On March 6, 2018, Microsoft encountered a rapidly spreading cryptocurrency-mining malware that attempted to infect over 500,000 computers within 12 hours. Windows Defender detected more than 80,000 instances and several variants of the malware dubbed Dofoil, aka Smoke Loader. These instances rapidly spread across Russia, Turkey, and Ukraine and were carrying a digital coin-mining payload, which masqueraded as a legitimate Windows binary in order to evade detection.
Microsoft has not disclosed how the samples reached such a large audience in so short a window, but it blocked the campaign to a large extent with behavior-based detection backed by cloud machine-learning models in Windows Defender. Reaching that many machines that quickly would normally require something like a large spam-email campaign or a drive-by download served from a popular website.
According to the researchers, the Trojan uses an old code-injection technique called ‘process hollowing’: it starts a new instance of a legitimate process in a suspended state, unmaps (hollows out) the legitimate code from that process's memory, writes its own payload in its place, and then resumes execution. Because the process keeps the legitimate image name, path, and parent, process-monitoring tools and AV that trust those attributes believe the original program is still running while the malicious code executes instead.
To persist on the infected machine, the malware copies itself into the user's AppData\Roaming folder under the name ‘ditereah.exe’ and then creates a new registry key, or modifies an existing one, so that it points to that copy. The Trojan also connects to a remote C&C server whose domain is registered on the decentralized Namecoin network, and it retrieves new commands from that server, including instructions to download and install additional malware.
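The persistence and C&C behaviour described above gives a defender three concrete things to hunt for: an executable launched from AppData\Roaming, a Run key rewritten to point into AppData\Roaming, and DNS lookups for Namecoin (.bit) names. The script below is an added example, not code from Microsoft or from the original article: it runs simple detection rules over constructed Sysmon-style events (JSON lines; the file paths, SID, Run-key value name and the .bit domain are all made up for the example) and correlates hits on the same binary. Real Sysmon telemetry would be read from the event log or a SIEM instead of the inline string.

```python
import json
import re
from collections import defaultdict

# Constructed Sysmon-style events (JSON lines). Field names (Image, TargetObject,
# Details, QueryName) follow Sysmon; the paths, SID and domain are invented here.
SAMPLE_EVENTS = r"""
{"EventID": 1, "Image": "C:\\Users\\alice\\AppData\\Roaming\\ditereah.exe", "ParentImage": "C:\\Windows\\explorer.exe"}
{"EventID": 13, "EventType": "SetValue", "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater", "Details": "C:\\Users\\alice\\AppData\\Roaming\\ditereah.exe"}
{"EventID": 22, "QueryName": "xqzpfdw.bit", "Image": "C:\\Windows\\explorer.exe"}
{"EventID": 1, "Image": "C:\\Program Files\\7-Zip\\7zFM.exe", "ParentImage": "C:\\Windows\\explorer.exe"}
{"EventID": 13, "EventType": "SetValue", "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\SecurityHealth", "Details": "C:\\Program Files\\Windows Defender\\MSASCuiL.exe"}
{"EventID": 22, "QueryName": "www.microsoft.com", "Image": "C:\\Windows\\System32\\svchost.exe"}
"""

# Executables living under the per-user Roaming profile directory.
ROAMING_DIR = re.compile(r"\\AppData\\Roaming\\", re.IGNORECASE)
# Autostart locations: HKLM/HKU ...\CurrentVersion\Run and RunOnce.
RUN_KEY = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE)
# Namecoin names resolve under the .bit top-level domain.
NAMECOIN_TLD = ".bit"


def load_events(text):
    """Parse JSON-lines telemetry, ignoring blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(event):
    """Return an alert dict for one event, or None if no rule fires."""
    eid = event.get("EventID")
    if eid == 1 and ROAMING_DIR.search(event.get("Image", "")):
        # Process creation (Sysmon event 1) from the Roaming profile directory.
        return {"rule": "exec_from_roaming", "path": event["Image"].lower()}
    if (eid == 13 and RUN_KEY.search(event.get("TargetObject", ""))
            and ROAMING_DIR.search(event.get("Details", ""))):
        # Registry value set (Sysmon event 13) on a Run key pointing into Roaming.
        return {"rule": "run_key_to_roaming", "path": event["Details"].lower(),
                "key": event["TargetObject"]}
    if eid == 22 and event.get("QueryName", "").lower().endswith(NAMECOIN_TLD):
        # DNS query (Sysmon event 22) for a Namecoin name.
        return {"rule": "namecoin_dns", "path": event.get("Image", "").lower(),
                "query": event["QueryName"]}
    return None


def scan(text):
    """Run every rule over every event and collect the alerts in order."""
    return [alert for alert in map(detect, load_events(text)) if alert]


def correlate(alerts):
    """Group alerts by binary path. A binary that both ran from Roaming and was
    wired into a Run key is rated 'high'; a single hit is 'medium'."""
    rules_by_path = defaultdict(set)
    for alert in alerts:
        rules_by_path[alert["path"]].add(alert["rule"])
    persistence = {"exec_from_roaming", "run_key_to_roaming"}
    return {path: ("high" if persistence <= rules else "medium")
            for path, rules in rules_by_path.items()}


if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for alert in found:
        print(alert)
    for path, severity in correlate(found).items():
        print(severity, path)
```

The three rules are deliberately narrow; in a real environment the Roaming-directory rule needs an allow-list for legitimate software that installs per-user, and the .bit rule only works if endpoint DNS is logged before it leaves the host.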