That's cool!
Massive Coin-Mining Attempt Targets Nearly Half a Million PCs - Infosecurity Magazine
At this week's MVP conference Microsoft presented many terrific use cases to justify or explain the value of telemetry data, particularly from a security standpoint. This news story captures one so immediate that our security presenter hadn't even heard it yet:
Massive Coin-Mining Attempt Targets Nearly Half a Million PCs
Tara Seals (US/North America News Reporter, Infosecurity Magazine)
Microsoft has averted a massive and widespread campaign that would have seen tens of thousands of machines impacted.
The software giant reported that on March 6, "Windows Defender AV blocked more than 80,000 instances of several sophisticated Trojans that exhibited advanced cross-process injection techniques, persistence mechanisms and evasion methods." The Trojans, which are new variants of Dofoil (also known as Smoke Loader), carry a coin-miner payload.
"Within the next 12 hours, more than 400,000 new instances were recorded, 73% of which were in Russia. Turkey accounted for 18% and Ukraine 4%," Microsoft stated.
Dofoil uses a customized mining application that supports a function called NiceHash, which means it can mine different cryptocurrencies.
The samples Microsoft analyzed mined Electroneum coins. It burrowed into systems using a process called process hollowing.
“Process hollowing is a code injection technique that involves spawning a new instance of legitimate process...and then replacing the legitimate code with malware,” explained Mark Simos, lead cybersecurity architect for Microsoft’s enterprise cybersecurity group in a blog. “The hollowed explorer.exe process then spins up a second malicious instance, which drops and runs a coin mining malware masquerading as a legitimate Windows binary.”
The attack was picked up on thanks to its use of an unusual persistence mechanism, which triggered behavior-based alerts. For coin-miner malware, it’s required to stay undetected for long periods in order to mine enough coins to make the attack worth its while.
In this case, Dofoil modifies the registry.
“The hollowed explorer.exe process creates a copy of the original malware in the Roaming AppData folder and renames it to ditereah.exe,” Simos said. “It then creates a registry key or modifies an existing one to point to the newly created malware copy. In the sample we analyzed, the malware modified the OneDrive Run key.”
....
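One defender-side check that follows from the persistence mechanism quoted above, as an added example that is not from the article or from anyone in this thread: a PowerShell audit of the Run keys that flags entries launched from the Roaming AppData folder, or pointing at an unsigned or missing binary. The key paths listed and the Roaming-folder test are this example's assumptions.

```powershell
# Added example, not code from the article or the thread. Audits the
# per-user and machine Run keys for the persistence pattern quoted above:
# a Run value (the OneDrive value in Microsoft's sample) redirected to a
# renamed copy of the malware under the Roaming AppData folder.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
$roaming = [Environment]::GetFolderPath('ApplicationData')   # %APPDATA%

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-ItemProperty -Path $key
    foreach ($prop in $item.PSObject.Properties) {
        # Get-ItemProperty adds PSPath, PSParentPath, PSChildName, PSDrive, PSProvider
        if ($prop.Name -like 'PS*') { continue }
        $cmd = [string]$prop.Value
        # Pull the executable out of the command line: quoted path or first token.
        if ($cmd -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
        else { $exe = ($cmd.Trim() -split '\s+')[0] }
        $exe = [Environment]::ExpandEnvironmentVariables($exe)

        $reasons = @()
        if ($exe -like "$roaming\*") { $reasons += 'launches from Roaming AppData' }
        if (Test-Path -LiteralPath $exe -PathType Leaf) {
            # Unsigned or tampered binaries in an autostart location deserve a look.
            $sig = Get-AuthenticodeSignature -FilePath $exe
            if ($sig.Status -ne 'Valid') { $reasons += "signature $($sig.Status)" }
        } else {
            $reasons += 'target file not found'
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Key     = $key
                Value   = $prop.Name
                Target  = $exe
                Reasons = ($reasons -join '; ')
            }
        }
    }
}
```

Run it in an elevated PowerShell session so the HKLM keys are readable; an empty result means no Run entry matched any of the three conditions.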
How does Telemetry fit into this?
The description says it was blocked by Defender ("triggered behavior-based alerts").
It doesn't say:
- Telemetry reported unusual PC activity to MS
- MS analysed the Telemetry
- MS sent out a Defender update to stop the "coin miner"
That said, if Telemetry actually did something useful it deserves credit. :)
Telemetry certainly isn't fixing Windows Update issues though.
Like this...
https://cloudblogs.microsoft.com/mic...ning-campaign/
Microsoft said:
Block at First Sight requires telemetry in Defender to be turned on.
https://www.tenforums.com/tutorials/...a.html#option1
The feature is automatically enabled, as long as Cloud-based protection and Automatic sample submission are both turned on.
Thanks, Bree: owing to the time difference, I was sleeping when Lehnerus's excellent query came through. I appreciate you stepping up to cover for me. And indeed Lehnerus, Bree was spot on in his citation to back up the information I presented. But thanks for asking anyway: one can never be too clear or explicit about such things.
Best wishes,
--Ed--
Thanks Bree. :)
Microsoft said:
It's a pity Tara Seals only included the bit, "triggered behavior-based alerts", and not the relevant bit that you posted.
I thought that "behavior-based alerts" sounded like heuristics, which most (if not all) AV programs claim to include.
It seems that Telemetry deserves kudos in this case. :)