Microsoft recently detected a rapidly spreading trojan intended to mine cryptocurrency using the infected PC’s CPU. The people behind the malware used it to mine the Electroneum coin, and given how quickly it spread, it would have brought in a lot of money for the people behind the scenes.
Cryptocurrency mining has become very popular over the years, especially since the crypto boom in 2017. However, one needs to invest a lot of money into a mining PC in order to make a decent amount of money through mining. Some cryptocurrencies which are still relatively new are easier to mine and some can even be mined using regular PCs. With the recent malware outbreak and the news of another incident where $2 million worth of mining PCs were stolen, it seems that thieves are making the transition from hacking to mining.
What Happened?
The trojan, in this case, is known as Dofoil, or Smoke Loader. The malware drops cryptocurrency mining software onto your unsuspecting PC, which then uses your computer’s CPU power to mine the Electroneum coin, a relatively new cryptocurrency that is fairly easy to mine. The mined tokens go to the people who deployed the trojan. Therefore, had the trojan spread any further, the people behind the virus could have made a lot of money.
The malware spread in a matter of just a few hours. It was initially detected by Windows Defender, which at the time saw only 80,000 instances of the virus. However, in just 12 hours’ time, the number quickly grew to 400,000 and the malware had reached Russia, Turkey, and Ukraine. Had Microsoft not taken action, it could easily have multiplied into millions.
The trojan first uses a technique known as “process hollowing” against the PC’s ‘explorer.exe’ executable. A new explorer.exe process is started, but its memory is replaced with the malware’s code, i.e. the cryptocurrency mining tool, so the malicious code runs under the name of a legitimate Windows process.
“The hollowed explorer.exe process then spins up a second malicious instance, which drops and runs a coin-mining malware masquerading as a legitimate Windows binary, wuauclt.exe,” said Mark Simos, a cybersecurity architect at Microsoft.
Process hollowing usually goes undetected by antivirus software, and the malware typically spreads after the victim downloads legitimate-looking software. Once the new explorer.exe is running with the malware’s code, Dofoil modifies the Windows registry so that your computer launches the new instance of explorer.exe instead of the original one. From there, your PC is infected and the attackers can make money from your computer’s CPU. Microsoft’s Mark Simos explains the process well:
“The hollowed explorer.exe process creates a copy of the original malware in the Roaming AppData folder and renames it to ditereah.exe. It then creates a registry key or modifies an existing one to point to the newly created malware copy. In the sample we analyzed, the malware modified the OneDrive Run key.”
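A defender’s check built around the persistence step the quote describes, added here as an example and not taken from Microsoft’s analysis: it parses a constructed `reg query` style listing of the per-user Run key and flags values that launch from Roaming AppData or that carry a Windows binary name such as wuauclt.exe from outside the Windows directory. The sample entries, the file names other than ditereah.exe and wuauclt.exe, and the name lists are constructed assumptions.

```python
import re

# Constructed sample of a per-user Run key listing, in the layout `reg query` prints.
# The OneDrive -> ditereah.exe entry mirrors what the article describes; the rest is made up.
SAMPLE_RUN_KEY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive          REG_SZ           "C:\Users\alice\AppData\Roaming\ditereah.exe"
    Discord           REG_SZ           C:\Users\alice\AppData\Local\Discord\Update.exe --processStart Discord.exe
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    Updater           REG_SZ           C:\Users\alice\AppData\Roaming\svc\wuauclt.exe -run
"""

# Windows binary names worth checking for impersonation (assumed list); they belong under %windir%.
SYSTEM_BINARY_NAMES = {"wuauclt.exe", "explorer.exe", "svchost.exe"}
WINDOWS_DIR_PREFIXES = ("%windir%\\", "%systemroot%\\", "c:\\windows\\")

# One value line: indentation, value name, REG_* type, data.
VALUE_LINE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.+?)\s*$")


def parse_run_values(listing):
    """Return (name, type, data) tuples for each value line of a `reg query` style dump."""
    return [m.groups() for m in map(VALUE_LINE.match, listing.splitlines()) if m]


def executable_path(data):
    """Extract the launched executable from a Run value: a quoted path, or the first token."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:data.find('"', 1)]
    return data.split()[0]


def suspicious_run_entries(listing):
    """Flag Run values that launch from Roaming AppData or impersonate a Windows binary."""
    findings = []
    for name, _type, data in parse_run_values(listing):
        path = executable_path(data).lower()
        reasons = []
        if "\\appdata\\roaming\\" in path:
            reasons.append("launches from Roaming AppData")
        if path.rsplit("\\", 1)[-1] in SYSTEM_BINARY_NAMES and not path.startswith(WINDOWS_DIR_PREFIXES):
            reasons.append("Windows binary name outside the Windows directory")
        if reasons:
            findings.append((name, path, reasons))
    return findings


if __name__ == "__main__":
    for name, path, reasons in suspicious_run_entries(SAMPLE_RUN_KEY):
        print(f"{name}: {path} -> {'; '.join(reasons)}")
```

On a real machine the listing would come from `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run`, and a hit is a lead to investigate, not proof of infection.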
There have been many cryptocurrency-related attacks before, but they were mostly online attacks on exchanges that resulted in large amounts being stolen. However, those attacks carry far more risk than sneaking a trojan into someone’s computer. Trojans like Dofoil can easily slip past antivirus software and can be spread quite easily. Moreover, it’s not easy to catch the attackers, and there’s also less risk of failure.
Even though Microsoft was able to stop the malware from spreading further, the trojan had spread to 400,000 PCs which could have mined at least some cryptocurrency for the attackers. This is why attackers are shifting to mining-related attacks now.
If this latest attack was a sign of things to come, then Microsoft must find ways to protect its Windows users from being manipulated since it’s really easy to get infected with a trojan without you ever finding out. Antivirus companies will have to step up their game as well in order to prevent future attacks.