A new cryptocurrency-mining malware campaign discovered by Microsoft infected nearly half a million computers within the first 12 hours of its execution. Known as Dofoil or Smoke Loader, the malware, which has now been mostly blocked, downloaded a payload that mines Electroneum coins on Windows machines.
Microsoft Windows Defender detected several variants and over 80,000 instances of Dofoil. Within the next 12 hours, there were over 400,000 new instances spreading across Russia, Turkey, and Ukraine, though Microsoft has yet to explain how it spread so widely in such a short period of time.
The Dofoil Trojan evades process monitors and anti-virus programs by starting a legitimate process and replacing its code in memory with malicious code, so that the malware runs under the legitimate process's name in a technique called process hollowing. Additionally, it stayed hidden on a system by modifying the Windows registry: it created a copy of the malware in the Roaming AppData folder, then created or modified a registry key to point to the new copy.
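The two behaviours described above leave traces a defender can look for: a Run key whose target sits in the user's Roaming AppData folder, and a legitimate system binary started by a parent that itself runs from a user-writable folder (the usual shape of a dropper preparing a process to hollow). The following Python is an added example, not code from the original article or from Microsoft; the registry entries, process events, file names and user name in it are constructed samples, and the thresholds are simple heuristics that a real deployment would tune and enrich (for instance with signer information).

```python
"""Triage heuristics for Dofoil-style persistence and process hollowing
precursors. All records below are constructed samples, not campaign data."""

import re
from dataclasses import dataclass

# User-writable locations that droppers and persistence entries commonly use.
USER_WRITABLE = re.compile(
    r"\\users\\[^\\]+\\appdata\\(roaming|local\\temp)\\", re.IGNORECASE)
# Where genuine Windows system binaries live.
SYSTEM_DIRS = re.compile(r"^c:\\windows\\(system32|syswow64)\\", re.IGNORECASE)
# Well-known autostart keys (compared case-insensitively).
RUN_KEYS = (r"software\microsoft\windows\currentversion\run",
            r"software\microsoft\windows\currentversion\runonce")


@dataclass
class RunKeyEntry:
    hive: str   # e.g. "HKCU"
    key: str    # subkey path under the hive
    name: str   # value name
    data: str   # command line stored in the value


@dataclass
class ProcessEvent:
    pid: int
    image: str          # full path of the new process's executable
    parent_image: str   # full path of the parent's executable


def executable_from_command(cmd: str) -> str:
    """Return the executable path from a Run value such as '"C:\\x\\a.exe" /q'."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(" ")[0]


def suspicious_run_keys(entries):
    """Run/RunOnce values whose target lives in Roaming AppData or Temp."""
    hits = []
    for e in entries:
        if e.key.lower() not in RUN_KEYS:
            continue
        if USER_WRITABLE.search(executable_from_command(e.data)):
            hits.append(e)
    return hits


def suspicious_process_events(events):
    """System binaries spawned by a parent running from a user-writable folder.
    Installers can legitimately do this too, so treat hits as triage leads."""
    hits = []
    for ev in events:
        parent_in_user_dir = bool(USER_WRITABLE.search(ev.parent_image))
        child_is_system = bool(SYSTEM_DIRS.match(ev.image))
        if parent_in_user_dir and child_is_system:
            hits.append(ev)
    return hits


# Constructed sample data: one benign and one suspicious record of each kind.
SAMPLE_RUN_KEYS = [
    RunKeyEntry("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
                r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'),
    RunKeyEntry("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run", "svcupd",
                r'"C:\Users\alice\AppData\Roaming\svcupd.exe"'),
]
SAMPLE_EVENTS = [
    ProcessEvent(4120, r"C:\Windows\System32\notepad.exe",
                 r"C:\Windows\explorer.exe"),
    ProcessEvent(5208, r"C:\Windows\System32\svchost.exe",
                 r"C:\Users\alice\AppData\Local\Temp\dropper.exe"),
]

if __name__ == "__main__":
    for e in suspicious_run_keys(SAMPLE_RUN_KEYS):
        print(f"persistence: {e.hive}\\{e.key}\\{e.name} -> {e.data}")
    for ev in suspicious_process_events(SAMPLE_EVENTS):
        print(f"hollowing precursor: pid {ev.pid} {ev.image} "
              f"spawned by {ev.parent_image}")
```

On a live host the same two functions can be fed from `reg query` output and from process-creation telemetry (Sysmon event 1 or the equivalent EDR record); the value of pairing them is that Dofoil's persistence entry and its hollowed process both point back at the same user-writable drop location.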
According to Microsoft, the attack has largely been shut down and was detected in part by Windows Defender Antivirus’s behavior monitoring and artificial intelligence-based machine learning techniques.