activities as malicious because the wuauclt.exe binary was running from the wrong disk location.
In addition, the binary generated suspicious network traffic as the miner tried to reach its command-and-control server, which was hosted on the decentralized Namecoin network.
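The two host-side tells described above, the update client running from the wrong directory and one explorer.exe spawning another, expressed as a small detection rule over constructed process-creation events (an added example, not Microsoft's detection logic; the expected directories, the event fields and the sample events are assumptions):

```python
"""Flag process-creation events where a well-known Windows binary runs from
an unexpected directory, or where explorer.exe is spawned by explorer.exe.
All events below are constructed for this example."""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Assumption: the only legitimate on-disk locations for these images.
EXPECTED_DIRS = {
    "wuauclt.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
}

@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str          # full path of the created process
    parent_image: str   # full path of the parent process

def _name(path: str) -> str:
    return PureWindowsPath(path).name.lower()

def _dir(path: str) -> str:
    return str(PureWindowsPath(path).parent).lower()

def check_event(ev: ProcEvent) -> list[str]:
    """Return human-readable findings for one event (empty list if clean)."""
    findings = []
    name = _name(ev.image)
    expected = EXPECTED_DIRS.get(name)
    # Rule 1: a known system binary launched from outside its expected directory.
    if expected is not None and _dir(ev.image) not in expected:
        findings.append(f"{name} launched from unexpected directory {_dir(ev.image)}")
    # Rule 2: explorer.exe started by another explorer.exe (injected loader chain).
    if name == "explorer.exe" and _name(ev.parent_image) == "explorer.exe":
        findings.append("explorer.exe spawned by explorer.exe (possible injected loader)")
    return findings

def scan(events: list[ProcEvent]) -> dict[int, list[str]]:
    """Map pid -> findings for every event that triggered at least one rule."""
    return {ev.pid: f for ev in events if (f := check_event(ev))}

# Constructed sample: a normal update client and logon shell, then a chain
# shaped like the one described in the article.
SAMPLE_EVENTS = [
    ProcEvent(1001, r"C:\Windows\System32\wuauclt.exe", r"C:\Windows\System32\svchost.exe"),
    ProcEvent(1002, r"C:\Windows\explorer.exe", r"C:\Windows\System32\userinit.exe"),
    ProcEvent(2001, r"C:\Windows\explorer.exe", r"C:\Windows\explorer.exe"),
    ProcEvent(2002, r"C:\Users\alice\AppData\Roaming\wuauclt.exe", r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for pid, findings in scan(SAMPLE_EVENTS).items():
        print(pid, *findings, sep="\n  ")
```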
The miner was attempting to mine the Electroneum cryptocurrency, Microsoft said. Fortunately, Windows 10, Windows 8.1, and Windows 7 systems running Windows Defender or Microsoft Security Essentials were automatically protected.