A couple of days ago, Windows Defender blocked more than 80,000 instances of several new variants of the Dofoil (aka Smoke Loader) downloader. After detecting abnormal behavior, the Microsoft’s Defender managed to protect Windows 10, 8.1 and 7 users within minutes.
During the next 12 hours, the experts registered more than 400,000 instances of Dofoil malware – 73% in Russia, 18% in Turkey, and 4% in Ukraine.
Dofoil downloader performs process hollowing, which involves spawning a new instance of a legitimate process – in this case, explorer.exe – and replacing the good code with malware. After that, the hollowed explorer.exe spins a second instance which drops and runs coin mining malware disguising as the legitimate binary, wuauclt.exe.
According to Microsoft, Windows Defender detected the issue since, “Even though it uses the name of a legitimate Windows binary, it’s running from the wrong location. The command line is anomalous compared to the legitimate binary. Additionally, the network traffic from this binary is suspicious.”
Dofoil communicates with a C&C server, vinik.bit, inside the Namecoin distributed framework. Security experts described Namecoin as, “a system of alternative root DNS servers based on Bitcoin technology.”
Dofoil downloads a cryptominer which supports NiceHash, letting it mine various cryptocurrencies.
“The samples we analyzed mined Electroneum coins,” Microsoft says.
According to the researchers, the decision to use Dofoil for dropping Electroneum mining malware may be driven by the potential growth in the currency bolstered by a massive campaign trying to infect nearly half a million computers specifically to drive up the value.
“As demonstrated,” Microsoft writes, “Windows Defender Advanced Threat Protection (Windows Defender ATP) flags malicious behaviors related to installation, code injection, persistence mechanisms, and coin mining activities. Security operations can use the rich detection libraries in Windows Defender ATP to detect and respond to anomalous activities in the network.”
In general, this is true, however, not everyone believes it goes far enough as such reports are fundamentally marketing documents presenting the company concerned in the best light possible.
One of the figures in the Microsoft report depicts the ‘alert process tree’ used to determine the presence of the malware. This includes a VirusTotal hash with the comment, “VirusTotal detection ratio 38/67.”
Considering the fact that more than half of the anti-malware engines supported by VirusTotal classify the file as malware, it is certain that this is malware indeed.