Jump to content
Login new information ×
Login new information
Donations campaign phase one 2024

Update on Dofoil : Trojanized BitTorrent Software Update Hijacked 400,000 PCs Last Week

steven36

By steven36
in Security & Privacy News

Recommended Posts

steven36

steven36

Posted
Posted

A massive malware outbreak that last week infected nearly half a million computers with cryptocurrency mining malware in just a few hours was caused by a backdoored version of popular BitTorrent client called MediaGet.

 

https://s7d7.turboimg.net/sp/787ec987a130b2f035b46bdfb326e708/mediagets.jpg

 

Dubbed Dofoil (also known as Smoke Loader), the malware was found dropping a cryptocurrency miner program as payload on infected Windows computers that mine Electroneum digital coins for attackers using victims' CPU cycles.

Dofoil campaign that hit PCs in Russia, Turkey, and Ukraine on 6th March was discovered by Microsoft Windows Defender research department and blocked the attack before it could have done any severe damages.
 
At the time when Windows Defender researchers detected this attack, they did not mention how the malware was delivered to such a massive audience in just 12 hours.

However, after investigation Microsoft today revealed that the attackers targeted the update mechanism of MediaGet BitTorrent software to push its trojanized version (mediaget.exe) to users' computers.
"A signed mediaget.exe downloads an update.exe program and runs it on the machine to install a new mediaget.exe. The new mediaget.exe program has the same functionality as the original but with additional backdoor capability," the researchers explain in a blog post published today.

Researchers believe MediaGet that signed update.exe is likely to be a victim of the supply chain attack, similar to CCleaner hack that infected over 2.3 million users with the backdoored version of the software in September 2017.

 

https://s7d4.turboimg.net/sp/28a64b9ebbe0a3a019156247c23f3393/malware-attack.png

 

Also, in this case, the attackers signed the poisoned update.exe with a different certificate and successfully passed the validation required by the legitimate MediaGet.
Quote

"The dropped update.exe is a packaged InnoSetup SFX which has an embedded trojanized mediaget.exe, update.exe. When run, it drops a trojanized unsigned version of mediaget.exe."

 

Once updated, the malicious BitTorrent software with additional backdoor functionality randomly connects to one (out of four) of its command-and-control (C&C) servers hosted on decentralized Namecoin network infrastructure and listens for new commands.
 

It then immediately downloads CoinMiner component from its C&C server, and start using victims' computers mine cryptocurrencies for the attackers.

Using C&C servers, attackers can also command infected systems to download and install additional malware from a remote URL.

The researchers found that the trojanized BitTorrent client, detected by Windows Defender AV as Trojan:Win32/Modimer.A, has 98% similarity to the original MediaGet binary.

Microsoft says behavior monitoring and AI-based machine learning techniques used by its Windows Defender Antivirus software have played an important role to detect and block this massive malware campaign.
 
 
Link to comment
Share on other sites
  • Replies 5
  • Views 1k
  • Created
  • Last Reply
  • Administrator
DKT27

DKT27

Posted
  • Administrator
Posted

Can anyone confirm the version number of the effected software. Is the version 2.01.3790 fixed version or the effected version here.

Link to comment
Share on other sites
sixoclock

sixoclock

Posted
Posted
6 hours ago, DKT27 said:

Can anyone confirm the version number of the effected software. Is the version 2.01.3790 fixed version or the effected version here.

 

 

AFAIK, it has not been fixed.  Check your sha-1 below:

Indicators of compromise (IOCs)

File name SHA-1 Description Signer Signing date Detection name
mediaget.exe 1038d32974969a1cc7a79c3fc7b7a5ab8d14fd3e Offical mediaget.exe executable GLOBAL MICROTRADING PTE. LTD. 2:04 PM 10/27/2017 PUA:Win32/MediaGet
mediaget.exe 4f31a397a0f2d8ba25fdfd76e0dfc6a0b30dabd5 Offical mediaget.exe executable GLOBAL MICROTRADING PTE. LTD. 4:24 PM 10/18/2017 PUA:Win32/MediaGet
update.exe 513a1624b47a4bca15f2f32457153482bedda640 Trojanized updater executable DEVELTEC SERVICES SA DE CV Trojan:Win32/Modimer.A
mediaget.exe 3e0ccd9fa0a5c40c2abb40ed6730556e3d36af3c,
fda5e9b9ce28f62475054516d0a9f5a799629ba8 		Trojanized mediaget.exe executable Not signed Trojan:Win32/Modimer.A
my.dat d84d6ec10694f76c56f6b7367ab56ea1f743d284 Dropped malicious executable  –  – TrojanDownloader:Win32/Dofoil.AB
wuauclt.exe 88eba5d205d85c39ced484a3aa7241302fd815e3 Dropped CoinMiner  –  – Trojan:Win32/CoinMiner.D
Link to comment
Share on other sites
gingerbread80

gingerbread80

Posted
Posted

Malware attack on 400k PCs caused by backdoored BitTorrent app

 

A recent malware campaign that attempted to install a resource-draining currency miner on more than 400,000 computers in 12 hours was caused by a malicious backdoor that was sneaked into a BitTorrent application called Mediaget, a Microsoft researcher said Tuesday.

The failed campaign is the latest example of what researchers call a supply-chain attack, which aims to infect large numbers of people by compromising a popular piece of hardware or software. Other examples of recent supply-chain attacks include a backdoored update of the CCleaner disk-maintenence program delivered to 2.27 million people, a tainted version of the Transmission BitTorrent client that installed ransomware on Macs, and a collection of malicious Android apps that came preinstalled on phones from two different manufacturers.

One of the more significant supply-chain attacks to come to light was the tampering of the update process for M.E.Doc, a tax-accounting application that's widely used in Ukraine. The compromised update seeded the NotPetya wiper worm, which shut down computers all over the world last July.

Last week, Microsoft researchers reported that the company's Windows Defender antivirus blocked more than 400,000 instances by several advanced trojans to infect computers primarily located in Russia, Turkey, and Ukraine. The trojans were new variants of the Dofoil malware, which also goes by the name Smoke Loader. (Smoke Loader, by the way, is the name of malware that AV provider Kaspersky Lab said infected a poorly secured computer in Maryland when it sent highly sensitive National Security Agency secrets to the Kaspersky Moscow headquarters.) The Dofoil trojans Microsoft analyzed caused infected computers to install a program called CoinMiner, which tried to use infected computer resources to mine cryptocurrencies for the attackers.

 

Read More

Link to comment
Share on other sites
bubbada

bubbada

Posted
Posted

back in the day it was about stuffing up pcs now they are making money off it.<_<

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...