15 Mar 2018

There was a massive malware outbreak last week which has infected almost half a million computers with cryptocurrency mining malware within few hours. It was caused by a backdoored version of the popular BitTorrent client named MediaGet.

The malware known as Dubbed Dofoil or the Smoke Loader was found putting a cryptocurrency miner program as payload on the infected Windows computers that mine Electroneum digital coins for attackers with the help of victims’ CPU cycles.

The Microsoft Windows Defender research department have discovered the Dofoil campaign which attacked the PCs in Russia, Turkey, and Ukraine on 6th March and have blocked the attack before creating severe destruction.

When this attack was detected it was not mentioned how the malware was delivered to a large number of PC’s within few hours’ time.

After conducting further investigation Microsoft revealed that the attackers have targeted the update mechanism of MediaGet BitTorrent software to push its trojanized version (mediaget.exe) to users’ computers.

It was reported in a blog today that a signed mediaget.exe downloads an update.exe program and runs it on the machine to install a new mediaget.exe. This new mediaget.exe program has the same functionality as the original but has an additional backdoor capability.

Researchers assume MediaGet that signed update.exe might be a victim of the supply chain attack. Also, the attackers signed the poisoned update.exe with a different certificate and successfully passed the validation required by the legitimate MediaGet.

When it is updated the malicious BitTorrent software with additional backdoor functionality randomly connects to one of its command-and-control (C&C) servers hosted on decentralized Namecoin network infrastructure and listens for new commands. It soon downloads the CoinMiner component from its C&C server and start using victims’ computers mine cryptocurrencies.

With the help of C&C servers, the intruders can also command infected systems to download and install additional malware from a remote URL.

The researchers discovered that the trojanized BitTorrent client, detected by Windows Defender AV was Trojan:Win32/Modimer.A, which has 98% similarity to the original MediaGet binary.
Microsoft have made use of its behaviour monitoring and Artificial Intelligence-based machine learning techniques of the Windows Defender Antivirus to detect and block this massive malware campaign.

Technical Writer,  Blogger,

Leave your thought