Last year, the world of cybersecurity was shaken by the Petya and WannaCry ransomware attacks. Microsoft detailed how upgrading to the latest versions of Windows protected users against the exploits and helped mitigate their spread.
Now, Microsoft has published a blog post detailing how its Windows Defender - available in Windows 7, 8.1, and 10 - prevented a "massive" Dofoil coin mining campaign a couple of days ago.
According to the report, Windows Defender used behavior-based signals and machine learning models to detect and block nearly 80,000 instances of several advanced trojans. The company states that the trojans were a variant of Dofoil and were accompanied by a coin miner payload. After the first detection, 400,000 more instances of the attack appeared over the next 12 hours, with 73% of them located in Russia, 18% in Turkey, and 4% in Ukraine.
The Dofoil malware family is considered particularly dangerous because of the current demand for cryptocurrencies, which gives attackers an incentive to bundle coin mining components with their malware. The coin mining campaign that Windows Defender detected used a code injection technique (process hollowing) on explorer.exe: it forked a new instance of the legitimate process and replaced its code with malware.
This infected process then spawns another instance, which executes the coin mining payload. Under normal circumstances this would be very hard for a user to notice, because the malicious process looks like a legitimate Windows binary but runs from an incorrect location.
Microsoft further explains that:
To stay hidden, Dofoil modifies the registry. The hollowed explorer.exe process creates a copy of the original malware in the Roaming AppData folder and renames it to ditereah.exe. It then creates a registry key or modifies an existing one to point to the newly created malware copy. In the sample we analyzed, the malware modified the OneDrive Run key.
The hollowed explorer.exe process writes and runs another binary, D1C6.tmp.exe (SHA256: 5f3efdc65551edb0122ab2c40738c48b677b1058f7dfcdb86b05af42a2d8299c) into the Temp folder. D1C6.tmp.exe then drops and executes a copy of itself named lyk.exe. Once running, lyk.exe connects to IP addresses that act as DNS proxy servers for the Namecoin network. It then attempts to connect to the C&C server vinik.bit inside the Namecoin infrastructure. The C&C server commands the malware to connect or disconnect to an IP address; download a file from a certain URL and execute or terminate the specific file; or sleep for a period of time.
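As an added example (not code from the article or from Microsoft), the following Python triage checks look for the three host indicators described above: an explorer.exe image running from outside the Windows directory, a child of explorer.exe started from the Temp or Roaming AppData folders, and a Run key value pointing into Roaming AppData. The user profile paths, PIDs, and the "Updater" entry are constructed sample data, not values from the report.

```python
# Triage checks for the Dofoil indicators described above, run over constructed
# sample process and Run-key records rather than a live system.
from dataclasses import dataclass
from pathlib import PureWindowsPath

WINDIR = PureWindowsPath(r"C:\Windows")
# Constructed profile paths; a real tool would take them from the environment.
ROAMING = PureWindowsPath(r"C:\Users\alice\AppData\Roaming")
TEMP = PureWindowsPath(r"C:\Users\alice\AppData\Local\Temp")

@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    name: str
    path: str  # full image path of the running executable

def _under(path, root):
    # PureWindowsPath comparisons are case-insensitive, so C:\WINDOWS matches too.
    return root in PureWindowsPath(path).parents

def suspicious_processes(procs):
    """Flag explorer.exe images outside the Windows directory, and children of
    explorer.exe launched from the Temp or Roaming AppData folders."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        if p.name.lower() == "explorer.exe" and PureWindowsPath(p.path).parent != WINDIR:
            hits.append((p.pid, "explorer.exe running from unexpected location"))
        parent = by_pid.get(p.ppid)
        if parent and parent.name.lower() == "explorer.exe" and (
                _under(p.path, TEMP) or _under(p.path, ROAMING)):
            hits.append((p.pid, "child of explorer.exe started from " + p.path))
    return hits

def suspicious_run_keys(values):
    """Return Run-key value names whose target executable lives in Roaming AppData."""
    return [name for name, target in values.items() if _under(target, ROAMING)]

# Constructed sample mirroring the chain in the article (PIDs and paths are made up).
SAMPLE_PROCS = [
    Proc(1000, 1, "explorer.exe", r"C:\Windows\explorer.exe"),
    Proc(2000, 1000, "explorer.exe", r"C:\Users\alice\AppData\Local\Temp\explorer.exe"),
    Proc(2100, 2000, "D1C6.tmp.exe", r"C:\Users\alice\AppData\Local\Temp\D1C6.tmp.exe"),
    Proc(2200, 1000, "notepad.exe", r"C:\Windows\System32\notepad.exe"),
]
SAMPLE_RUN = {
    "OneDrive": r"C:\Users\alice\AppData\Roaming\ditereah.exe",
    "Updater": r"C:\Program Files\Example\updater.exe",
}
```

On a real host the same functions can be fed the output of a process enumeration (name, PID, parent PID, image path) and the values of the HKCU and HKLM Run keys.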
While Microsoft has stated that customers running Windows 7, 8.1, and 10 with Windows Defender AV or Microsoft Security Essentials are protected, it recommends that users upgrade to its latest operating system, Windows 10. The company has also encouraged customers to use Windows 10 S to protect themselves against such threats.