Connect with us

Hi, what are you looking for?


Malware & Threats

Microsoft Detects Massive Dofoil Attack

[UPDATE] Mid-day Tuesday (PST), Microsoft’s Windows Defender blocked more than 80,000 instances of several new variants of the Dofoil (aka Smoke Loader) downloader. The signatureless machine learning capabilities of Defender detected anomalous behavior, and within minutes had protected Windows 10, 8.1 and 7 users from the outbreak. 

[UPDATE] Mid-day Tuesday (PST), Microsoft’s Windows Defender blocked more than 80,000 instances of several new variants of the Dofoil (aka Smoke Loader) downloader. The signatureless machine learning capabilities of Defender detected anomalous behavior, and within minutes had protected Windows 10, 8.1 and 7 users from the outbreak. 

Over the next 12 hours, more than 400,000 instances of this malware were recorded — 73% of them in Russia, 18% in Turkey, and 4% in Ukraine.

Microsoft describes how the Dofoil downloader works, and how it was detected. Noticeably, it does not explain how the computers were compromised in the first place. The malware performs process hollowing, which involves spawning a new instance of a legitimate process — in this case, explorer.exe — and replacing the good code with malware. The hollowed explorer.exe then spins a second instance which drops and runs coin mining malware masquerading as the legitimate binary, wuauclt.exe.

Defender detected the issue, writes Microsoft, since, “Even though it uses the name of a legitimate Windows binary, it’s running from the wrong location. The command line is anomalous compared to the legitimate binary. Additionally, the network traffic from this binary is suspicious.”

The downloader communicates with a C&C server, vinik.bit, inside the Namecoin distributed framework. Doctor Web researchers described Namecoin as, “a system of alternative root DNS servers based on Bitcoin technology.” Namecoin describes itself as a key/value pair registration and transfer system based on Bitcoin technology. “Bitcoin frees money — Namecoin frees DNS, identities, and other technologies.”

Fittingly, what Dofoil downloads is a cryptominer that supports NiceHash; allowing it to mine different cryptocurrencies. “The samples we analyzed mined Electroneum coins,” writes Microsoft.

Electroneum is an interesting choice when most malware miners seem to go for Bitcoin and increasingly Monero. The criminals will always, however, go after maximum profit from minimum effort. On Monday this week, one day before the Dofoil outbreak, Jason Evangelho wrote in Forbes, “I’m enthusiastic about Electroneum and I’ve been diverting my mining rigs from Nicehash or Ethereum to this one because I believe it will explode in popularity by the end of 2018.” This may be precisely the same reasoning as the criminals.

Advertisement. Scroll to continue reading.

Natural price growth in any currency will likely be boosted by the number of operational miners. In a report titled Monero Mining Malware (PDF) published today, NTT researchers suggest that there is a symbiotic relationship between legal and malware-driven mining, with both processes driving the increase in value. 

The decision to used Dofoil to drop Electroneum mining malware may be jointly driven by the apparent potential growth in the currency bolstered by a massive campaign trying to infect nearly half a million PCs specifically to drive up the value.

“As demonstrated,” writes Microsoft, “Windows Defender Advanced Threat Protection (Windows Defender ATP) flags malicious behaviors related to installation, code injection, persistence mechanisms, and coin mining activities. Security operations can use the rich detection libraries in Windows Defender ATP to detect and respond to anomalous activities in the network.”

This is true as far as it goes; but not everyone believes it goes far enough. All such reports are fundamentally marketing documents and will inevitably portray the company concerned in the best light possible. “The way I read it,” comments ESET Senior Research Fellow David Harley, “Windows Defender did a good job of detecting this particular campaign, and deserve credit for it. As does any company that offers prompt/proactive detection of a sophisticated campaign, and there are several that do.”

F-Secure security advisor Sean Sullivan agrees that many anti-malware products would have had a similar success in stopping the campaign. “Other antivirus products would also block this campaign,” he told SecurityWeek. “Some of the details may differ, but the result would be similar.”

Luis Corrons, technical director at PandaLabs, is more reserved. “If you read [the report] carefully, you see they have no clue on how the threat compromised those computers,” he told SecurityWeek. “So, we are talking about an ‘outbreak’ (their own words) infecting thousands of computers protected by Microsoft.”

Corrons’ concern is that relying solely on behavioral patterns will only detect the malware after it has already infected the computer. This is true in this case since the downloaded malware, disguised as wuauclt.exe was detected because it was in the wrong location. “After being compromised they were able to detect it — which is great, but it would have been better if they could have stopped the infection in the first place. The problem is,” he continued, “that if they really have no idea of how the attack compromised those computers, the same attack could work against all Microsoft AV users leaving them just with the hope that their ‘great’ machine learning technology is able to detect it (once they have been infected).”

This last is an interesting comment, since reliance on machine learning algorithms can only be as effective as the algorithms and the data from which they learn. Almost two years ago there was a huge argument between the original anti-virus industry and the evolving ‘next-gen’ machine learning endpoint protection systems — with the former accusing the latter of frequently ‘stealing’ their malware intelligence via VirusTotal.

One of the figures in the Microsoft report depicts the ‘alert process tree’ used to determine the presence of the malware. Noticeably, this includes a VirusTotal hash with the comment, “VirusTotal detection ratio 38/67.” Since more than half of the anti-malware engines supported by VirusTotal already classify the file as malware, it is a fair assumption that it really is malware. 

A cynic might then wonder just how much of the ‘Big Data Analytics’ underpinning Defender’s machine learning algorithms actually depends upon the opinions of other anti-malware researchers as displayed by VirusTotal.

[UPDATE 03/09/18] Microsoft has clarified that the report illustration labeled “Windows Defender ATP alert process tree…” is not part Defender’s decision process, but a graphic generated after the event for the benefit of sysadmins. The referral to VirusTotal, showing that 38 anti-malware engines detected the file as malicious, was not
made until 11 hours after Defender also concluded it was malware. 

Microsoft has also promised to share details of the campaign’s distribution methodology ‘soon’, saying “we have seen correlation with certain file sharing and internet download programs.”

Related: Windows Defender ATP Detects Spyware Used by Law Enforcement: Microsoft 

Related: “Illusion Gap” Attack Bypasses Windows Defender 

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...


The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.