A huge campaign distributing the Dofoil Trojan has been discovered by Microsoft. The campaign has already witnessed almost half a million PCs infected with the malware in less than 12 hours. The Dofoil Trojan is otherwise referred to as Smoke Loader – an installer that has been in operation for many years.
The Dofoil Trojan is a small application which once downloaded to a PC is capable of downloading other forms of malware. The Dofoil Trojan has been used in many campaigns since at least 2011 to download malware, with the latest campaign used to install cryptocurrency mining malware.
This was first noticed on March 6 when Windows Defender discovered almost 80,000 instances of the Trojan on PCs with the number rising rapidly to more than 400,000 in the next 12 hours. Several strains of the Dofoil Trojan were being used in the campaign which was mostly focusing on devices in Russia, Ukraine, and Turkey.
The cryptocurrency mining malware is being deployed to mine Electroneum coins on infected devices, although the malware can mine other cryptocurrencies.
Spotting the malware can be tricky as it uses process hollowing to create a new instance of an authentic Windows process for malicious purposes. In this case the malware is masked as a Windows binary file to avoid detection – wuauclt.exe. Explorer.exe is used to establish a copy of the malware in the Roaming AppData folder which is relabelled as ditereah.exe. The Windows registry is also altered to ensure persistence, changing an existing entry to point to the malware copy. The malware communicates with its C2 server and is also capable of downloading additional malware variants onto an infected device.
While Microsoft was able to spot infections, what is not known at this stage is how the malware was downloaded on so many devices in such as short space of time. While the malware could possibly have been shared using spam email, another means of distribution is suspected. Microsoft notes that in many cases the malware is believed to have been spread using torrent files, which are used in P2P file sharing, often to obtain pirated movies, music, and software.
Microsoft has only made known the number of infections it has detected using Windows Defender. The company does not have visibility into devices that do not have the anti-malware software downloaded. The overall number of infections is therefore likely to be much more. The 400,000+ infections are likely to be just the start of it.
Microsoft notes that its attempts to disrupt the operation did not just prevent devices from mining cryptocurrencies. Infection with the Dofoil Trojan allows the hackers to install any number of extra malicious payloads including more dangerous malware variants and ransomware.
