Dubbed Dofoil, or Smoke Loader, this malware drops cryptocurrency-mining programs onto infected Windows computers and lets attackers use the victims' CPU for mining.
Cryptocurrency-mining malware infected over 500,000 computers in just a few hours.
On March 6th, Windows Defender suddenly detected over 80,000 instances of several Dofoil variants, a concerning figure. In the following 12 hours alone, over 400,000 further cases were recorded.
Researchers found that these infections spread rapidly across countries including Russia, Turkey, and Ukraine, with the malware disguising itself as legitimate Windows binaries to avoid detection.
Dofoil uses a customizable mining application capable of mining various cryptocurrencies; in this campaign, however, the malware is configured to mine Electroneum specifically. With the rapid growth of the cryptocurrency market, thousands of cryptocurrency exchanges have been set up to meet demand, and the associated risks have grown with them. If you invest in any cryptocurrency, choose the most reputable exchange you can.
According to researchers, the Dofoil trojan uses a technique known as 'process hollowing': it starts a new instance of a legitimate process, replaces that process's code in memory with malicious code, and resumes it, so the malicious code runs in place of the original and process-monitoring tools believe the legitimate process is still running.
'The hollowed explorer.exe process then spins up a second malicious instance, which drops and runs the cryptocurrency-mining malware disguised as a legitimate Windows binary, wuauclt.exe.'
To stay hidden on the infected system long enough to mine Electroneum with the victim's computer resources, the Dofoil trojan then modifies the Windows registry.
'Process hollowed explorer.exe creates a copy of the original malicious software in the AppData Roaming directory and renames it to ditereah.exe,' researchers said. 'It then creates a registry key or edits an existing registry key to point to the newly created copy of the malicious software. In the sample we analyzed, the malware edited the OneDrive Run key.'
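The persistence pattern described above (a copy dropped under AppData\Roaming and a Run value, here the OneDrive one, pointed at it, plus a miner named after a Windows binary such as wuauclt.exe) can be checked for in an exported Run key. The following is an added example for defenders, not code from the article or from Microsoft; the registry export it scans is a constructed sample, and the file name ditereah.exe is the one the article reports.

```python
"""Flag suspicious Windows Run-key entries from a .reg export (added example).
Looks for the two traits the Dofoil campaign showed: autoruns pointing into
AppData\\Roaming, and system-binary names living outside the Windows directory."""
import re

# Legitimate Windows binary names this campaign impersonated.
SYSTEM_NAMES = {"wuauclt.exe", "explorer.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\")

# Constructed sample of a Run key as 'reg export' writes it (not real data).
SAMPLE_REG = r'''
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\alice\\AppData\\Roaming\\ditereah.exe"
"Updater"="\"C:\\Windows\\System32\\wuauclt.exe\" /quiet"
"Fake"="C:\\Users\\alice\\Downloads\\wuauclt.exe"
'''

VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')

def parse_run_values(reg_text):
    """Return {value_name: command string} with .reg escaping undone."""
    values = {}
    for line in reg_text.splitlines():
        m = VALUE_RE.match(line.strip())
        if m:
            values[m["name"]] = m["data"].replace('\\"', '"').replace("\\\\", "\\")
    return values

def image_path(command):
    """Extract the executable path from a Run command (quoted or bare)."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return command.split(" ")[0]

def classify(command):
    """Return the reasons an entry looks suspicious (empty list = clean)."""
    path = image_path(command).lower()
    reasons = []
    if "\\appdata\\roaming\\" in path:
        reasons.append("autorun from AppData\\Roaming")
    # basename by backslash, since this may run on a non-Windows analysis box
    if path.rsplit("\\", 1)[-1] in SYSTEM_NAMES and not path.startswith(SYSTEM_DIRS):
        reasons.append("system binary name outside Windows directory")
    return reasons

def suspicious_entries(reg_text):
    """Map each flagged Run value name to its list of reasons."""
    flagged = {}
    for name, command in parse_run_values(reg_text).items():
        reasons = classify(command)
        if reasons:
            flagged[name] = reasons
    return flagged
```

On a live system the same check applies to the HKLM Run key and to the Sysmon event 13 (registry value set) stream, where the value data field carries the same command string.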
Dofoil also connects to a command-and-control (C&C) server hosted on the Namecoin network infrastructure and listens for new commands, including instructions to install additional malware.
Microsoft stated that behavior monitoring and AI-based machine learning techniques play a crucial role in detecting and stopping campaigns that spread cryptocurrency-mining malware, such as this one, which infected over 500,000 computers in just a few hours.
To protect their devices, users should download and install up-to-date antivirus software, such as BKAV or KIS.
