Disruption of a large-scale hacker attack on Windows users in Russia: part 2

Original author: Windows Defender Research
  • Translation
Recently, we stopped a massive attack that used the Dofoil Trojan to install cryptocurrency-mining malware on hundreds of thousands of computers. Thanks to behavioral monitoring, machine learning models and a layered protection system, Windows Defender antivirus was able to detect and block the attack within milliseconds.

Today we describe the attack itself and the infection chain in more detail, and share the timeline. Details below the cut.

Immediately after detecting the attack, we were able to determine where the massive number of malware installation attempts originated. The Dofoil Trojan (also known as Smoke Loader) is typically distributed in a variety of ways, including spam messages and exploit kits. The attack that began on March 6 used a different scheme: most of the malicious files were created by the mediaget.exe process.

This process belongs to MediaGet, a BitTorrent client that falls under our classification of potentially unwanted applications (PUA). Users often use MediaGet to search for and download programs and media files from sites of dubious reputation. Using such file-sharing applications increases the risk of downloading malware.

However, after studying the attack, we concluded that the Dofoil coin-miner infections were not related to torrent downloads. We had not previously observed such a scheme in other file-sharing applications. The mediaget.exe process always wrote the Dofoil samples to the %TEMP% folder under the name my.dat. The most common source of infection was the file %LOCALAPPDATA%\MediaGet2\mediaget.exe (SHA-1: 3e0ccd9fa0a5c40c2abb40ed6730556e3d36af3c).

Recommended reading: for statistics on the attack, useful details and Windows Defender response data, see the article Disrupting a large-scale hacker attack on Windows users in Russia.

Timeline of the attack

A comprehensive study of the Dofoil attack launched on March 6 revealed a carefully planned campaign that the attackers had been preparing since mid-February. To carry out the plan, the attackers first distributed the malware through a trojanized update of the MediaGet program, which users installed on their computers. The timeline below shows the main events of the Dofoil attack.

Fig. 1. Timeline of the attack via MediaGet

MediaGet software update infection

The poisoning of the MediaGet update process, which eventually led to the mass attack, is shown in the following diagram. The trusted mediaget.exe application downloads the executable update.exe and runs it on the computer to install a new mediaget.exe instance. The new mediaget.exe has the same functionality as the genuine one, but it contains a backdoor.

Fig. 2. Update poisoning process

The entire installation procedure for the trojanized update file is observed by the Windows Defender ATP service. The following process tree shows how the mediaget.exe process drops the trojanized, signed update.exe file.

Fig. 3. Detection of malicious update process in Windows Defender ATP

Infected update.exe file

The downloaded update.exe is an InnoSetup SFX executable with the trojanized mediaget.exe embedded in it. When launched, this executable drops the unsigned, trojanized version of mediaget.exe.

Fig. 4. Certificate data of the infected update.exe file

update.exe is signed by a third-party software company that has no relation to MediaGet (the company is most likely itself a victim of the attackers). The file carries a different code-signing certificate, which is enough to satisfy the same signature-validity requirement that the original mediaget.exe meets. The update code examines the certificate data to confirm that the file is validly and properly signed, but not which publisher signed it. If the signature checks out, the code compares the file hash against the value obtained from a hash server in the mediaget.com infrastructure. The following illustration shows the code snippet that checks for a valid signature on update.exe.

Fig. 5. Update verification code in mediaget.exe

Trojan-infected mediaget.exe file

The Trojan-infected mediaget.exe, detected by Windows Defender AV as Trojan:Win32/Modimer.A, has the same functionality as the original file but is unsigned and contains a backdoor. The malicious binary is 98% identical to the original MediaGet binary. Its PE data shows a different PDB path and a different build file path, as the following comparison illustrates.

Fig. 6. Comparison of the PDB paths of a signed and Trojan-infected executable file

When the malware runs, it builds a list of command-and-control (C&C) servers.

Fig. 7. List of C&C servers

Regarding the embedded C&C list, it is worth noting that the .bit top-level domain is not sanctioned by ICANN; it is served by the NameCoin infrastructure. NameCoin is a distributed alternative-root DNS system built on blockchain principles, and it provides anonymous domains. Because .bit names are not resolved by standard DNS servers, the malware embeds a list of 71 IPv4 addresses that it uses as NameCoin DNS servers.

The malware then queries these NameCoin servers to resolve the .bit domains. From that moment the names are held in the computer's DNS cache, and subsequent lookups are answered from the cache without contacting the NameCoin DNS servers.

The first call to the C&C server occurs one hour after the program starts.

Fig. 8. Timer for the first connection to the C&C server

The malware selects one of the four C&C servers and uses HTTP for its command-and-control traffic.

Fig. 9. Connection to the C&C server.

The backdoor code collects information about the system and sends it to the C&C server in a POST request.

Fig. 10. System Information

The C&C server returns various commands to the client. The following response contains the HASH, IDLE and OK commands. The IDLE command makes the process wait for a given period (in seconds; for example, 7200 seconds = 2 hours) before contacting the C&C server again.

Fig. 11. C&C commands

One of the backdoor commands is RUN, which takes a URL as its argument from the C&C server. The malware downloads the file from that URL, saves it as %TEMP%\my.dat and launches it.

Fig. 12. RUN command processing code

This RUN command was used to distribute the Dofoil Trojan from March 1 and during the March 6 attack. The Windows Defender ATP alert process tree shows the communication between the malicious mediaget.exe process and goshan.online, one of the confirmed C&C servers. The program then drops and runs my.dat (Dofoil), which ultimately leads to the CoinMiner component.

Fig. 13. Dofoil downloading and executing the CoinMiner process

Fig. 14. Windows Defender ATP alert process tree

In this attack, the Dofoil Trojan was used to deliver CoinMiner malware, whose task is to use the resources of users' computers to mine cryptocurrency for the attackers. During the attack, Dofoil used sophisticated process injection techniques, persistence mechanisms and detection evasion methods. Windows Defender ATP detects this behavior at every stage of the infection.

Fig. 15. Detection of Dofoil process injection in Windows Defender ATP

We reported the results of our research to the MediaGet developers to help them correctly analyze the incident.

We also informed the certificate holders of how their code-signing certificate was abused by the attackers in the update.exe file (fingerprint: 5022EFCA9E0A9022AB0CA6031A78F66528848568).

Real-time virus protection

The carefully planned and long-prepared Dofoil campaign discovered on March 6 is a prime example of the multi-stage cyberattacks that are increasingly common today. Commodity cybercrime now uses more and more sophisticated techniques that were previously associated with advanced, targeted attacks. Windows Defender Advanced Threat Protection (Windows Defender ATP) provides an advanced set of next-generation security tools that protect customers in real time from a wide variety of attacks.

Enterprise customers running Windows Defender AV with potentially unwanted application (PUA) protection enabled were protected from the trojanized MediaGet software that turned out to be the source of the March 6 outbreak.

Windows Defender AV provides reliable protection for customers against Dofoil attacks. Behavioral monitoring and analysis technologies flagged the unusual Dofoil persistence mechanism and immediately sent a signal to the cloud protection service, where numerous machine learning models blocked most of the detected instances at first sight.

A comprehensive analysis of the attack also showed that the advanced detection libraries in Windows Defender ATP flagged malicious Dofoil behavior at every stage of the infection. This malicious behavior includes code injection, evasion techniques and the dropping of cryptocurrency-mining components. Security professionals can use the Windows Defender ATP platform to detect attacks and respond to them effectively. Windows Defender ATP also integrates the protection built into Windows Defender AV, Windows Defender Exploit Guard and Windows Defender Application Guard, providing seamless security management across the stack.

Indicators of Compromise (IOCs)

File name    | SHA-1                                    | Description                              | Signer                        | Signing date       | Detection name
mediaget.exe | 1038d32974969a1cc7a79c3fc7b7a5ab8d14fd3e | Official mediaget.exe executable         | GLOBAL MICROTRADING PTE. LTD. | 2:04 PM 10/27/2017 | PUA:Win32/MediaGet
mediaget.exe | 4f31a397a0f2d8ba25fdfd76e0dfc6a0b30dabd5 | Official mediaget.exe executable         | GLOBAL MICROTRADING PTE. LTD. | 4:24 PM 10/18/2017 | PUA:Win32/MediaGet
update.exe   | 513a1624b47a4bca15f2f32457153482bedda640 | Trojan-infected update executable        | DEVELTEC SERVICES SA DE CV    | -                  | Trojan:Win32/Modimer.A
mediaget.exe |                                          | Trojan-infected mediaget.exe executable  | Not signed                    | -                  | Trojan:Win32/Modimer.A
my.dat       | d84d6ec10694f76c56f6b7367ab56ea1f743d284 | Embedded malicious executable            | -                             | -                  | TrojanDownloader:Win32/Dofoil.AB
wuauclt.exe  | 88eba5d205d85c39ced484a3aa7241302fd815e3 | Embedded CoinMiner program               | -                             | -                  | Trojan:Win32/CoinMiner.D
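As an added example (not code from the original article, Microsoft or MediaGet), the following PowerShell hunting script ties the IOC table, the signature-check weakness and the DNS-cache observation together: it checks the paths and SHA-1 hashes named in the article, flags files signed with the abused certificate, applies the stricter "valid signature from the expected publisher" check that the update verification described above lacks, and looks for the .bit names the malware leaves in the local DNS cache. The update.exe drop location is an assumption; the hashes, paths, publisher name and certificate fingerprint are those given in the article.

```powershell
# Added hunting script (not from the original article, Microsoft or MediaGet).
# Hashes, paths, publisher name and certificate fingerprint come from the article;
# the update.exe location is an assumption, marked below.

# SHA-1 -> detection name, from the article's IOC table and text
$KnownBad = @{
    '513A1624B47A4BCA15F2F32457153482BEDDA640' = 'update.exe / Trojan:Win32/Modimer.A'
    '3E0CCD9FA0A5C40C2ABB40ED6730556E3D36AF3C' = 'mediaget.exe / Trojan:Win32/Modimer.A'
    'D84D6EC10694F76C56F6B7367AB56EA1F743D284' = 'my.dat / TrojanDownloader:Win32/Dofoil.AB'
    '88EBA5D205D85C39CED484A3AA7241302FD815E3' = 'wuauclt.exe / Trojan:Win32/CoinMiner.D'
}
$AbusedCertThumbprint = '5022EFCA9E0A9022AB0CA6031A78F66528848568'  # certificate misused to sign update.exe
$ExpectedPublisher    = 'GLOBAL MICROTRADING'                          # signer of the genuine mediaget.exe

$Candidates = @(
    (Join-Path $env:LOCALAPPDATA 'MediaGet2\mediaget.exe'),
    (Join-Path $env:LOCALAPPDATA 'MediaGet2\update.exe'),  # assumed drop location, not stated in the article
    (Join-Path $env:TEMP 'my.dat')
)

foreach ($Path in $Candidates) {
    if (-not (Test-Path -LiteralPath $Path)) { continue }
    $Sha1  = (Get-FileHash -LiteralPath $Path -Algorithm SHA1).Hash
    $Sig   = Get-AuthenticodeSignature -LiteralPath $Path
    $Thumb = if ($Sig.SignerCertificate) { $Sig.SignerCertificate.Thumbprint } else { '' }
    $Findings = @()
    if ($KnownBad.ContainsKey($Sha1))     { $Findings += "hash matches $($KnownBad[$Sha1])" }
    if ($Thumb -eq $AbusedCertThumbprint) { $Findings += 'signed with the abused certificate' }
    if ($Path -like '*\mediaget.exe') {
        # The update check in the article only asks whether the signature is valid;
        # also require that the valid signature belongs to the expected publisher.
        if ($Sig.Status -ne 'Valid') {
            $Findings += "signature status $($Sig.Status)"
        } elseif ($Sig.SignerCertificate.Subject -notmatch $ExpectedPublisher) {
            $Findings += "unexpected signer: $($Sig.SignerCertificate.Subject)"
        }
    }
    [pscustomobject]@{ Path = $Path; SHA1 = $Sha1; Signer = $Thumb; Findings = ($Findings -join '; ') }
}

# The article notes that resolved .bit names are kept in the local DNS cache,
# so cached .bit entries on a host with no legitimate NameCoin use are a strong indicator.
Get-DnsClientCache | Where-Object { $_.Entry -like '*.bit' } |
    Select-Object Entry, Data, TimeToLive
```

Run it in an elevated PowerShell session on the endpoint under investigation; any non-empty Findings column or cached .bit entry warrants isolating the host and collecting the files for analysis.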
