Disruption of a large-scale hacker attack on Windows users in Russia

Original author: Windows Defender Research
On March 6, Windows Defender blocked more than 80,000 instances of several sophisticated trojans that used advanced techniques for injecting malicious code into the address space of other processes, together with equally sophisticated persistence and evasion mechanisms. The new wave of infection attempts was identified thanks to signals from behavioral analysis systems combined with cloud-based machine learning models.

The second part with a detailed description of the attack and infection paths.

The Trojans used in the attack were new variants of Dofoil (also known as Smoke Loader). They attempted to infect devices with cryptocurrency-mining malware. Over the next 12 hours, more than 400,000 attacks were recorded, of which 73% were in Russia, 18% in Turkey and 4% in Ukraine.

The geographical distribution of the components of the Dofoil attack.

At the very beginning of the attack, behavioral monitoring in Windows Defender antivirus detected an unusual persistence mechanism. The antivirus immediately sent a signal to our cloud protection service.

  1. Within milliseconds, multiple metadata-based machine learning models in the cloud were already blocking the detected threat as it appeared.
  2. Within seconds, our sample-analysis-based machine learning models confirmed that the program had been correctly classified as malicious. A few minutes later, detonation-based models came into play and further confirmed the findings of the earlier mechanisms.
  3. A few minutes after the start of the attack, the anomaly detection service notified our analysts of a potential new outbreak.
  4. After completing the analysis, the Microsoft incident response team assigned the threats of this new wave names matching the classification of the malware families involved. Thus, at the very start of the campaign, users whose threat was blocked saw a warning in which it appeared under the names assigned by the machine learning systems (for example, Fuery, Fuerboos, Cloxer or Azden). Those whose threat was blocked later saw it under the name of the malware family to which it belongs, i.e. Dofoil or Coinminer.

Users of Windows 10, Windows 8.1 and Windows 7 with Windows Defender or Microsoft Security Essentials antivirus software are fully protected from this malware outbreak.

A multi-level system of protection based on machine learning in the Windows Defender antivirus program

Artificial intelligence and behavior-based threat detection in Windows Defender form the basis of our protection system. Against this attack, a proactive defense mechanism based on artificial intelligence was applied. This approach is similar to the multi-layered machine learning protection that stopped the Emotet outbreak last month.

Code injection and cryptocurrency mining

Dofoil is the latest malware family to use cryptocurrency miners in its attacks. The price of bitcoin and other cryptocurrencies remains attractive, and attackers take advantage of the opportunity by embedding mining components in their attacks. For example, modern exploit kits now deliver cryptocurrency-mining tools instead of ransomware. Mining scripts are injected into fraudulent technical support sites, and mining functionality has even been added to some banking Trojans.

The starting point of the Dofoil campaign that we discovered on March 6 was a Trojan that replaced the explorer.exe process. Process replacement (known as process hollowing) is a code injection method in which a new instance of a legitimate process is created (in this case c:\windows\syswow64\explorer.exe) and its code is replaced with malicious code.

Detection of process hollowing by the Windows Defender ATP service (SHA-256: d191ee5b20ec95fe65d6708cbb01a6ce72374b309c9bfb7462206a0c7e039f4d, detected by Windows Defender antivirus as TrojanDownloader:Win32/Dofoil.AB)

The hollowed explorer.exe process then launches a second malicious process, which drops and runs a cryptocurrency-mining program disguised as a legitimate Windows binary, wuauclt.exe.

Detection of cryptocurrency-mining malware by the Windows Defender ATP service (SHA-256: 2b83c69cf32c5f8f43ec2895ec9ac730bf73e1b2f37e44a3cf8ce814fb51f120, detected by Windows Defender antivirus as Trojan:Win32/CoinMiner.D)

Although the malware uses the name of a trusted Windows binary, it launches from a different location. Its command line also differs from that of the genuine binary. In addition, the network traffic generated by this binary is suspicious.

Windows Defender ATP alert process tree: abnormal IP protocol

Suspicious network activity displayed in Windows Defender ATP service

Windows Defender ATP notification process tree: fictitious process explorer.exe that creates suspicious connections

Dofoil uses a specialized mining application. Judging by the code, this application supports NiceHash, that is, it can mine various cryptocurrencies. The samples we analyzed were used to mine the Electroneum cryptocurrency.

Persistence is a key property of cryptocurrency-mining malware. Such programs use a variety of tricks to remain unnoticed for a long time while mining cryptocurrency with stolen computing resources.

To evade detection, Dofoil modifies the registry. The hollowed explorer.exe process creates a copy of the original malware in the Roaming AppData folder and renames it ditereah.exe. It then creates a new registry key, or modifies an existing one, to point to the newly created copy of the malware. In the sample we analyzed, the OneDrive Run key was modified.

Windows Defender ATP alert process tree: creation of a new malicious process (SHA-256: d191ee5b20ec95fe65d6708cbb01a6ce72374b309c9bfb7462206a0c7e039f4d) and registry modification

Communication with command-and-control servers

Dofoil is a resilient family of Trojan downloaders. They connect to command-and-control (C&C) servers from which they receive commands to download and install malware. In the March 6 campaign, the Dofoil Trojans used the decentralized Namecoin network infrastructure to communicate with their C&C servers.

The hollowed explorer.exe process writes and runs another binary, D1C6.tmp.exe (SHA-256: 5f3efdc65551edb0122ab2c40738c48b677b1058f7dfcdb86b05af42a2d8299c), in the Temp folder. This file then creates and runs a copy of itself under the name lyk.exe. The launched lyk.exe connects to IP addresses that act as DNS proxies for the Namecoin network and then tries to reach the vinik.bit C&C server within the Namecoin infrastructure. The C&C server instructs the malware to connect to or disconnect from an IP address, download a file from a specific URL, launch a specific file, terminate, or sleep for a period of time.
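The indicators described above (a trusted binary name launched from an unexpected directory, a hollowed explorer.exe making outbound connections, a Run key pointing into Roaming AppData, and lookups of Namecoin .bit names) can be expressed as simple detection logic over endpoint telemetry. The following is an added example, not code from the original post or from Microsoft; the event format and the sample telemetry are constructed for illustration, and the "trusted directories" table assumes default Windows install paths.

```python
import ntpath

# Standard locations of the Windows binaries the Dofoil chain impersonates
# (assumption: default install paths; adjust for your environment).
TRUSTED_BINARY_DIRS = {
    "explorer.exe": {r"c:\windows", r"c:\windows\syswow64"},
    "wuauclt.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
}

def classify(ev):
    """Return a finding string for one endpoint event, or None if it looks benign."""
    image = ev.get("image", "").lower()
    name, parent = ntpath.basename(image), ntpath.dirname(image)
    if ev["type"] == "process":
        # Trusted binary name launched from an unexpected directory (wuauclt.exe in Temp)
        if name in TRUSTED_BINARY_DIRS and parent not in TRUSTED_BINARY_DIRS[name]:
            return f"masquerading binary: {ev['image']}"
    elif ev["type"] == "network":
        # explorer.exe rarely makes direct outbound connections; a hollowed one does
        if name == "explorer.exe":
            return f"explorer.exe outbound connection to {ev['remote']}"
    elif ev["type"] == "registry":
        # Run-key value pointing into AppData\Roaming: the ditereah.exe persistence pattern
        if ev["key"].lower().endswith("\\currentversion\\run") \
                and "\\appdata\\roaming\\" in ev["value"].lower():
            return f"Run key '{ev['name']}' -> {ev['value']}"
    elif ev["type"] == "dns":
        # Namecoin .bit names cannot be resolved by normal DNS: a C2 indicator
        if ev["query"].lower().endswith(".bit"):
            return f"Namecoin C2 lookup {ev['query']} by {ev['image']}"
    return None

def scan(events):
    """Findings for a sequence of events, in order."""
    return [f for f in map(classify, events) if f]

# Constructed sample telemetry mirroring the chain described in the article.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"c:\windows\syswow64\explorer.exe"},
    {"type": "process", "image": r"c:\users\bob\appdata\local\temp\wuauclt.exe"},
    {"type": "network", "image": r"c:\windows\syswow64\explorer.exe",
     "remote": "203.0.113.10:443"},
    {"type": "registry", "key": r"hkcu\software\microsoft\windows\currentversion\run",
     "name": "OneDrive", "value": r"c:\users\bob\appdata\roaming\ditereah.exe"},
    {"type": "dns", "image": r"c:\users\bob\appdata\local\temp\lyk.exe", "query": "vinik.bit"},
    {"type": "dns", "image": r"c:\windows\system32\svchost.exe", "query": "example.com"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The legitimate explorer.exe launch and the ordinary DNS query produce no finding; the other four events each match one of the article's indicators.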

Windows Defender ATP alert process tree: creation of the temporary file D1C6.tmp.exe (SHA-256: 5f3efdc65551edb0122ab2c40738c48b677b1058f7dfcdb86b05af42a2d8299c)

Windows Defender ATP alert process tree: lyk.exe connecting to IP addresses

Real-time protection in Windows 10

As the value of cryptocurrencies grows, cybercriminal groups increasingly attack networks in order to mine cryptocurrency covertly.

Windows Defender antivirus uses a multi-layered approach to security. Behavior-based detection, generic signatures and heuristics, together with machine learning models both on client devices and in the cloud, provide real-time protection against new threats and outbreaks.

As this example shows, the Windows Defender Advanced Threat Protection (WDATP) service raises alerts on malicious behavior related to software installation, code injection, persistence mechanisms and cryptocurrency-mining operations. Security operations teams can use the extensive WDATP detection libraries to identify abnormal network activity and take the necessary action. WDATP also integrates the protection features of Windows Defender Antivirus, Windows Defender Exploit Guard and Windows Defender Application Guard, simplifying security management.
