500,000 computers infected in 12 hours, mining Electroneum

Posted: 9 March 2018 1:12 pm

A quickly spreading cryptojacking infection, geared to mine Electroneum, has been detected.

Just before noon on 6 March, Microsoft picked up more than 80,000 instances of the same sophisticated trojan. In the next 12 hours, more than 400,000 further instances were recorded. 73% of the detections were in Russia, 18% in Turkey and 4% in Ukraine.

It turned out to be a new variant of the Dofoil (also known as Smoke Loader) trojan, equipped with a cryptocurrency mining payload. The coin miner is believed to use the NiceHash system, which can be geared to mine a range of coins, but this particular attack was geared to mine Electroneum.

Microsoft said it was a sophisticated piece of malware, designed to stay hidden for a long time by masquerading as a genuine Windows process. The malware is believed to have been installed through a trojanised copy of the MediaGet BitTorrent software, which explains how it spread so quickly.

Dofoil has a long history as a malware downloader and uses a technique called "process hollowing". It starts a copy of a legitimate process, hollows out its memory and replaces the contents with malicious code, so that the result still looks like a normal program and goes undetected. The hollowed process then spawns the cryptocurrency miner, which also masquerades as a legitimate process.

From there it connected to a remote command and control server hosted on the decentralised Namecoin network. This server issued commands to the malware, including connecting to or disconnecting from IP addresses, downloading a file and executing or terminating it, and sleeping for a period of time. Like most cryptojackers, it was engineered to stay hidden for as long as possible in order to extract as much value as it could from its host computers.
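One defender-side check suggested by the Namecoin detail above, written here as an added example that is not from the article or from Microsoft: Namecoin names sit under the .bit pseudo-TLD, which the public DNS root does not serve, so an internal resolver that sees a host repeatedly asking for .bit names has a lead worth following up. The BIND-style log lines, hosts and domain names below are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample resolver log (BIND-style query-log format); not taken from the article.
SAMPLE_DNS_LOG = """\
06-Mar-2018 11:52:03.101 client 10.0.0.15#51234: query: update.example.com IN A + (10.0.0.1)
06-Mar-2018 11:52:04.220 client 10.0.0.15#51240: query: c2-placeholder.bit IN A + (10.0.0.1)
06-Mar-2018 11:52:05.003 client 10.0.0.22#40011: query: tracker.example.org IN A + (10.0.0.1)
06-Mar-2018 11:52:06.418 client 10.0.0.15#51251: query: c2-placeholder.bit IN A + (10.0.0.1)
06-Mar-2018 11:53:10.777 client 10.0.0.31#53999: query: another-placeholder.bit IN AAAA + (10.0.0.1)
"""

# Pulls the client address, queried name and record type out of one query-log line.
QUERY_RE = re.compile(
    r"client (?P<src>\d+\.\d+\.\d+\.\d+)#\d+: query: (?P<name>\S+) IN (?P<type>\S+)"
)


def parse_query_log(text):
    """Yield (source_ip, queried_name, record_type) for every parseable log line."""
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            # Normalise case and strip a trailing dot so 'Foo.BIT.' and 'foo.bit' compare equal.
            yield m.group("src"), m.group("name").lower().rstrip("."), m.group("type")


def is_namecoin_name(name):
    """True if the name belongs to the Namecoin .bit pseudo-TLD (a whole label, not a substring)."""
    return name == "bit" or name.endswith(".bit")


def find_namecoin_lookups(text):
    """Return {source_ip: {queried_name: count}} for every .bit lookup in the log."""
    hits = defaultdict(lambda: defaultdict(int))
    for src, name, _rtype in parse_query_log(text):
        if is_namecoin_name(name):
            hits[src][name] += 1
    return {src: dict(names) for src, names in hits.items()}


if __name__ == "__main__":
    for src, names in find_namecoin_lookups(SAMPLE_DNS_LOG).items():
        print(f"{src} looked up Namecoin names: {names}")
```

A single .bit lookup can be a curious user; a host that retries the same .bit name is the pattern to triage against process and network telemetry.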

Now that Microsoft has identified it, it can be detected on Windows 10, Windows 8.1 and Windows 7 machines running Windows Defender AV or Microsoft Security Essentials, and probably by other antivirus products too.

This is just one of many sophisticated cryptojacking attacks discovered recently.


Disclosure: At the time of writing the author holds ETH, IOTA, ICX, VEN, XLM, SALT, BTC, NANO

Disclaimer: This information should not be interpreted as an endorsement of cryptocurrency or any specific provider, service or offering. It is not a recommendation to trade. Cryptocurrencies are speculative, complex and involve significant risks – they are highly volatile and sensitive to secondary activity. Performance is unpredictable and past performance is no guarantee of future performance. Consider your own circumstances, and obtain your own advice, before relying on this information. You should also verify the nature of any product or service (including its legal status and relevant regulatory requirements) and consult the relevant Regulators' websites before making any decision. Finder, or the author, may have holdings in the cryptocurrencies discussed.
