500,000 computers infected in 12 hours, mining Electroneum
A quickly spreading cryptojacking infection, geared to mine Electroneum, has been detected.
Just before noon on 6 March Microsoft picked up more than 80,000 instances of the same sophisticated trojan. In the following 12 hours, more than 400,000 further instances were recorded. 73% of the infections were in Russia, 18% in Turkey and 4% in Ukraine.
It turned out to be a new variant of the Dofoil (also known as Smoke Loader) trojan, equipped with a cryptocurrency mining payload. The coin miner is believed to use the NiceHash system, which can be configured to mine a range of coins, but this particular attack was geared to mine Electroneum.
Microsoft said that it was a sophisticated piece of malware, designed to stay hidden for a long time by masquerading as a genuine Windows process. The malware is believed to have been installed through a trojan in the MediaGet BitTorrent software, which is how it spread so quickly.
Dofoil has a long history as a malware downloader, and uses a technique called "process hollowing": it launches a copy of a suitable legitimate process, hollows out its memory and replaces the contents with malicious code, so that the malicious code runs under the name of a trusted program and goes undetected. This hollowed process then spawns the cryptocurrency mining program, which also masquerades as a legitimate process.
From here it connected to a remote command and control server hosted on the decentralised Namecoin network. This server would then issue commands to the malware, including connecting to or disconnecting from an IP address, downloading a file and executing or terminating it, or sleeping for a period of time. Like most cryptojackers, it was engineered to stay hidden for as long as possible in order to extract as much value as it could from its host computers.
Since Microsoft has picked it up, it can now be detected on Windows 10, Windows 8.1 and Windows 7 machines running Windows Defender AV or Microsoft Security Essentials, and probably by other antivirus products too.
This is just one of many sophisticated cryptojacking attacks discovered recently.
Disclosure: At the time of writing the author holds ETH, IOTA, ICX, VEN, XLM, SALT, BTC, NANO