Windows Defender Antivirus Prevents Major Cryptocurrency Mining Dofoil Attack

A new report suggests that Microsoft’s Windows Defender antivirus successfully thwarted a major dofoil attack that occurred on March 6, 2018.

Global Crypto Mining Attack

The Seattle-based software firm confirmed in a blog post that the attack targeted over 800,000 computers primarily across mainland Russia. Within twenty-four hours of the initial outbreak, instances of this new trojan were also reported in Turkey and Ukraine.

The smoke loader attack, also known as a ‘dofoil attack,’ carried a miner payload that was supposed to run in the background and utilize the processing resources of the host computer to mine cryptocurrencies.

It is reported that the malware was programmed to remain in a dormant state for some time before executing. Once activated, however, it would indefinitely mine digital coins without the knowledge of the user. Dofoil belongs to the family of trojans that connect to a remotely located server to download and execute files.

Security experts at Microsoft have said that “Behavior-based signals coupled with cloud-powered machine learning models uncovered this new wave of infection attempts.”

As soon as the attack was first spotted, Windows Defender blocked the threats within milliseconds using its cloud-based machine learning models.

Moments later, it was confirmed that similar attacks had been reported across many networks worldwide. The alert level was raised to severe and cybersecurity experts then classified it as a proper malware attack.

Experts have added that all computers running Windows Defender antivirus are safe from this attack, which means that the average modern Windows machine is entirely immune.

New Attack Vector: Phishing and Mining

In recent times, hacker groups have begun modifying malware to mine cryptocurrencies instead of simply wreaking havoc. There have also been cases of in-browser mining where a compromised website forces its visitors to mine cryptocurrencies.


The drawing of excessive processor cycles by a webpage makes the user’s computer unusable but allows the perpetrators to benefit immensely.

Digital tokens seem like a more viable reward for hackers as they can exploit the fundamental characteristics of some currencies like Monero, which obfuscates the identity of the transacting parties.

Hackers target a broad audience by sending an infected file or a link to a corrupted file that is located on some remote server. When a user downloads the file onto his computer, the malware infects the system and performs its duties.

The dofoil attack was programmed to work using ‘process hollowing.’ Process hollowing is the replacing of legitimate parts of the code with those of malware.

In this instance, the attack was programmed to perform process hollowing on the explorer.exe file. The attack replaced the original files at C:\Windows\syswow64\explorer.exe with its version of it.

The malware reportedly connected to a remote server and downloaded ‘Trojan:Win32/Dofoil.AB‘ and ‘Trojan:Win32/CoinMiner.D‘ files and saved them to a location on the host computer, where it was kept it hidden to run in the background.

This is not the first instance of cyber hackers targeting computers to mine cryptocurrencies. Furthermore, on two separate occasions, McAfee discovered and prevented cyber attacks targeting cryptocurrency users and financial institutions.

On February 12, 2018, McAfee reported that the Lazarus cyber attacking group had attempted to spread malware on computers and devices worldwide.

Source: Read Full Article

Leave a Reply

click fraud detection