Microsoft Thwarts Massive Electroneum Mining Malware Campaign

Microsoft says its Windows Defender prevented a massive Electroneum (ETN) mining campaign from spreading. Per the company’s Windows Defender team, the campaign attempted to infect a whopping 400,000 computers during a 12-hour period.

The Redmond-based company revealed that the campaign tried to infect its victims with a variant of Dofoil (also known as Smoke Loader), a trojan that downloads other malware onto victims’ machines.

Microsoft’s post reads:

“Within the next 12 hours, more than 400,000 instances were recorded, 73% of which were in Russia. Turkey accounted for 18% and Ukraine 4% of the global encounters.”

The company claims it managed to immediately discover the attack thanks to its behavior-based, cloud-powered machine learning models. These, per Microsoft, almost immediately picked up the malware, classified it as a threat, and within minutes started blocking it.

The cryptocurrency miner the attack attempted to install on victims’ computers reportedly supports NiceHash, meaning it could mine different cryptocurrencies. In this case, the mining malware mined Electroneum.

How the Electroneum mining attack worked

Reports suggest the Dofoil variant attempted to inject malicious code into explorer.exe, a legitimate OS process. Once the malicious code was injected, the downloader would proceed to download the cryptocurrency miner, named “coinminer.”

Coinminer itself masqueraded as a Windows binary to avoid raising suspicion. Windows Defender picked up on it because, although it looked legitimate, it was running from the wrong disk location.

Moreover, the miner was generating suspicious traffic, as it was attempting to contact its command and control (C&C) server. The C&C server was located on the decentralized Namecoin network infrastructure, which is known for having other malware families stored in its .bit domains.
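The two signals described above (a file named like a Windows binary but running from the wrong directory, and DNS lookups for Namecoin .bit domains) can be checked over endpoint telemetry. The following is an added example, not Microsoft’s or Windows Defender’s code; the process and DNS records, the .bit hostname and the list of expected directories are all constructed assumptions for illustration.

```python
import ntpath

# Constructed sample telemetry: process-creation and DNS-query records,
# as a defender might collect them from an endpoint agent. Not real data.
PROCESSES = [
    {"pid": 4120, "image": r"C:\Windows\explorer.exe"},
    {"pid": 5532, "image": r"C:\Windows\System32\svchost.exe"},
    {"pid": 6011, "image": r"C:\Users\Public\Temp\wuauclt.exe"},  # wrong place
    {"pid": 6402, "image": r"C:\ProgramData\xy\explorer.exe"},   # wrong place
]
DNS_QUERIES = [
    {"pid": 5532, "query": "update.microsoft.com"},
    {"pid": 6011, "query": "vnmqjeg.bit"},  # constructed Namecoin-style name
    {"pid": 6402, "query": "example.com"},
]

# Assumed mapping of commonly impersonated Windows binaries to the
# directories they legitimately run from (lower-cased for comparison).
EXPECTED_DIRS = {
    "explorer.exe": {r"c:\windows", r"c:\windows\syswow64"},
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "wuauclt.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
}


def wrong_location(image: str) -> bool:
    """True when the file name matches a known Windows binary but the
    directory is not one it legitimately runs from."""
    directory, name = ntpath.split(image.lower())
    expected = EXPECTED_DIRS.get(name)
    return expected is not None and directory not in expected


def suspicious_tld(query: str, tlds=(".bit",)) -> bool:
    """True for names under TLDs that only resolve via alternative roots
    such as Namecoin; a normal corporate resolver should never see them."""
    return query.lower().rstrip(".").endswith(tlds)


def find_suspects(processes, dns_queries):
    """Return {pid: [reason, ...]} for every process hit by either heuristic."""
    reasons = {}
    for p in processes:
        if wrong_location(p["image"]):
            reasons.setdefault(p["pid"], []).append("masquerade: " + p["image"])
    for q in dns_queries:
        if suspicious_tld(q["query"]):
            reasons.setdefault(q["pid"], []).append("namecoin-dns: " + q["query"])
    return reasons


if __name__ == "__main__":
    for pid, why in find_suspects(PROCESSES, DNS_QUERIES).items():
        print(pid, "; ".join(why))
```

Running it flags pids 6011 and 6402; a process hit by both heuristics at once, as 6011 is here, is the combination the article describes.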

Windows 10, Windows 8.1, and Windows 7 users running Windows Defender are protected against these types of attacks, Microsoft’s post reads. As recently reported, a researcher found nearly 50,000 websites running cryptocurrency mining malware. Users who wish to protect against these will have to use specific software or browsers such as Opera and Brave.

This attack is presumably related to the ongoing cryptojacking trend, in which criminals normally attempt to mine Monero (XMR). The trend has claimed various high-profile victims, including Tesla, which saw its cloud infrastructure hacked and used to mine.

As previously covered by Ethereum World News, hackers are even stuffing Monero ransom notes inside distributed denial of service (DDoS) attacks to get their victims to pay them to stop.

09.03.2018 / 09:59