Windows 10: Microsoft (Telemetry) Foils Massive Coin-mining Exploit Attempt

  1.    09 Mar 2018 #1

    Microsoft (Telemetry) Foils Massive Coin-mining Exploit Attempt


    At this week's MVP conference Microsoft presented many terrific use cases to justify or explain the value of telemetry data, particularly from a security standpoint. This news story captures one so immediate that our security presenter hadn't even heard it yet: Massive Coin-Mining Attempt Targets Nearly Half a Million PCs - Infosecurity Magazine


    Massive Coin-Mining Attempt Targets Nearly Half a Million PCs

    Tara Seals (US/North America News Reporter, Infosecurity Magazine)

    Microsoft has averted a massive and widespread campaign that would have seen tens of thousands of machines impacted.

    The software giant reported that on March 6, "Windows Defender AV blocked more than 80,000 instances of several sophisticated Trojans that exhibited advanced cross-process injection techniques, persistence mechanisms and evasion methods." The Trojans, which are new variants of Dofoil (also known as Smoke Loader), carry a coin-miner payload.

    "Within the next 12 hours, more than 400,000 new instances were recorded, 73% of which were in Russia. Turkey accounted for 18% and Ukraine 4%," Microsoft stated. Dofoil uses a customized mining application that supports a function called NiceHash, which means it can mine different cryptocurrencies.

    The samples Microsoft analyzed mined Electroneum coins. It burrowed into systems using a process called process hollowing. “Process hollowing is a code injection technique that involves spawning a new instance of legitimate process...and then replacing the legitimate code with malware,” explained Mark Simos, lead cybersecurity architect for Microsoft’s enterprise cybersecurity group in a blog. “The hollowed explorer.exe process then spins up a second malicious instance, which drops and runs a coin mining malware masquerading as a legitimate Windows binary.”

    The attack was picked up on thanks to its use of an unusual persistence mechanism, which triggered behavior-based alerts. For coin-miner malware, it’s required to stay undetected for long periods in order to mine enough coins to make the attack worth its while.

    In this case, Dofoil modifies the registry. “The hollowed explorer.exe process creates a copy of the original malware in the Roaming AppData folder and renames it to ditereah.exe,” Simos said. “It then creates a registry key or modifies an existing one to point to the newly created malware copy. In the sample we analyzed, the malware modified the OneDrive Run key.”

    ....
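    An added audit script (not code from the thread, from Infosecurity Magazine or from Microsoft) that checks the persistence location the article describes: Run/RunOnce entries whose target sits in a user-writable profile folder such as Roaming AppData and is not validly signed. It assumes it runs in an elevated PowerShell session on the Windows host being checked and that the registry paths listed are the ones of interest; the ditereah.exe and OneDrive Run value details come from the quoted article.

```powershell
# Added example, not code from the thread or from Microsoft: a read-only audit of
# the autorun locations the article says Dofoil abused. Per the quoted blog, the
# hollowed explorer.exe copied the loader to %APPDATA%\ditereah.exe and repointed
# the OneDrive Run value at it, so we report Run/RunOnce entries whose target is
# in a user-writable profile folder and lacks a valid Authenticode signature.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Profile folders a vendor installer rarely uses for an autorun target (assumed set).
$userWritableRoots = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP) | Where-Object { $_ }
# Provider metadata that Get-ItemProperty attaches; these are not registry values.
$providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-AutorunTarget {
    # Extract the executable path from a Run value such as "C:\x\y.exe" /arg or C:\x\y.exe /arg.
    param([string]$Command)
    if ($Command -match '^\s*"([^"]+)"')  { return $Matches[1] }
    if ($Command -match '^\s*(\S+\.exe)') { return $Matches[1] }
    return $Command.Trim()
}

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $values = Get-ItemProperty -Path $key
    foreach ($prop in $values.PSObject.Properties) {
        if ($prop.Name -in $providerProps) { continue }
        $target = [Environment]::ExpandEnvironmentVariables((Get-AutorunTarget $prop.Value))
        # Does the resolved target live under one of the user-writable roots?
        $inProfile = [bool]($userWritableRoots | Where-Object { $target.StartsWith($_, 'OrdinalIgnoreCase') })
        # A missing file is itself worth a look: the entry points at something that is gone or renamed.
        $sigStatus = if ($target -and (Test-Path -LiteralPath $target)) {
            (Get-AuthenticodeSignature -FilePath $target).Status
        } else { 'Missing' }
        [pscustomobject]@{
            Key        = $key
            Name       = $prop.Name        # e.g. the OneDrive value the article says was repointed
            Target     = $target
            Signature  = $sigStatus
            # Signed binaries under the profile (OneDrive itself lives there) are tolerated;
            # an unsigned copy such as %APPDATA%\ditereah.exe trips the rule.
            Suspicious = ($inProfile -and ($sigStatus -ne 'Valid'))
        }
    }
}
```

    Pipe the output to `Where-Object Suspicious | Format-Table` to see only the flagged entries; compare anything flagged against what Defender's behavior monitoring reports before acting on it.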

  2.    09 Mar 2018 #1

    That's cool!


  3.
       09 Mar 2018 #2

    How does Telemetry fit into this?

    The description says it was blocked by Defender ("triggered behavior-based alerts").
    It doesn't say:
    • Telemetry reported unusual PC activity to MS
    • MS analysed the Telemetry
    • MS sent out a Defender update to stop the "coin miner"


    That said, if Telemetry actually did something useful it deserves credit. :)

    Telemetry certainly isn't fixing Windows Update issues though.


  4.
       09 Mar 2018 #3

    lehnerus2000 said:
    How does Telemetry fit into this?
    Like this...

    Microsoft said:
    Windows Defender AV initially flagged the attack’s unusual persistence mechanism through behavior monitoring, which immediately sent this behavior-based signal to our cloud protection service.
    1. Within milliseconds, multiple metadata-based machine learning models in the cloud started blocking these threats at first sight...
    https://cloudblogs.microsoft.com/mic...ning-campaign/

    Block at First Sight requires telemetry in Defender to be turned on.
    The feature is automatically enabled, as long as Cloud-based protection and Automatic sample submission are both turned on.
    Enable Windows Defender Block at First Sight in Windows 10

  5.    10 Mar 2018 #4

    Thanks, Bree: owing to the time difference, I was sleeping when Lehnerus's excellent query came through. I appreciate you stepping up to cover for me. And indeed Lehnerus, Bree was spot on in his citation to back up the information I presented. But thanks for asking anyway: one can never be too clear or explicit about such things.
    Best wishes,
    --Ed--


  6.
       10 Mar 2018 #5

    EdTittel said:
    Thanks, Bree: owing to the time difference, I was sleeping when Lehnerus's excellent query came through.
    TBH, it was past my bedtime too :) The article skipped over some details, but it did cite the blog I linked to which explained it in full.


  7.
       10 Mar 2018 #6

    Microsoft said:
    Windows Defender AV initially flagged the attack’s unusual persistence mechanism through behavior monitoring, which immediately sent this behavior-based signal to our cloud protection service.

    1. Within milliseconds, multiple metadata-based machine learning models in the cloud started blocking these threats at first sight...

    Thanks Bree. :)

    It's a pity that Tara Seals only included the bit, "triggered behavior-based alerts", and not the relevant bit that you posted.

    I thought that "behavior-based alerts" sounded like heuristics, which most (if not all) AV programs claim to include.

    It seems that Telemetry deserves kudos in this case. :)


  8.
       10 Mar 2018 #7

    lehnerus2000 said:
    Thanks Bree. :)
    It's a pity that Tara Seals only included the bit, "triggered behavior-based alerts", and not the relevant bit that you posted.
    She did at least include a link to the blog, which is where I got the details.


  9.
       10 Mar 2018 #8

    Great find - thanks Ed.


Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd