Jump to content
Donations Read more... ×
Sign in to follow this  
sixoclock

Behavior monitoring combined with machine learning spoils a massive Dofoil coin mining campaign

Recommended Posts

sixoclock

Just before noon on March 6 (PST), Windows Defender Antivirus blocked more than 80,000 instances of several sophisticated trojans that exhibited advanced cross-process injection techniques, persistence mechanisms, and evasion methods. Behavior-based signals coupled with cloud-powered machine learning models uncovered this new wave of infection attempts. The trojans, which are new variants of Dofoil (also known as Smoke Loader), carry a coin miner payload. Within the next 12 hours, more than 400,000 instances were recorded, 73% of which were in Russia. Turkey accounted for 18% and Ukraine 4% of the global encounters.

Figure 1: Windows Defender ATP machine timeline view with Windows Defender Exploit Guard event

Figure 1: Geographic distribution of the Dofoil attack components

Windows Defender AV initially flagged the attack’s unusual persistence mechanism through behavior monitoring, which immediately sent this behavior-based signal to our cloud protection service.

  1. Within milliseconds, multiple metadata-based machine learning models in the cloud started blocking these threats at first sight.
  2. Seconds later, our sample-based and detonation-based machine learning models also verified the malicious classification. Within minutes, detonation-based models chimed in and added additional confirmation.
  3. Within minutes, an anomaly detection alert notified us about a new potential outbreak.
  4. After analysis, our response team updated the classification name of this new surge of threats to the proper malware families. People affected by these infection attempts early in the campaign would have seen blocks under machine learning names like Fuery, Fuerboos, Cloxer, or Azden. Later blocks show as the proper family names, Dofoil or Coinminer.

 

MORE

Share this post


Link to post
Share on other sites
sixoclock

More info on the attack....

 

Windows attack: Poisoned BitTorrent client set off huge Dofoil outbreak, says Microsoft

Attackers used a popular BitTorrent client to spread coin-mining malware to over 400,000 PCs in a matter of hours.

The Dofoil outbreak that attempted to infect over 400,000 Windows PCs within hours last week was caused by attack on an update server that replaced a BitTorrent client called MediaGet with a near-identical but back-doored binary.

 

The 'MediaGet update poisoning', as Microsoft calls it, explains why the large-scale attempt to spread a cryptocurrency miner predominantly hit PCs in Russia, Turkey, and Ukraine.

 

Microsoft treats MediaGet as a potentially unwanted application, but in this case the Russian-developed BitTorrent client was a bridge to victims.

As Windows Defender researchers have highlighted, the Dofoil outbreak was a priority because it could have just as easily dropped ransomware using the attack vector.

 

While file-sharing apps can be used to spread malware, Microsoft's researchers noticed this outbreak wasn't coming from torrent downloads and wasn't seen in other file-sharing apps. Instead, malware was coming from the process mediaget.exe.

 

A "carefully planned attack" was implemented in mid-February, about a fortnight before the malware was distributed, according to Microsoft.

"To set the stage for the outbreak, attackers performed an update poisoning campaign that installed a trojanized version of MediaGet on computers," the Windows Defender Research team wrote.

 

A signed mediaget.exe from MediaGet's update server downloads a program called update.exe which installs a new, unsigned mediate.exe that works like the original only it has a backdoor.

 

Microsoft believes the third-party company that signed update.exe is likely to be a victim. The attackers signed the poisoned update.exe with a different certificate to pass the validation required by the legitimate MediaGet.

 

The trojanized mediate.exe file is 98 percent like the legit MediaGet binary. To evade detection the trojan performs process-hollowing on the legitimate explorer.exe process and injects malware into it.

 

The incident was notable to Microsoft because of the effort that went into laying the groundwork for the attack and the advanced techniques it used to conceal and maintain infections.

 

SOURCE

Share this post


Link to post
Share on other sites
sixoclock

Poisoned peer-to-peer app kicked off Dofoil coin miner outbreak

On March 7, we reported that a massive Dofoil campaign attempted to install malicious cryptocurrency miners on hundreds of thousands of computers. Windows Defender Antivirus, with its behavior monitoring, machine learning technologies, and layered approach to security detected and blocked the attack within milliseconds. Windows 10 S, a special configuration of Windows 10 providing Microsoft-verified security, was not vulnerable to this attack.

Immediately upon discovering the attack, we looked into the source of the huge volume of infection attempts. Traditionally, Dofoil (also known as Smoke Loader) is distributed in multiple ways, including spam email and exploit kits. In the outbreak, which began in March 6, a pattern stood out: most of the malicious files were written by a process called mediaget.exe.

 

This process is related to MediaGet, a BitTorrent client that we classify as potentially unwanted application (PUA). MediaGet is often used by people looking to download programs or media from websites with dubious reputation. Downloading through peer-to-peer file-sharing apps like this can increase the risk of downloading malware.

During the outbreak, however, Dofoil didn’t seem to be coming from torrent downloads. We didn’t see similar patterns in other file-sharing apps. The process mediaget.exe always wrote the Dofoil samples to the %TEMP% folder using the file name my.dat. The most common source of infection was the file %LOCALAPPDATA%\MediaGet2\mediaget.exe (SHA-1: 3e0ccd9fa0a5c40c2abb40ed6730556e3d36af3c).

Tracing the infection timeline

Our continued investigation on the Dofoil outbreak revealed that the March 6 campaign was a carefully planned attack with initial groundwork dating back to mid-February. To set the stage for the outbreak, attackers performed an update poisoning campaign that installed a trojanized version of MediaGet on computers. The following timeline shows the major events related to the Dofoil outbreak.

fig1-timeline.png

Figure 1. MediaGet-related malware outbreak timeline (all dates in UTC).

MediaGet update poisoning

The update poisoning campaign that eventually led to the outbreak is described in the following diagram. A signed mediaget.exe downloads an update.exe program and runs it on the machine to install a new mediaget.exe. The new mediaget.exe program has the same functionality as the original but with additional backdoor capability.

fig2-update-poisoning-flow.png

Figure 2. Update poisoning flow

 

MORE

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  

  • Recently Browsing   0 members

    No registered users viewing this page.

×