Disruption of a large-scale hacker attack on Windows users in Russia: part 2

Original author: Windows Defender Research
  • Translation
Recently we prevented a massive attack using the Dofoil Trojan, whose purpose was to install cryptocurrency-mining malware on hundreds of thousands of computers. Using behavioral monitoring, machine learning models, and a multi-layered protection system, Windows Defender antivirus was able to detect and block the attack within milliseconds.

Today we describe the attack itself and the infection paths in more detail, and share the timeline. Read on for the details.

Immediately after detecting the attack, we were able to determine exactly where the huge number of attempts to install the malware came from. Typically, the Dofoil Trojan (also known as Smoke Loader) is distributed in a variety of ways, including spam messages and exploit kits. The attack that began on March 6 used a different scheme: most of the malicious files were created by the mediaget.exe process.

This process belongs to MediaGet, a BitTorrent client that we classify as a potentially unwanted application (PUA). Users often use MediaGet to search for and download programs and multimedia files from sites with a dubious reputation. Using such file-sharing applications increases the risk of downloading malware.

However, having studied the attack, we concluded that the Dofoil crypto-miner infection is not related to downloading torrent files; we had not previously observed such a scheme in other file-sharing applications. The mediaget.exe process always wrote the Dofoil samples to the %TEMP% folder under the name my.dat. The most common source of the infection was the file %LOCALAPPDATA%\MediaGet2\mediaget.exe (SHA-1: 3e0ccd9fa0a5c40c2abb40ed6730556e3d36af3c).

Recommended reading: for statistics on the attack, useful background and Windows Defender response data, see the article Disrupting a large-scale hacker attack on Windows users in Russia.

Timeline of an attack

A comprehensive study of the Dofoil attack launched on March 6 revealed that it was a carefully planned campaign that the attackers had been preparing since mid-February. To carry out the plan, the attackers first pushed a trojanized update of the MediaGet program, which users installed on their computers. The timeline below shows the main events of the Dofoil attack.

Fig. 1. Timeline of the attack via MediaGet

MediaGet software update infection

The poisoning of the MediaGet update, which eventually led to the mass attack, is described in the following diagram. The trusted mediaget.exe application downloads the update.exe executable and runs it on the computer to install a new instance of mediaget.exe. The new mediaget.exe instance has all the functions of the genuine one, but it also contains a backdoor.

Fig. 2. Update procedure for the poisoned update file
The entire installation procedure for the poisoned update file is recorded by the Windows Defender ATP service. The following process tree shows how the mediaget.exe process downloads and runs the signed but trojanized update.exe file.

Fig. 3. Detection of the malicious update process in Windows Defender ATP

Infected update.exe file

The downloaded update.exe is an InnoSetup self-extracting (SFX) package that embeds the trojanized mediaget.exe. When launched, this executable drops the unsigned, trojanized version of mediaget.exe.

Fig. 4. Certificate data of the poisoned update.exe file

Update.exe is signed by a third-party software developer not affiliated with MediaGet (this company is likely itself a victim of the attackers). The executable carries code signed with a different certificate, and its only task is to satisfy the same signature-verification requirement as the original mediaget.exe. The update code checks the certificate data, confirming that the file is validly signed; if it is, the code then checks whether the file's hash matches the value received from the hash server in the mediaget.com infrastructure. Because the check confirms only that the file carries a valid signature, and does not pin the signer to MediaGet's own publisher, a file signed with an unrelated certificate passes. The following illustration shows the code snippet that validates the signature of the update.exe file.

Fig. 5. mediaget.exe update code
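The gap in that check, shown as an added example (not MediaGet's updater code): a PowerShell function that contrasts the "is it validly signed?" test described above with one that pins the expected publisher and verifies a hash obtained out of band. The path, thumbprint and hash values are placeholders.

```powershell
function Test-UpdateBinary {
    param(
        [Parameter(Mandatory)] [string] $Path,                    # update file to check (placeholder path below)
        [Parameter(Mandatory)] [string] $PinnedSignerThumbprint,  # placeholder: thumbprint of YOUR publisher certificate
        [Parameter(Mandatory)] [string] $ExpectedSha256           # placeholder: hash obtained from YOUR update server
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # Weak check, as described for update.exe: "does the file carry a valid
    # Authenticode signature?" A binary signed with any trusted code-signing
    # certificate, including a stolen or unrelated one, passes this test.
    $weakPass = ($sig.Status -eq 'Valid')

    # Hardened check: the signature must be valid AND the signing certificate
    # must be the one we pinned, AND the file hash must match the value that
    # was obtained out of band (not derived from the file itself).
    $signerPinned = ($weakPass -and
                     ($null -ne $sig.SignerCertificate) -and
                     ($sig.SignerCertificate.Thumbprint -eq $PinnedSignerThumbprint))
    $actualSha256 = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    $hashMatches  = ($actualSha256 -eq $ExpectedSha256)

    [pscustomobject]@{
        Path            = $Path
        SignatureStatus = $sig.Status
        Signer          = $(if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' })
        WeakCheckPasses = $weakPass
        HardenedPasses  = ($signerPinned -and $hashMatches)
    }
}

# A file signed by an unrelated publisher reports WeakCheckPasses = True but
# HardenedPasses = False; only a file from the pinned signer with the expected
# hash passes both. Replace the placeholder values before use.
Test-UpdateBinary -Path 'C:\path\to\update.exe' `
    -PinnedSignerThumbprint 'PLACEHOLDER_THUMBPRINT' `
    -ExpectedSha256 'PLACEHOLDER_SHA256'
```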

Trojan infected file mediaget.exe

The trojanized mediaget.exe, detected by Windows Defender AV as Trojan:Win32/Modimer.A, performs the same functions as the original file, but it is unsigned and contains a backdoor. This malicious binary is 98% identical to the original MediaGet binary. As the following PE data shows, the trojanized executable carries different PDB information and a different file path.

Fig. 6. Comparison of the PDB paths of the signed and the trojanized executable
When the malware runs, it builds a list of command-and-control (C&C) servers.

Fig. 7. List of C&C servers

Regarding the embedded C&C list, it is important to note that the .bit top-level domain is not an ICANN-sanctioned TLD; it is served by the NameCoin infrastructure, a decentralized, blockchain-based alternative DNS root that provides anonymous domains. Since .bit names cannot be resolved by standard DNS servers, the malware embeds a list of 71 IPv4 addresses that it uses as NameCoin DNS servers.

The malware then uses these NameCoin servers for DNS lookups of the .bit domains. From that point on, the names are held in the computer's DNS cache, and all subsequent lookups are resolved without contacting the NameCoin DNS servers.
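Two hunting checks derived from that resolution behaviour, as an added example that is not part of the original post: it runs over constructed sample records (not real telemetry) whose field names follow Sysmon's DnsQuery and NetworkConnect events; the resolver and client addresses and the .bit name are placeholders.

```powershell
# Placeholder: the DNS servers your clients are supposed to use.
$ApprovedResolvers = @('10.0.0.53', '10.0.1.53')

function Find-SuspiciousDns {
    param([object[]] $DnsQueries, [object[]] $NetConnections, [string[]] $Resolvers)

    # Check 1: a query for a name under .bit is suspicious on its own, because
    # no ICANN resolver serves that TLD; only NameCoin-backed servers can answer.
    $bitQueries = @($DnsQueries | Where-Object { $_.QueryName -match '\.bit$' })

    # Check 2: port-53 traffic to a host that is not a sanctioned resolver.
    # This is how the malware reaches its embedded NameCoin servers, and it is
    # visible even when the queried name itself is never logged.
    $rogueResolverUse = @($NetConnections | Where-Object {
        ($_.DestinationPort -eq 53) -and ($Resolvers -notcontains $_.DestinationIp)
    })

    [pscustomobject]@{
        BitDomainQueries = $bitQueries
        RogueResolverUse = $rogueResolverUse
    }
}

# Constructed sample records (not real telemetry); 203.0.113.7 is a documentation address.
$dnsQueries = @(
    [pscustomobject]@{ Image = 'C:\Windows\System32\svchost.exe'; QueryName = 'www.microsoft.com' },
    [pscustomobject]@{ Image = 'C:\Users\u\AppData\Local\MediaGet2\mediaget.exe'; QueryName = 'c2-example.bit' }
)
$netConnections = @(
    [pscustomobject]@{ Image = 'C:\Windows\System32\svchost.exe'; DestinationIp = '10.0.0.53'; DestinationPort = 53 },
    [pscustomobject]@{ Image = 'C:\Users\u\AppData\Local\MediaGet2\mediaget.exe'; DestinationIp = '203.0.113.7'; DestinationPort = 53 }
)

$hits = Find-SuspiciousDns -DnsQueries $dnsQueries -NetConnections $netConnections -Resolvers $ApprovedResolvers
$hits.BitDomainQueries | Format-Table Image, QueryName      # flags the mediaget.exe .bit lookup
$hits.RogueResolverUse | Format-Table Image, DestinationIp  # flags the port-53 contact to 203.0.113.7
```

Because the malware caches the names it resolves, the contact with a rogue resolver may occur only once per host, so treat a single hit as significant rather than looking for volume.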

The first call to the C&C server occurs one hour after the program starts.

Fig. 8. Timer that starts the connection to the C&C server
The malware selects one of the four C&C servers and uses the HTTP protocol for the command-and-control exchange.

Fig. 9. Connection to the C&C server
The backdoor code collects information about the system and sends it to the C&C server in a POST request.

Fig. 10. System information
The C&C server returns various commands to the client. The response shown below contains the HASH, IDLE, and OK commands. The IDLE command tells the malware to wait for the specified period (in seconds; for example, 7200 seconds = 2 hours) before contacting the C&C server again.

Fig. 11. Command-and-control commands
One of the backdoor commands is RUN, which takes a URL from the C&C server's command line. The malware then downloads the file from that URL, saves it as %TEMP%\my.dat, and launches it.

Fig. 12. RUN command processing code
This RUN command has been used to distribute the Dofoil Trojan since March 1, and was used in the March 6 attack. The Windows Defender ATP alert process tree shows the communication between the malicious mediaget.exe process and goshan.online, one of the confirmed C&C servers. The malware then drops and runs the my.dat (Dofoil) file, which in turn drops the CoinMiner component.

Fig. 13. Dofoil and CoinMiner download and execution process

Fig. 14. Windows Defender ATP alert process tree
As part of the attack, the Dofoil Trojan was used to deliver the CoinMiner malware, which uses the resources of users' computers to mine cryptocurrency for the attackers. During the attack, Dofoil used sophisticated code-injection techniques, persistence mechanisms, and detection-evasion methods. Windows Defender ATP successfully detects this behavior at every stage of the infection.

Fig. 15. Detection of Dofoil process injection in Windows Defender ATP
We reported the results of our research to the MediaGet developers to help them correctly analyze the incident.

We also told the certificate holders how their code signing certificate was used by attackers in the update.exe file (fingerprint: 5022EFCA9E0A9022AB0CA6031A78F66528848568).

Real-time protection against threats

The carefully planned and pre-prepared Dofoil campaign discovered on March 6 is a prime example of the multi-stage cyberattacks that are increasingly common today. Everyday cybercrime now uses sophisticated techniques that were previously associated with advanced attacks. Windows Defender Advanced Threat Protection (Windows Defender ATP) provides an advanced set of next-generation security tools that protect customers in real time against a wide variety of attacks.

Enterprise customers running Windows Defender AV with potentially unwanted application (PUA) protection enabled were protected from the trojanized MediaGet software, which turned out to be the source of the March 6 attack.

Windows Defender AV provides reliable protection for customers against attacks using Dofoil. Behavioral monitoring and analysis technologies flagged Dofoil's unusual persistence mechanism and immediately sent a signal to the cloud protection service, where numerous machine learning models blocked most of the detected instances at first sight.

A comprehensive analysis of the attack also showed that the advanced detection libraries in Windows Defender ATP flagged Dofoil's malicious behavior at every stage of the infection, including code injection, detection-evasion methods, and the dropping of cryptocurrency-mining components. Security professionals can use the Windows Defender ATP platform to detect attacks and respond to them effectively. Windows Defender ATP also integrates the protection built into Windows Defender AV, Windows Defender Exploit Guard and Windows Defender Application Guard, providing seamless security management across every layer.

Indicators of compromise (IOCs)

| File name | SHA-1 | Description | Signer | Signing date | Detection name |
|---|---|---|---|---|---|
| mediaget.exe | 1038d32974969a1cc7a79c3fc7b7a5ab8d14fd3e | Official mediaget.exe executable | GLOBAL MICROTRADING PTE. LTD. | 2:04 PM 10/27/2017 | PUA:Win32/MediaGet |
| mediaget.exe | 4f31a397a0f2d8ba25fdfd76e0dfc6a0b30dabd5 | Official mediaget.exe executable | GLOBAL MICROTRADING PTE. LTD. | 4:24 PM 10/18/2017 | PUA:Win32/MediaGet |
| update.exe | 513a1624b47a4bca15f2f32457153482bedda640 | Trojanized update executable | DEVELTEC SERVICES SA DE CV | - | Trojan:Win32/Modimer.A |
| mediaget.exe | 3e0ccd9fa0a5c40c2abb40ed6730556e3d36af3c | Trojanized mediaget.exe executable | Not signed | - | Trojan:Win32/Modimer.A |
| my.dat | d84d6ec10694f76c56f6b7367ab56ea1f743d284 | Dropped malicious executable | - | - | TrojanDownloader:Win32/Dofoil.AB |
| wuauclt.exe | 88eba5d205d85c39ced484a3aa7241302fd815e3 | Dropped CoinMiner executable | - | - | Trojan:Win32/CoinMiner.D |