While Microsoft’s Windows Defender might have an undeserved reputation as the antivirus suite no-one turns to in need, the Redmond company has now announced in a new blog post that the program has succeeded in defending against a major hack that fielded some 400,000 cryptojacking attempts in just twelve hours.
The company elaborated that Windows Defender research began detecting the sophisticated trojans on March 6. They are new variants of a loader dubbed Smoke Loader (or Dofoil) that attempts to compromise vulnerable systems by delivering a cryptocurrency-mining payload.
Specifically, the company wrote that:
“Just before noon on March 6 (PST), Windows Defender Antivirus blocked more than 80,000 instances of several sophisticated trojans that exhibited advanced cross-process injection techniques, persistence mechanisms, and evasion methods. Behavior-based signals coupled with cloud-powered machine learning models uncovered this new wave of infection attempts. The trojans, which are new variants of Dofoil (also known as Smoke Loader), carry a coin miner payload. Within the next 12 hours, more than 400,000 instances were recorded, 73% of which were in Russia. Turkey accounted for 18% and Ukraine 4% of the global encounters.”
Dofoil in particular is notorious for running cryptojacking malware that mimics a legitimate Windows binary; in this case, however, Windows Defender was able to determine that the binary in question was running from a location where the genuine binary does not live, which exposed it as an impostor.
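The "misplaced binary" signal described above can be reproduced as a simple defensive check: compare each process's image name against the directory the genuine binary is known to live in. The following is an added example, not code from Microsoft or from the original article; the allow-list of binary names and home directories is an assumption for a default install, and the process snapshot is a constructed sample rather than telemetry from the incident.

```python
"""Flag a process that borrows the name of a legitimate Windows binary but
executes from somewhere other than that binary's real home directory."""
import ntpath

# Assumed allow-list: where the genuine copy of each name lives on a default
# install (%SystemRoot% = C:\Windows). Verify against a known-good host.
EXPECTED_HOME = {
    "svchost.exe":  {r"c:\windows\system32", r"c:\windows\syswow64"},
    "wuauclt.exe":  {r"c:\windows\system32", r"c:\windows\syswow64"},
    "lsass.exe":    {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
}

def normalize(image_path: str) -> tuple:
    """Return (lowercase parent dir, lowercase file name) for an NT path,
    collapsing '..' segments and forward slashes so a path such as
    C:/Windows/System32/../Temp/x.exe cannot slip past a naive compare."""
    clean = ntpath.normpath(image_path).lower()
    parent, name = ntpath.split(clean)
    return parent.rstrip("\\"), name

def is_misplaced(image_path: str) -> bool:
    """True when the file name is a listed system binary but its directory is
    not one of the expected homes. Names not on the list are not judged."""
    parent, name = normalize(image_path)
    homes = EXPECTED_HOME.get(name)
    return homes is not None and parent not in homes

def find_misplaced(processes):
    """Filter {'pid': int, 'image': str} records down to the suspicious ones."""
    return [p for p in processes if is_misplaced(p["image"])]

# Constructed sample snapshot, shaped like a process-list collector's output.
SAMPLE_PROCESSES = [
    {"pid": 1012, "image": r"C:\Windows\System32\svchost.exe"},             # genuine
    {"pid": 2288, "image": r"C:\WINDOWS\SysWOW64\wuauclt.exe"},             # genuine, odd case
    {"pid": 3340, "image": r"C:\Windows\explorer.exe"},                      # genuine
    {"pid": 4410, "image": r"C:\Users\alice\AppData\Roaming\wuauclt.exe"},  # misplaced
    {"pid": 5120, "image": r"C:\Windows\System32\..\Temp\svchost.exe"},     # misplaced via ..
    {"pid": 6001, "image": r"C:\Program Files\Vendor\updater.exe"},         # not on the list
]

if __name__ == "__main__":
    for hit in find_misplaced(SAMPLE_PROCESSES):
        print(f"pid {hit['pid']}: {hit['image']} is not in its expected directory")
```

The check only catches name-and-path mimicry; a copy placed in the correct directory would need a signature or hash comparison instead.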
Microsoft further noted that the mining scripts it examined had been configured to mine Electroneum coins.
The malware attack, despite its ultimate prevention, is the latest in a string of cryptojacking offensives.
In February, more than half a million Windows servers – some 526,000, by estimates – had been hijacked by a cryptocurrency miner botnet dubbed Smominru that has been used to mine some 8,900 XMR.
The Smominru botnet leveraged a familiar weakness, making use of the US National Security Agency’s EternalBlue exploit that is perhaps most infamously remembered for its role in the WannaCry attacks in early 2017.
More recently, a malware worm named ADB.Miner was found to have infected some 7,000 Android devices, predominantly in China and South Korea.
ADB.Miner scans for hardware running Google's Android operating system and can hijack any Android-based device's CPU to mine Monero.
In January this year, Opera became the first major technology company to add cryptocurrency mining protection as a standard feature across all its mobile browsing platforms.
Research performed by Opera estimates that cryptojacking scripts affect over one billion users around the world, and that some three million websites have been exposed to such malware.