Microsoft has released a blog post detailing that its Windows Defender (Windows 7, 8.1 and 10) blocked “massive” Dofoil cryptocurrency mining activities a few days ago. Windows Defender uses behavior-based signals and machine learning models to detect and intercept nearly 80,000 high-level Trojan instances. The company claims that these Trojans are a variant of Dofoil and are accompanied by the payload of a miner.
After the first detection, another 400,000 attacks occurred in the next 12 hours, of which 73% were in Russia, 18% in Turkey, and 4% in Ukraine. Due to the current demand for cryptocurrencies, the Dofoil malware family is considered particularly dangerous because the attacker has the opportunity to include cryptocurrency mining components in their code. The cryptocurrency mining activity detected by Windows Defender uses code injection technology on explorer.exe to distribute new instances of legitimate processes and replace its code with malware.
Used with permission from Microsoft
This infected process will produce another instance of performing a coin mining payload. In normal circumstances, it may be difficult for the user to detect this because the malicious process is a valid Windows binary but the location of the run is incorrect.
To stay hidden, Dofoil will modify the registry. The knocked-out explorer.exe process creates a copy of the original malware in the roaming AppData folder and renames it to ditreahah.exe. Then it creates a registry key or modifies an existing registry key to point to a newly created copy of the malware.
Although Microsoft claims that customers running Windows 7, 8.1, and 10 are protected by Windows Defender AV or Microsoft Security Essentials, it recommends that users upgrade to the latest operating system, Windows 10. In fact, the company also encourages customers to use Windows 10 S to protect themselves from these threats.
Source: neowin
