Microsoft Blocks Malicious Cryptocurrency Miner to Save 400,000 Users

A highly sophisticated new malware strain targeting Windows computers, which attempted to infect nearly half a million machines, has been stopped.

Microsoft’s default built-in antivirus program has squashed a barrage of attacks launched by what it calls a “massive” cryptocurrency mining campaign dubbed Dofoil. The outbreak began on Monday around 3 PM Eastern Time, initially targeting some 80,000 computers with several variations of Dofoil malware. Once the payload is executed, the malware proceeds to download other malware components. In this scenario, the plan was to mine for cryptocurrency.

The “sophisticated” trojan malware exhibited “advanced cross-process injection techniques, persistence mechanisms and evasion methods,” Microsoft revealed. Within 12 hours, over 400,000 more instances were recorded, with the vast majority (73%) of the outbreak based in Russia. Turkey accounted for 18% while Ukraine saw 4% of the global attack.

Dofoil is just the latest malware family to incorporate cryptocurrency miners in attacks. “Because the value of Bitcoin and other cryptocurrencies continues to grow, malware operators see the opportunity to include coin mining components in their attacks,” Microsoft added.

Dofoil, specifically, uses a customized mining application where the miner supports NiceHash, enabling it to mine various cryptocurrencies. Microsoft said its default Windows Defender security program was able to detect infections “within milliseconds” thanks to its behavioral analysis functionality and its advanced, cloud-based machine learning tools. The software giant said it was able to analyze and include additional confirmation from detonation-based models before an anomaly detection alert notified security engineers of a potential new outbreak.

“Artificial intelligence and behavior-based detection in Windows Defender AV has become one of the mainstays of our defense system,” the research team wrote.

Microsoft added:

Windows 10, Windows 8.1, and Windows 7 users running Windows Defender AV or Microsoft Security Essentials are all protected from this latest outbreak.
