Microsoft has announced that it successfully defended against a large-scale attempt to deploy a sophisticated trojan aimed at mining Electroneum (ETN) without the user's knowledge. Until now, most coin-mining trojans were used to mine Monero (XMR).
Microsoft stated that Windows 10, Windows 8.1, and Windows 7 users running Windows Defender AV or Microsoft Security Essentials are all protected from this latest outbreak.
How does the trojan work?
The trojan uses advanced cross-process injection techniques, persistence mechanisms, and evasion methods to install itself on the victim's computer. The samples are new variants of Dofoil (also known as Smoke Loader) and carry an Electroneum coin miner. Dofoil is the latest malware family to incorporate coin miners in its attacks; scammers have also been adding coin mining scripts to tech support scam websites.
The trojan performs process hollowing on explorer.exe. Process hollowing is a code injection technique that spawns a new instance of a legitimate process (in this case c:\windows\syswow64\explorer.exe) and then replaces its code in memory with malware. The hollowed explorer.exe process then spins up a second malicious instance, which drops and runs the coin mining malware masquerading as a legitimate Windows binary, wuauclt.exe. Although it uses the name of a legitimate Windows binary, it runs from the wrong location, its command line is anomalous compared to the legitimate binary, and its network traffic is suspicious. Dofoil uses a customized mining application. Based on its code, the miner supports NiceHash, which means it can mine different cryptocurrencies; the samples analyzed by Microsoft mined Electroneum coins.
To persist and stay hidden, Dofoil modifies the registry. The hollowed explorer.exe process creates a copy of the original malware in the Roaming AppData folder, named ditereah.exe. It then creates a Run registry value or modifies an existing one to point to the newly created malware copy. In the sample Microsoft analyzed, the malware modified the OneDrive Run value.
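The indicators in the two paragraphs above (a fake wuauclt.exe running from the wrong path with miner-style arguments under a hollowed explorer.exe, and a Run value rewritten to point at a copy in the Roaming AppData root) can be turned into a small hunting check. The following is an added example, not Microsoft's code or tooling; the process and Run-key records it scans are constructed for illustration, and the schema (name, path, cmdline, parent_name) is an assumption. On a live host you would feed it the output of a process enumeration and the HKCU/HKLM Run keys instead.

```python
import re

# Legitimate on-disk locations of the binary the campaign impersonates
# (assumes a standard install on drive C:).
LEGIT_WUAUCLT = {r"c:\windows\system32\wuauclt.exe", r"c:\windows\syswow64\wuauclt.exe"}
# Arguments the Windows Update client never takes but a NiceHash-style miner does.
MINER_ARGS = re.compile(r"stratum\+tcp://|\s-o\s|--url|\s-u\s|--user|nicehash", re.I)


def flag_process(proc):
    """Return the reasons a process record matches the Dofoil miner stage.

    proc: dict with keys pid, name, path, cmdline, parent_name (assumed schema).
    """
    reasons = []
    name, path, parent = proc["name"].lower(), proc["path"].lower(), proc["parent_name"].lower()
    if name == "wuauclt.exe":
        if path not in LEGIT_WUAUCLT:
            reasons.append(f"wuauclt.exe running from unexpected path {proc['path']}")
        if MINER_ARGS.search(" " + proc["cmdline"]):
            reasons.append("wuauclt.exe command line carries mining-pool arguments")
        if parent == "explorer.exe":
            reasons.append("wuauclt.exe spawned by explorer.exe (the hollowed second instance)")
    elif name == "explorer.exe" and parent == "explorer.exe" and "syswow64" in path:
        # Weak signal on its own: the 32-bit explorer.exe is rarely launched by explorer.exe.
        reasons.append("32-bit explorer.exe spawned by explorer.exe (hollowing candidate)")
    return reasons


def _target_of(command):
    """Pull the executable path out of a Run-key command string (quoted or bare)."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return command.split(" ")[0]


def flag_run_value(value_name, command):
    """Return the reasons a Run-key value looks like Dofoil's rewritten persistence."""
    reasons = []
    target = _target_of(command)
    folder, _, exe = target.lower().rpartition("\\")
    if folder.endswith(r"\appdata\roaming"):
        reasons.append(f"Run value '{value_name}' launches {exe} straight from the Roaming AppData root")
    if value_name.lower() not in exe:
        # Weak signal: many legitimate values also have names unrelated to their binary.
        reasons.append(f"Run value '{value_name}' launches an unrelated binary {exe}")
    return reasons


def hunt(processes, run_values):
    """Run both checks; return {finding_key: [reasons]} for anything suspicious."""
    findings = {}
    for proc in processes:
        reasons = flag_process(proc)
        if reasons:
            findings[f"pid {proc['pid']}"] = reasons
    for value_name, command in run_values.items():
        reasons = flag_run_value(value_name, command)
        if reasons:
            findings[f"Run\\{value_name}"] = reasons
    return findings


# Constructed sample telemetry: one clean wuauclt.exe, one hollowed explorer chain, two Run values.
SAMPLE_PROCESSES = [
    {"pid": 1204, "name": "explorer.exe", "path": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe", "parent_name": "userinit.exe"},
    {"pid": 4412, "name": "explorer.exe", "path": r"C:\Windows\SysWOW64\explorer.exe",
     "cmdline": r"C:\Windows\SysWOW64\explorer.exe", "parent_name": "explorer.exe"},
    {"pid": 4480, "name": "wuauclt.exe", "path": r"C:\Users\alice\AppData\Local\Temp\wuauclt.exe",
     "cmdline": "wuauclt.exe -o stratum+tcp://pool.example:3333 -u wallet.worker",
     "parent_name": "explorer.exe"},
    {"pid": 900, "name": "wuauclt.exe", "path": r"C:\Windows\System32\wuauclt.exe",
     "cmdline": "wuauclt.exe /reportnow", "parent_name": "svchost.exe"},
]
SAMPLE_RUN_VALUES = {
    "OneDrive": r'"C:\Users\alice\AppData\Roaming\ditereah.exe"',
    "SecurityHealth": r"C:\Windows\system32\SecurityHealthSystray.exe",
}

if __name__ == "__main__":
    for key, reasons in hunt(SAMPLE_PROCESSES, SAMPLE_RUN_VALUES).items():
        print(key)
        for reason in reasons:
            print("  -", reason)
```

Run against the sample data, the hunt reports the Temp-resident wuauclt.exe on all three process checks, the SysWOW64 explorer.exe child as a hollowing candidate, and the OneDrive Run value on both registry checks, while the genuine wuauclt.exe and SecurityHealth entries pass clean.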
How did Microsoft stop the attack?
Just before noon on March 6 (PST), Windows Defender Antivirus blocked more than 80,000 instances of several sophisticated trojans that exhibited advanced cross-process injection techniques, persistence mechanisms, and evasion methods. Behavior-based signals coupled with cloud-powered machine learning models uncovered this new wave of infection attempts. Within the next 12 hours, more than 400,000 instances were recorded, 73% of which were in Russia. Turkey accounted for 18% and Ukraine 4% of the global encounters.
Windows Defender AV initially flagged the attack’s unusual persistence mechanism through behavior monitoring, which immediately sent this behavior-based signal to Microsoft’s cloud protection service.
1. Within milliseconds, multiple metadata-based machine learning models in the cloud started blocking these threats at first sight.
2. Seconds later, Microsoft’s sample-based and detonation-based machine learning models also verified the malicious classification. Within minutes, detonation-based models chimed in and added additional confirmation.
3. Within minutes, an anomaly detection alert notified Microsoft's response team about a new potential outbreak.
Identifying computers affected by the Electroneum-mining trojan
After analysis, Microsoft's response team updated the classification of this new surge of threats to the proper malware family names. Computers hit by these infection attempts early in the campaign would show blocks under machine learning detection names such as Fuery, Fuerboos, Cloxer, or Azden; later blocks show the proper family names, Dofoil or Coinminer.
With the rise in valuation of cryptocurrencies, cybercriminal groups are launching more and more attacks to infiltrate networks and quietly mine for coins. Malware operators see an opportunity to include coin mining components in their attacks, and some exploit kits are now delivering coin miners instead of ransomware.
Windows Defender Advanced Threat Protection (Windows Defender ATP) flags malicious behaviors related to installation, code injection, persistence mechanisms, and coin mining activities.
Windows 10 S, a special configuration of Windows 10, helps protect against coin miners and other threats. Windows 10 S works exclusively with apps from the Microsoft Store and uses Microsoft Edge as the default browser, providing Microsoft-verified security.