Microsoft’s Windows Defender Halts “Massive” Dofoil Malware Attack

Microsoft has revealed that Windows Defender blocked a massive malware distribution campaign that attempted to infect over 400,000 users.

It is now common knowledge that there are multiple types of malware which can significantly endanger the proper operation of computer systems.

Nonetheless, if there is a particular category of malware that has risen to prominence in recent times, it is “hidden cryptocurrency miners.”

According to recently released reports, Microsoft has just stopped a significant malware campaign that attempted to infect hundreds of thousands of computer systems in under 12 hours.

In an official statement, Microsoft said that Windows Defender halted a massive malware distribution campaign that tried to target more than 400,000 consumers with a cryptocurrency miner in March.

Microsoft Corporation attributes these particular detections to computers already infected by the Dofoil malware, also referred to as Smoke Loader. This is a prevalent malware downloader.

Approximately 75 percent of the supposed infection attempts were detected in Russia.

How Windows Defender Blocked Massive Malware Campaign

The Microsoft Windows Defender Research team noted in a public statement that on March 6, just before midday (PST), Windows Defender AV blocked more than 80,000 instances of several sophisticated Trojans that exhibited advanced cross-process injection techniques, persistence mechanisms and evasion methods.

The team added that within the 12 hours following the first detection, more than 400,000 instances were identified, three-quarters of them in Russia.

Other places where the cases were recorded include Turkey, which accounted for about 18 percent, together with Ukraine, which accounted for a mere 4 percent of all the global instances encountered.

The Microsoft team credits the rapid discovery of this Trojan to the cloud-powered, behavior-based machine learning models built into Windows Defender.

Such is the efficacy of these models that discovery, identification and threat nullification happened almost instantly.

Microsoft says that its machine learning models identified the malware within milliseconds, classified the threat as severe within seconds and blocked it within minutes.

The Microsoft Windows Defender Research team also stated that people affected by these infection attempts early in the campaign would have seen blocks under machine learning detection names such as Fuerboos, Fuery, Azden or Cloxer.

Later on, the blocks appear under the malware's family names instead—in this case, Coinminer or Dofoil.

Malware C&C Servers Located on Namecoin Network

In their report, Microsoft says that the newly identified malware, Dofoil, attempted to hollow the OS process explorer.exe in order to inject malicious code.

This code, according to the team, is designed to spin up another explorer.exe process, which then downloads and runs a cryptocurrency miner, “Coinminer.” Coinminer was camouflaged as a genuine Windows binary, wuauclt.exe.

The research team states that Windows Defender identified this operation as malicious even though wuauclt.exe is the name of an authentic Windows binary.

The giveaway was that it was running from the wrong disk location.

This binary also generated suspicious traffic as Coinminer attempted to contact a command and control (C&C) server located on the Namecoin network infrastructure.

Although Coinminer was only recently discovered, it is not the first malware to host its C&C servers on Namecoin's .bit domains.
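The two signals described in this section, a trusted Windows file name running from the wrong disk location and DNS lookups for .bit names, can be checked together in endpoint telemetry. The sketch below is an added example, not code from Microsoft or Windows Defender; the event format, host names, sample paths and sample domain are constructed, and the expected paths assume a default C:\Windows install.

```python
import ntpath

# Expected install paths (lower-cased) for the two binaries the article names.
# Assumption: default system root C:\Windows; adjust to your own baseline.
EXPECTED_PATHS = {
    "wuauclt.exe": {r"c:\windows\system32\wuauclt.exe"},
    "explorer.exe": {r"c:\windows\explorer.exe",
                     r"c:\windows\syswow64\explorer.exe"},
}

def is_masquerading(image_path):
    """True when a trusted system file name runs from an unexpected path."""
    path = ntpath.normpath(image_path).lower()  # resolves parent-dir segments
    name = ntpath.basename(path)
    return name in EXPECTED_PATHS and path not in EXPECTED_PATHS[name]

def is_namecoin_query(name):
    """True for DNS names under the Namecoin .bit suffix."""
    return name.lower().rstrip(".").endswith(".bit")

def triage(events):
    """Map host -> set of signals ("path", "dns") seen in the events."""
    signals = {}
    for ev in events:
        if ev["type"] == "process" and is_masquerading(ev["image"]):
            signals.setdefault(ev["host"], set()).add("path")
        elif ev["type"] == "dns" and is_namecoin_query(ev["query"]):
            signals.setdefault(ev["host"], set()).add("dns")
    return signals

def high_confidence(signals):
    """Hosts showing both signals, the combination the article describes."""
    return sorted(h for h, s in signals.items() if s == {"path", "dns"})

# Constructed sample telemetry (hosts, paths and domain are invented).
SAMPLE_EVENTS = [
    {"type": "process", "host": "ws-01", "image": r"C:\Windows\System32\wuauclt.exe"},
    {"type": "process", "host": "ws-02", "image": r"C:\Users\Public\wuauclt.exe"},
    {"type": "dns", "host": "ws-02", "query": "constructed-sample.bit."},
    {"type": "process", "host": "ws-03", "image": r"C:\Windows\System32\..\Temp\wuauclt.exe"},
    {"type": "dns", "host": "ws-04", "query": "habit.example.com"},
    {"type": "process", "host": "ws-04", "image": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    for host in sorted(result):
        print(host, sorted(result[host]))
    print("both signals:", high_confidence(result))
```

Path normalization matters here: the ws-03 entry looks like a System32 path at a glance but resolves to a different directory.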

Malware Allegedly Attempted to Mine Electroneum

According to Microsoft, in their comprehensive report released in the wake of the discovery, the Coinminer malware allegedly attempted to mine the Electroneum cryptocurrency.

Nonetheless, Microsoft stated that all Windows users (7, 8.1 and 10) running Microsoft Security Essentials or Windows Defender AV were automatically protected from the malware.

Although Microsoft is credited with the discovery, other antivirus makers and vendors would have also most likely identified this malware threat.

This is because Smoke Loader (Dofoil) is a known malware strain which has been quite active and prominent for years.
