Microsoft detected a large number of attacks with coin mining malware in Russia
Microsoft announced earlier this week that it detected and blocked approximately 400,000 infection attempts with a trojan that contained an onboard coinminer for the cryptocurrency Electroneum. About seventy percent of the attempts took place in Russia.
In its analysis, Microsoft does not say anything about the origin of the infection attempts, which involved the Dofoil trojan, better known as Smoke Loader. According to earlier information from security company Kaspersky, this trojan was developed by a Russian in 2011 and then offered for sale on the Internet. Microsoft writes that the trojan “uses advanced injection techniques, as well as methods to evade detection and remain on a system.” In the attack the company detected on March 6, the trojan carried an Electroneum coin miner as its payload.
While the majority of infection attempts took place in Russia, 18 percent occurred in Turkey and 4 percent in Ukraine. The trojan attempted to inject code into the explorer.exe process using a technique known as process hollowing, in which a legitimate process is spawned and its code in memory is replaced with malicious code. That hollowed process then downloads the coinminer, which masquerades as a legitimate Windows file called wuauclt.exe, a component of the Windows Update process.
The coinminer in question reportedly supports NiceHash and in this case mined Electroneum. Through registry changes, the malware was able to remain on a system after a reboot. According to Microsoft, the trojan was controlled via command-and-control servers, and the Namecoin network was used for that communication.
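The two behaviours described above, a miner masquerading as wuauclt.exe and a registry-based persistence entry, are the kind of signals an endpoint detection rule would look for. The following Python script is an added illustration, not code from the article or from Microsoft; it runs simple checks over constructed sample telemetry (process list and Run-key entries invented for this example, not actual Dofoil/Smoke Loader artefacts). The rules assume that a genuine wuauclt.exe lives in System32 and is normally started by svchost.exe rather than explorer.exe, and treat any Run-key command pointing outside the Windows and Program Files directories as worth a look.

```python
"""
Detection heuristics over constructed endpoint telemetry (added example).
  1. a process named wuauclt.exe whose image is not in System32
  2. a wuauclt.exe whose parent is explorer.exe (assumed unusual; the real
     one is normally launched by the Windows Update service via svchost.exe)
  3. a Run-key persistence entry whose binary sits outside trusted locations
"""
from dataclasses import dataclass
import ntpath

SYSTEM32 = "c:\\windows\\system32"
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


@dataclass
class Process:
    pid: int
    name: str
    image_path: str
    parent_name: str


@dataclass
class RunKeyEntry:
    hive: str          # "HKLM" or "HKCU"
    value_name: str    # name of the value under ...\CurrentVersion\Run
    command: str       # the command line stored in that value


def masquerading_wuauclt(proc):
    """True if a process calls itself wuauclt.exe but runs from outside System32."""
    if proc.name.lower() != "wuauclt.exe":
        return False
    return ntpath.dirname(proc.image_path).lower() != SYSTEM32


def odd_parent_wuauclt(proc):
    """True if wuauclt.exe was started by explorer.exe (assumption: unusual)."""
    return proc.name.lower() == "wuauclt.exe" and proc.parent_name.lower() == "explorer.exe"


def command_binary(command):
    """Extract the executable path from a Run-key command line.
    Handles both quoted ("C:\\a b\\x.exe" /flag) and unquoted (C:\\x.exe /flag) forms."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    return command.split(" ", 1)[0]


def suspicious_run_entry(entry):
    """True if the persisted binary lives outside the trusted system directories."""
    return not command_binary(entry.command).lower().startswith(TRUSTED_PREFIXES)


def scan(processes, run_entries):
    """Return a list of (kind, subject, detail) findings for the given telemetry."""
    findings = []
    for p in processes:
        if masquerading_wuauclt(p):
            findings.append(("masquerade", p.pid, p.image_path))
        if odd_parent_wuauclt(p):
            findings.append(("odd-parent", p.pid, p.parent_name))
    for e in run_entries:
        if suspicious_run_entry(e):
            key = f"{e.hive}\\...\\CurrentVersion\\Run\\{e.value_name}"
            findings.append(("persistence", key, command_binary(e.command)))
    return findings


# Constructed sample telemetry: one benign and one masquerading wuauclt.exe,
# plus one benign and one suspicious Run-key entry.
SAMPLE_PROCESSES = [
    Process(1204, "wuauclt.exe", "C:\\Windows\\System32\\wuauclt.exe", "svchost.exe"),
    Process(4412, "wuauclt.exe", "C:\\Users\\alice\\AppData\\Roaming\\wuauclt.exe", "explorer.exe"),
    Process(2220, "explorer.exe", "C:\\Windows\\explorer.exe", "userinit.exe"),
]
SAMPLE_RUN_ENTRIES = [
    RunKeyEntry("HKLM", "SecurityHealth", '"C:\\Program Files\\Windows Defender\\MSASCuiL.exe"'),
    RunKeyEntry("HKCU", "WindowsUpdate", "C:\\Users\\alice\\AppData\\Roaming\\wuauclt.exe -B"),
]

if __name__ == "__main__":
    for kind, subject, detail in scan(SAMPLE_PROCESSES, SAMPLE_RUN_ENTRIES):
        print(f"[{kind}] {subject}: {detail}")
```

Note that none of these checks catches the hollowed explorer.exe itself: its name and image path are legitimate, so name- or path-based rules are blind to it, and spotting it requires memory or behavioural telemetry (unexpected network activity from explorer.exe, or a mismatch between its on-disk image and its mapped code). That is the gap the article's machine-learning step is meant to cover.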
The Redmond-based company notes that machine learning played an important role in detecting the malware. Because Windows Defender flagged the persistence method as suspicious and submitted the sample for analysis, a machine learning model was then able to determine that it was malicious. Defender initially blocked 80,000 infection attempts; a further 320,000 detections followed in the next 12 hours.