Microsoft Blocked More Than 400,000 Malicious Cryptojacking Attempts In One Day

Published at: March 10, 2018

Microsoft’s Windows Defender Antivirus has blocked an attack of more than 400,000 attempts over a span of 12 hours for trojans to infect users with a cryptocurrency miner, according to a Microsoft blog post on March 7.

Windows Defender’s research showed that a little before noon (PST) on March 6, Windows Defender Antivirus began detecting these sophisticated trojans, which are new variants of an application called Dofoil (or Smoke Loader), attempting to inject cryptocurrency mining malwares through “advanced cross-process injection techniques, persistence mechanisms, and evasion methods.”

The majority, or 73 percent, of these instances came from Russia, with 18 percent from Turkey and 4 percent from Ukraine.

Even though Dofoil uses a code injection technique that runs crypto mining malware disguised as a legitimate Windows binary, Windows Defender Antivirus behavior monitoring flagged trojan injections as threats because the network traffic from this binary, wuauclt.exe, is suspicious as well as running from the wrong location.

Dofoil, which Microsoft describes as the “latest malware family to incorporate coin miners in attacks,” used the NiceHash crypto cloud mining marketplace that supports a variety of cryptocurrencies. Microsoft notes that the samples they inspected mined Electroneum coins.

Cryptojacking has become more prevalent recently, with more than 55 percent of businesses worldwide affected by crypto mining attacks as of January 2018.

In mid-February, a malicious crypto mining script was injected into software for helping blind and partially-sighted people go online, affecting more than 5000 websites, including those of the UK government. Earlier in February, a malware for mining Monero was discovered to have infiltrated around 7000 Android devices mainly in China and South Korea.

Tags
Related Posts
Researchers Discover New Cryptocurrency-Focused Trojan
Computer analysts at cybersecurity firm Zscaler ThreatLabZ have found a new type of trojan that targets cryptocurrency users. In a blog post published on Aug. 8, the company reveals that it identified a new remote-access trojan (RAT) that is able to capture administrative control of the targeted computer, retrieve browser history and look for activities involving cryptocurrency, credit cards, business, social media and others. The malware is called Saefko and is written in .NET, a software framework developed by Microsoft and used to develop a wide range of applications. The post further explains: “RATs are usually downloaded as a result …
Cryptocurrencies / Aug. 9, 2019
15 Arrested in China for Allegedly Bribing Internet Cafe to Mine Crypto
Chinese authorities arrested fifteen men suspected of corrupting an internet café administrator to mine cryptocurrency. Local crypto industry news outlet 8BTC reported on Sept. 3 that police in Henyang, a city in south central China’s Hunan province, arrested the man for cryptojacking. Over 9,000 computer administrators were reportedly involved in helping the unauthorized mining operation. A profitable endeavor The cryptocurrency mined by the suspects in the four months ending in July has been sold for over a hundred million yuan (about $14 million). Local police received a report suggesting that many local Internet cafes were running cryptojacking malware. The findings …
China / Sept. 4, 2019
New Crypto Mining Malware Beapy Uses Leaked NSA Hacking Tools: Symantec Research
American software security firm Symantec found a spike in a new crypto mining malware that mainly targets enterprises, TechCrunch reports on April 25. The new cryptojacking malware, dubbed Beapy, uses the leaked United States National Security Agency (NSA) hacking tools to spread throughout corporate networks to generate big sums of money from a large amount of computers, the report notes. First spotted in January 2019, Beapy reportedly surged to over 12,000 unique infection across 732 organizations since March, with more than 80% of infections located in China. As found by researchers, Beapy malware is reportedly spread through malicious emails. Once …
United States / April 25, 2019
Fake MetaMask Crypto Malware Pulled From Google Play After Tipoff
Decentralized app (DApp) MetaMask is facing fresh problems from cryptocurrency scammers after malware impersonating the tool appeared on Google Play, cybersecurity company Eset reported on Feb. 8. The malware, which replaces computer clipboard information in an attempt to steal cryptocurrency, was removed by Google at the beginning of the month after a tipoff from Eset researchers. Known as a “Clipper,” the malware replaces copied cryptocurrency wallet addresses with an address belonging to an attacker in the hope that funds will be sent elsewhere without the user noticing. The discovery marked the first time such malware had made it past Google’s …
Ethereum / Feb. 11, 2019
New Crypto-Stealing Malware Infected 80,000 Computers, Microsoft Says
The Microsoft Defender ATP research team shares insights on a new cryptocurrency-stealing malware variant that has infected close to 80,000 computers. On Nov. 26, Microsoft security analysts revealed that the malware, called Dexphot, had already infected close to 80,000 devices since October 2018, reaching its peak in the month of June of this year. The malicious code reportedly hijacks legitimate system processes to disguise its nefarious activity, with the ultimate goal of running a cryptocurrency miner on the infected device. When infected users attempt to remove the malware, monitoring services and scheduled tasks will trigger re-infection. The report reads: “Dexphot …
Bitcoin / Nov. 26, 2019