Microsoft Thwarts Massive Malware Campaign Impacting Thousands of Machines
Microsoft recently prevented a large-scale campaign that could have affected tens of thousands of machines worldwide. On March 6, Windows Defender AV successfully blocked over 80,000 instances of advanced Trojans with complex injection techniques, persistence methods, and evasion tactics. These Trojans, identified as new variants of Dofoil (Smoke Loader), contained a coin-miner payload. Within the following 12 hours, an additional 400,000 instances were recorded, with the majority (73%) located in Russia, 18% in Turkey, and 4% in Ukraine.
Advanced Techniques Used by Dofoil
Dofoil utilized a customized mining application that supported NiceHash, enabling it to mine various cryptocurrencies. The malware employed a technique called process hollowing, in which it injected malicious code into a legitimate process (such as explorer.exe) to evade detection. The hollowed process then executed coin-mining malware disguised as a valid Windows binary.
Mark Simos, Microsoft’s lead cybersecurity architect, explained, “Process hollowing is a code injection technique that involves spawning a new instance of a legitimate process and then replacing the legitimate code with malware.”
Unusual Persistence Mechanism Detected
The attack was detected because of an uncommon persistence mechanism employed by Dofoil, which triggered behavior-based alerts. For coin-miner malware to be profitable, it must remain undetected for extended periods. In this case, Dofoil dropped a copy of itself in the Roaming AppData folder under the name ditereah.exe, then altered a registry key to point to the new malicious copy, for example by modifying the OneDrive Run key.
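The persistence pattern described above (a Run key whose value name mimics a legitimate application but whose command points at an executable dropped in Roaming AppData) is easy to audit. The following is an added example, not Microsoft's detection logic or code from the article: it checks a set of Run-key entries against two simple rules. The sample entries are constructed for illustration; the ditereah.exe name and the OneDrive Run key come from the article, while the user name, the Teams and SecurityHealth entries, and the allowlist of expected binary names are assumptions an analyst would maintain for their own environment. On a live Windows host the entries would come from HKCU\Software\Microsoft\Windows\CurrentVersion\Run.

```python
import ntpath

# Constructed sample of HKCU\...\CurrentVersion\Run entries (value name -> command).
# "OneDrive" -> ditereah.exe mirrors the persistence described in the article;
# the other two entries and the user name "victim" are placeholders.
SAMPLE_RUN_ENTRIES = {
    "OneDrive": r"C:\Users\victim\AppData\Roaming\ditereah.exe",
    "Teams": r"C:\Users\victim\AppData\Local\Microsoft\Teams\Update.exe --processStart Teams.exe",
    "SecurityHealth": r"C:\Windows\system32\SecurityHealthSystray.exe",
}

# Assumed analyst-maintained allowlist: which binary name a given Run value name should launch.
EXPECTED_BINARY = {
    "onedrive": "onedrive.exe",
    "teams": "update.exe",
    "securityhealth": "securityhealthsystray.exe",
}


def executable_from_command(command):
    """Return the executable path from a Run-key command string.

    Handles a quoted path followed by arguments, and an unquoted path
    followed by arguments (split after the first ".exe").
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    idx = command.lower().find(".exe")
    if idx != -1:
        return command[: idx + 4]
    return command.split(" ", 1)[0]


def audit_run_entries(entries, expected=EXPECTED_BINARY):
    """Flag Run entries that match the Dofoil-style persistence pattern.

    Rule 1: the executable lives under \\AppData\\Roaming\\ (an unusual home for
            an auto-start binary of a well-known application).
    Rule 2: the value name is on the allowlist but the binary it launches is not
            the one expected for that name (e.g. "OneDrive" launching ditereah.exe).
    Returns a list of findings; an empty list means nothing suspicious was seen.
    """
    findings = []
    for name, command in entries.items():
        exe = executable_from_command(command)
        exe_name = ntpath.basename(exe).lower()
        reasons = []
        if "\\appdata\\roaming\\" in exe.lower():
            reasons.append("executable in Roaming AppData")
        expected_name = expected.get(name.lower())
        if expected_name and exe_name != expected_name:
            reasons.append(
                f"value name '{name}' launches '{exe_name}' (expected '{expected_name}')"
            )
        if reasons:
            findings.append({"name": name, "exe": exe, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_run_entries(SAMPLE_RUN_ENTRIES):
        print(f"{finding['name']} -> {finding['exe']}: " + "; ".join(finding["reasons"]))
```

Both rules fire on the constructed OneDrive entry, and neither fires on the two benign entries. Rule 2 is the more useful one in practice: a Run value that keeps a familiar name but is redirected to a different binary is exactly the change a behavior-based alert would key on, while Rule 1 alone produces false positives for legitimate per-user installers that live in Roaming AppData.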
Rise of Coin-Mining Malware
Dofoil is just one of many malware families incorporating coin miners into their attacks. With the increasing value of cryptocurrencies like Bitcoin, coin-mining has become a popular payload choice. Exploit kits are now distributing coin miners instead of ransomware, scammers are embedding mining scripts in fake tech support sites, and even banking Trojans are adopting coin-mining behavior.
As cyber threats continue to evolve, Microsoft’s proactive measures serve as a reminder of the importance of robust cybersecurity defenses to protect against sophisticated attacks.