Microsoft Saves 400,000 Windows Users From Cryptomining Malware
Microsoft, using its improved anti-malware software, has succeessfully managed to save about 400.000 Windows users from a massive cryptomining malware attack. The attack happened on March 6 and in just 12 hours the malware strain, which is highly sohphisticated, managed to infect nearly half a million systems. The initial plan was to target around 80,000 systems with variations of the Dofoil malware, which after infecting systems, tries to download additional malware components. As per Microsoft reports, the plan this time was to use the infected machines for cryptocurrency mining.
The impact of cryptocurrency mining, it’s to be noted, could be serious. It could affect the system’s processor in a very adverse manner. Forbes.com, discussing the malware attack, elaborates on the impact of cryptomining malware as well- “Cryptomining malware can be especially dangerous. That’s because “mining” cryptocurrencies like Bitcoin and Monero can be very hard on a computer’s processor. The extra work it’s forced to do by the mining malware creates a lot of excess heat. If pushed too hard for too long, the system’s processor could potentially fail. That may sound unbelievable, but it’s already happened to some infected Android devices.”
Coming back to the malware attack, a detailed post (dated March 7) on the Microsoft Secure blog explains how it happened- “Just before noon on March 6 (PST), Windows Defender Antivirus blocked more than 80,000 instances of several sophisticated trojans that exhibited advanced cross-process injection techniques, persistence mechanisms, and evasion methods. Behavior-based signals coupled with cloud-powered machine learning models uncovered this new wave of infection attempts. The trojans, which are new variants of Dofoil (also known as Smoke Loader), carry a coin miner payload. Within the next 12 hours, more than 400,000 instances were recorded, 73% of which were in Russia. Turkey accounted for 18% and Ukraine 4% of the global encounters.”
The Microsoft Secure blog post also details how the attack was tackled-
“Windows Defender AV initially flagged the attack’s unusual persistence mechanism through behavior monitoring, which immediately sent this behavior-based signal to our cloud protection service.
1. Within milliseconds, multiple metadata-based machine learning models in the cloud started blocking these threats at first sight.
2. Seconds later, our sample-based and detonation-based machine learning models also verified the malicious classification. Within minutes, detonation-based models chimed in and added additional confirmation.
3. Within minutes, an anomaly detection alert notified us about a new potential outbreak.
4. After analysis, our response team updated the classification name of this new surge of threats to the proper malware families. People affected by these infection attempts early in the campaign would have seen blocks under machine learning names like Fuery, Fuerboos, Cloxer, or Azden. Later blocks show as the proper family names, Dofoil or Coinminer.
Windows 10, Windows 8.1, and Windows 7 users running Windows Defender AV or Microsoft Security Essentials are all protected from this latest outbreak.”
Though the campaign targeted systems in Russia, Turkey and Ukraine, Windows Defender users everywhere are protected from the malware.
Julia Sowells960 Posts
Julia Sowells has been a technology and security professional. For a decade of experience in technology, she has worked on dozens of large-scale enterprise security projects, and even writing technical articles and has worked as a technical editor for Rural Press Magazine. She now lives and works in New York, where she maintains her own consulting firm with her role as security consultant while continuing to write for Hacker Combat in her limited spare time.