Disruption of a large-scale hacker attack on Windows users in Russia

Original author: Windows Defender Research
  • Translation
On March 6, Windows Defender Antivirus blocked more than 80,000 instances of several sophisticated trojans that injected malicious code into the address space of legitimate processes and used equally sophisticated persistence and evasion mechanisms. The new wave of infection attempts was identified thanks to signals from behavior-based detection combined with cloud-based machine learning models.

A second part, with a detailed description of the attack and its infection vectors, follows separately.

The trojans used in the attack were new variants of Dofoil (also known as Smoke Loader), which tried to install cryptocurrency-mining malware on infected devices. Over the next 12 hours, more than 400,000 attacks were recorded, 73% of them in Russia, 18% in Turkey and 4% in Ukraine.

The geographic distribution of the components of the Dofoil attack.

At the very beginning of the attack, behavior monitoring in Windows Defender Antivirus detected an unusual persistence mechanism and immediately sent a signal to our cloud protection service.

  1. Within milliseconds, multiple metadata-based machine learning models in the cloud began blocking the threat on first sight.
  2. Within seconds, our sample-analysis-based and detonation-based machine learning models confirmed the malicious classification. Within minutes, the detonation-based models added further confirmation of the earlier verdicts.
  3. Within minutes of the start of the attack, the anomaly detection service notified our analysts of a new potential outbreak.
  4. After analysis, our response team assigned the threats of this new wave their proper malware family names. Users whose devices blocked the threat at the very start of the campaign therefore saw it under the names assigned by the machine learning systems (for example Fuery, Fuerboos, Cloxer or Azden); those whose devices blocked it later saw the family names Dofoil or Coinminer.

Users of Windows 10, Windows 8.1 and Windows 7 running Windows Defender Antivirus or Microsoft Security Essentials are fully protected against this outbreak.

Multi-layered, machine-learning-based protection in Windows Defender Antivirus
Artificial intelligence and behavior-based threat detection are the foundation of Windows Defender protection. The proactive, AI-based defense applied against this attack is the same layered machine learning protection that stopped an Emotet outbreak last month.

Code injection and cryptocurrency mining

Dofoil is the latest malware family to incorporate coin miners into its attacks. With bitcoin and other cryptocurrencies still valuable, attackers are taking advantage of the opportunity and adding mining components to their attacks: some exploit kits now deliver coin miners instead of ransomware, mining scripts are injected into fraudulent tech-support sites, and mining capabilities are being added to some banking trojans.

The starting point of the Dofoil campaign we discovered on March 6 was a trojan that performs process hollowing on explorer.exe. Process hollowing is a code injection technique in which a new instance of a legitimate process (in this case c:\windows\syswow64\explorer.exe) is created and its code is replaced with malicious code.

Windows Defender ATP detection of the process hollowing (SHA-256: d191ee5b20ec95fe65d6708cbb01a6ce72374b309c9bfb7462206a0c7e039f4d, detected by Windows Defender Antivirus as TrojanDownloader:Win32/Dofoil.AB).
The hollowed explorer.exe process then spins up a second malicious instance, which drops and runs a coin-mining program masquerading as the legitimate Windows binary wuauclt.exe.

Windows Defender ATP detection of the coin-mining malware (SHA-256: 2b83c69cf32c5f8f43ec2895ec9ac730bf73e1b2f37e44a3cf8ce814fb51f120, also detected by Windows Defender Antivirus).
Even though the binary uses the name of a legitimate Windows binary, it runs from a location where the genuine wuauclt.exe is never found, and its command line does not match that of the genuine binary. In addition, the network traffic generated by this binary is suspicious.
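The three observations above (wrong directory, anomalous command line, then network activity) translate directly into a hunting check over process telemetry. The following is an added example, not Microsoft's detection logic and not code from the original post: the allow-list of expected directories, the command-line pattern for a genuine wuauclt.exe launch and the process records themselves (including the miner's command line) are constructed for illustration.

```python
"""Flag processes that borrow the name of a Windows system binary but run
from the wrong directory or with an unexpected command line.

Added example for this article, not Microsoft's detection logic.  The
expected directories, the command-line pattern and the process records are
constructed for illustration (the miner's command line is invented)."""
import re
from pathlib import PureWindowsPath

# Hypothetical allow-list: directories where the genuine binary lives.
EXPECTED_DIRS = {
    "wuauclt.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "explorer.exe": {r"c:\windows", r"c:\windows\syswow64"},
}

# Hypothetical shape of a legitimate launch: the image, optionally quoted,
# followed only by slash-style switches such as /detectnow.
EXPECTED_CMDLINE = {
    "wuauclt.exe": re.compile(r'^"?[^"]*wuauclt\.exe"?(\s+/\w+)*\s*$', re.I),
}


def check_process(proc):
    """Return the reasons (possibly none) a process record looks like a
    masquerading binary."""
    path = PureWindowsPath(proc["image"])
    name = path.name.lower()
    parent_dir = str(path.parent).lower()
    reasons = []
    if name in EXPECTED_DIRS and parent_dir not in EXPECTED_DIRS[name]:
        reasons.append(f"{name} running from {parent_dir}")
    pattern = EXPECTED_CMDLINE.get(name)
    if pattern and not pattern.match(proc["cmdline"]):
        reasons.append(f"{name} launched with unexpected command line")
    return reasons


def hunt(processes):
    """Map pid -> reasons for every process that trips at least one check."""
    findings = {}
    for proc in processes:
        reasons = check_process(proc)
        if reasons:
            findings[proc["pid"]] = reasons
    return findings


# Constructed telemetry, not real samples.
SAMPLE = [
    {"pid": 1204, "image": r"C:\Windows\System32\wuauclt.exe",
     "cmdline": r'"C:\Windows\System32\wuauclt.exe" /detectnow'},
    {"pid": 5320, "image": r"C:\Users\alice\AppData\Roaming\wuauclt.exe",
     "cmdline": r'"C:\Users\alice\AppData\Roaming\wuauclt.exe" -o pool.example:3333 -u wallet'},
    {"pid": 2288, "image": r"C:\Windows\SysWOW64\explorer.exe",
     "cmdline": r"C:\Windows\SysWOW64\explorer.exe"},
]

if __name__ == "__main__":
    for pid, reasons in hunt(SAMPLE).items():
        print(pid, "; ".join(reasons))
```

Only the copy in the roaming profile is reported, on both counts. Note that the hollowed explorer.exe passes this check: its image path and command line are those of the real binary, which is exactly why the text relies on its behaviour (the child it spawns and its network connections) rather than on its static attributes.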

Windows Defender ATP alert process tree: anomalous IP traffic
Suspicious network activity displayed in Windows Defender ATP

Windows Defender ATP alert process tree: the hollowed explorer.exe process creating suspicious connections
Dofoil uses a customized mining application. Judging by the code, it supports NiceHash, which means it can mine various cryptocurrencies. The samples we analyzed mined Electroneum.


Persistence is an important feature of coin-mining malware. Such programs use a variety of tricks to remain unnoticed for a long time and mine cryptocurrency on stolen computing resources.

To persist, Dofoil modifies the registry. The hollowed explorer.exe process creates a copy of the original malware in the Roaming AppData folder under the name ditereah.exe. It then creates a new registry key, or modifies an existing one, to point to the newly created copy. In the sample we analyzed, the malware modified the OneDrive Run key.
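The persistence described here leaves a concrete artifact: a Run value whose name looks like a legitimate product but whose data points into the roaming profile. As an added example (not Microsoft's code and not from the original post), the following parses a `reg export` of the current user's Run key and flags such entries. The .reg text is constructed to imitate the entry described above next to two ordinary ones; the product-name list is an assumption.

```python
"""Parse a `reg export` of the current user's Run key and flag autostart
entries that live in the roaming profile or in a temp folder, noting when
the value name reuses a well-known product name.

Added example for this article, not Microsoft's code.  The .reg text below
is constructed: it imitates the persistence described in the text (a copy
in the roaming AppData folder registered through the OneDrive Run value)
next to two ordinary entries.  The product-name list is an assumption."""
import re
from pathlib import PureWindowsPath

# Constructed export.  On disk reg.exe writes UTF-16; this is the decoded text.
REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Roaming\\ditereah.exe\""
"Teams"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\Teams\\Update.exe --processStart \"Teams.exe\""
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
'''

VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')
PRODUCT_NAMES = {"onedrive", "teams", "securityhealth"}      # assumed list
SUSPICIOUS_DIRS = ("\\appdata\\roaming\\", "\\temp\\")       # assumed list


def parse_run_values(text):
    """Yield (value name, unescaped data) for string values under the Run key."""
    in_run = False
    for line in text.splitlines():
        if line.startswith("["):
            in_run = line.rstrip("]").lower().endswith("\\currentversion\\run")
            continue
        m = VALUE_RE.match(line) if in_run else None
        if m:
            # .reg files escape backslash and double quote with a backslash.
            yield m.group("name"), re.sub(r"\\(.)", r"\1", m.group("data"))


def image_path(data):
    """Extract the executable path from a Run value, quoted or bare."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:data.index('"', 1)]
    return data.split(" ")[0]


def flag_entries(text):
    """Return {value name: reason} for autostart entries worth a look."""
    findings = {}
    for name, data in parse_run_values(text):
        path = PureWindowsPath(image_path(data))
        low = str(path).lower()
        if any(d in low for d in SUSPICIOUS_DIRS):
            reason = f"autostart from {path}"
            if name.lower() in PRODUCT_NAMES:
                reason += " (value name reuses a known product name)"
            findings[name] = reason
    return findings


if __name__ == "__main__":
    for name, reason in flag_entries(REG_EXPORT).items():
        print(f"{name}: {reason}")
```

The genuine OneDrive Run value points into AppData\Local, so a rule keyed on the roaming profile does not fire on it; the value name alone is not evidence, which is why the name check only annotates a finding rather than producing one.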

Windows Defender ATP alert process tree: creation of a new malicious process (SHA-256: d191ee5b20ec95fe65d6708cbb01a6ce72374b309c9bfb7462206a0c7e039f4d) and registry modification

Command-and-control communication

Dofoil is a robust family of trojan downloaders: they connect to command-and-control (C&C) servers from which they receive commands to download and install malware. In the March 6 campaign, the Dofoil trojans used the decentralized Namecoin network infrastructure for C&C communication.

The hollowed explorer.exe process writes and runs another binary, D1C6.tmp.exe (SHA-256: 5f3efdc65551edb0122ab2c40738c48b677b1058f7dfcdb86b05af42a2d8299c), in the Temp folder. This file in turn creates and runs a copy of itself under the name lyk.exe. The lyk.exe process connects to IP addresses that act as DNS proxies for the Namecoin network and then tries to reach the C&C server vinik.bit in the Namecoin infrastructure. The C&C server can instruct the malware to connect to or disconnect from an IP address, download a file from a given URL, execute a given file, terminate, or sleep for a period of time.

Windows Defender ATP alert process tree: creation of the temporary file D1C6.tmp.exe (SHA-256: 5f3efdc65551edb0122ab2c40738c48b677b1058f7dfcdb86b05af42a2d8299c)
Windows Defender ATP alert process tree: lyk.exe connecting to IP addresses
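A .bit name cannot be resolved through the public DNS root, so a client has to send its DNS traffic to a Namecoin proxy instead of the machine's configured resolver. That gives two generic signals that do not depend on knowing the proxy addresses: a DNS query for a .bit name, and port-53 traffic to a host that is not a configured resolver. The following is an added example, not Microsoft's detection logic and not from the original post; the events are constructed in a Sysmon-like shape, and the resolver address, destination address and process paths are placeholders.

```python
"""Hunt for Namecoin-style C&C traffic in endpoint network telemetry:
DNS queries for .bit names, and DNS (port 53) traffic sent to a host that is
not one of the machine's configured resolvers, which is how a client reaches
a Namecoin DNS proxy.

Added example for this article, not Microsoft's detection logic.  Events
are constructed in a Sysmon-like shape (DNS query and network connection);
the resolver address, destination address and process paths are placeholders."""
import ipaddress

CONFIGURED_RESOLVERS = {ipaddress.ip_address("10.0.0.53")}   # assumed
ALT_ROOT_TLDS = {"bit"}   # Namecoin's .bit is not served by the public DNS root


def suspicious_dns_name(name):
    """True when the name can only be resolved through an alternative root."""
    labels = name.rstrip(".").lower().split(".")
    return len(labels) >= 2 and labels[-1] in ALT_ROOT_TLDS


def scan(events):
    """Return (process, reason) pairs for events that match either rule."""
    findings = []
    for ev in events:
        if ev["type"] == "dns_query" and suspicious_dns_name(ev["query"]):
            findings.append((ev["process"], f"query for Namecoin name {ev['query']}"))
        elif ev["type"] == "net_conn" and ev["dst_port"] == 53:
            dst = ipaddress.ip_address(ev["dst_ip"])
            if dst not in CONFIGURED_RESOLVERS:
                findings.append((ev["process"], f"DNS traffic to non-resolver {dst}"))
    return findings


# Constructed telemetry, not real samples.
FIREFOX = r"C:\Program Files\Mozilla Firefox\firefox.exe"
LYK = r"C:\Users\alice\AppData\Local\Temp\lyk.exe"   # placeholder location
SAMPLE_EVENTS = [
    {"type": "dns_query", "process": FIREFOX, "query": "www.example.com"},
    {"type": "net_conn", "process": FIREFOX, "dst_ip": "10.0.0.53", "dst_port": 53},
    {"type": "net_conn", "process": LYK, "dst_ip": "203.0.113.7", "dst_port": 53},
    {"type": "dns_query", "process": LYK, "query": "vinik.bit"},
]

if __name__ == "__main__":
    for process, reason in scan(SAMPLE_EVENTS):
        print(f"{process}: {reason}")
```

The second rule will also fire on software that deliberately bypasses the system resolver, so in practice it is scoped to processes that should not be doing DNS on their own; a freshly dropped binary in Temp talking to port 53 is the case worth alerting on.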

Real-time protection in Windows 10

As cryptocurrency values rise, cybercriminal groups are launching more attacks aimed at penetrating networks and mining covertly.

Windows Defender Antivirus uses a multi-layered approach to security. Behavior-based detection, generic signatures and heuristics, and machine learning models both on the client and in the cloud provide real-time protection against new threats and outbreaks.

As this example shows, Windows Defender Advanced Threat Protection (WDATP) raises alerts on the malicious behavior associated with installation, code injection, persistence mechanisms and coin-mining activity. Security operations teams can use the rich WDATP detection libraries to spot anomalous network activity and take the necessary action. WDATP also integrates protections from Windows Defender Antivirus, Windows Defender Exploit Guard and Windows Defender Application Guard, simplifying security management.