Microsoft (Telemetry) Foils Massive Coin-mining Exploit Attempt


    Posted: 09 Mar 2018

    At this week's MVP conference Microsoft presented many terrific use cases to justify or explain the value of telemetry data, particularly from a security standpoint. This news story captures one so immediate that our security presenter hadn't even heard it yet: Massive Coin-Mining Attempt Targets Nearly Half a Million PCs - Infosecurity Magazine


    Massive Coin-Mining Attempt Targets Nearly Half a Million PCs

    Tara Seals (US/North America News Reporter, Infosecurity Magazine)

    Microsoft has averted a massive and widespread campaign that would have seen tens of thousands of machines impacted.

    The software giant reported that on March 6, "Windows Defender AV blocked more than 80,000 instances of several sophisticated Trojans that exhibited advanced cross-process injection techniques, persistence mechanisms and evasion methods." The Trojans, which are new variants of Dofoil (also known as Smoke Loader), carry a coin-miner payload.

    "Within the next 12 hours, more than 400,000 new instances were recorded, 73% of which were in Russia. Turkey accounted for 18% and Ukraine 4%," Microsoft stated. Dofoil uses a customized mining application that supports a function called NiceHash, which means it can mine different cryptocurrencies.

    The samples Microsoft analyzed mined Electroneum coins. It burrowed into systems using a process called process hollowing. “Process hollowing is a code injection technique that involves spawning a new instance of legitimate process...and then replacing the legitimate code with malware,” explained Mark Simos, lead cybersecurity architect for Microsoft’s enterprise cybersecurity group in a blog. “The hollowed explorer.exe process then spins up a second malicious instance, which drops and runs a coin mining malware masquerading as a legitimate Windows binary.”

    The attack was picked up on thanks to its use of an unusual persistence mechanism, which triggered behavior-based alerts. For coin-miner malware, it’s required to stay undetected for long periods in order to mine enough coins to make the attack worth its while.

    In this case, Dofoil modifies the registry. “The hollowed explorer.exe process creates a copy of the original malware in the Roaming AppData folder and renames it to ditereah.exe,” Simos said. “It then creates a registry key or modifies an existing one to point to the newly created malware copy. In the sample we analyzed, the malware modified the OneDrive Run key.”

    ....
    EdTittel's Avatar Posted By: EdTittel
    09 Mar 2018
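    The persistence step the article quotes (a hollowed explorer.exe writing a Run value that points to a renamed copy in the Roaming AppData folder) is exactly the kind of signal behavior monitoring keys on. As an added example, not code from the article, Microsoft or this thread, here is detection logic run over constructed Sysmon-style "registry value set" records; the event field names, the user path and the benign OneDrive entry are assumptions, only the ditereah.exe name and the OneDrive Run key come from the article.

```python
import re

# Constructed Sysmon-style Event ID 13 (RegistryEvent: value set) records, not real telemetry.
# Image = process that wrote the value, TargetObject = registry path, Details = value data.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\alice\AppData\Roaming\ditereah.exe"},
    {"Image": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDriveSetup.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)"},
]

# Only Run / RunOnce values are autostart entries; capture the value name (e.g. "OneDrive").
RUN_KEY = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\(?P<name>[^\\]+)$", re.IGNORECASE)
ROAMING = re.compile(r"\\AppData\\Roaming\\", re.IGNORECASE)


def first_path(details: str) -> str:
    """Return the executable path from a Run value's data, dropping quotes and arguments."""
    d = details.strip()
    if d.startswith('"'):
        return d[1:d.find('"', 1)]
    return d.split(" ")[0]


def classify(event: dict):
    """Return None for non-autostart writes, otherwise the entry plus the reasons it looks odd."""
    m = RUN_KEY.search(event["TargetObject"])
    if not m:
        return None
    target = first_path(event["Details"])
    reasons = []
    if ROAMING.search(target):
        reasons.append("run value points into AppData\\Roaming")
    # explorer.exe does write Run values on occasion, so this is a triage signal, not proof.
    if event["Image"].lower().endswith(r"\explorer.exe"):
        reasons.append("run value written by explorer.exe")
    return {"value_name": m.group("name"), "target": target, "reasons": reasons}


def suspicious_run_entries(events):
    """Filter to autostart writes that carry at least one reason for review."""
    return [c for c in map(classify, events) if c and c["reasons"]]


if __name__ == "__main__":
    for hit in suspicious_run_entries(SAMPLE_EVENTS):
        print(hit["value_name"], "->", hit["target"], "|", "; ".join(hit["reasons"]))
```

The benign OneDrive entry (written by the installer, pointing into AppData\Local) is not reported, while the ditereah.exe entry is flagged on both counts.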


  1. Posts : 7,254
    Windows 10 Pro 64-bit
       #1

    That's cool!


  2. Posts : 1,811
    W7 Ultimate SP1 (64 bit), LM 19.2 MATE (64 bit), W10 Home 1703 (64 bit), W10 Pro 1703 (64 bit) VM
       #2

    How does Telemetry fit into this?

    The description says it was blocked by Defender ("triggered behavior-based alerts").
    It doesn't say:
    • Telemetry reported unusual PC activity to MS
    • MS analysed the Telemetry
    • MS sent out a Defender update to stop the "coin miner"


    That said, if Telemetry actually did something useful it deserves credit. :)

    Telemetry certainly isn't fixing Windows Update issues though.


  3. Posts : 31,594
    10 Home x64 (22H2) (10 Pro on 2nd pc)
       #3

    lehnerus2000 said:
    How does Telemetry fit into this?
    Like this...

    Microsoft said:
    Windows Defender AV initially flagged the attack’s unusual persistence mechanism through behavior monitoring, which immediately sent this behavior-based signal to our cloud protection service.
    1. Within milliseconds, multiple metadata-based machine learning models in the cloud started blocking these threats at first sight...
    https://cloudblogs.microsoft.com/mic...ning-campaign/

    Block at First Sight requires telemetry in Defender to be turned on.
    The feature is automatically enabled, as long as Cloud-based protection and Automatic sample submission are both turned on.
    https://www.tenforums.com/tutorials/...a.html#option1


  4. Posts : 4,224
    Windows 10
    Thread Starter
       #4

    Thanks, Bree: owing to the time difference, I was sleeping when Lehnerus's excellent query came through. I appreciate you stepping up to cover for me. And indeed Lehnerus, Bree was spot on in his citation to back up the information I presented. But thanks for asking anyway: one can never be too clear or explicit about such things.
    Best wishes,
    --Ed--


  5. Posts : 31,594
    10 Home x64 (22H2) (10 Pro on 2nd pc)
       #5

    EdTittel said:
    Thanks, Bree: owing to the time difference, I was sleeping when Lehnerus's excellent query came through.
    TBH, it was past my bedtime too :) The article skipped over some details, but it did cite the blog I linked to which explained it in full.


  6. Posts : 1,811
    W7 Ultimate SP1 (64 bit), LM 19.2 MATE (64 bit), W10 Home 1703 (64 bit), W10 Pro 1703 (64 bit) VM
       #6

    Microsoft said:
    Windows Defender AV initially flagged the attack’s unusual persistence mechanism through behavior monitoring, which immediately sent this behavior-based signal to our cloud protection service.

    1. Within milliseconds, multiple metadata-based machine learning models in the cloud started blocking these threats at first sight...

    Thanks Bree. :)

    It's a pity that Tara Seals only included the bit, "triggered behavior-based alerts", and not the relevant bit that you posted.

    I thought that "behavior-based alerts" sounded like heuristics, which most (if not all) AV programs claim to include.

    It seems that Telemetry deserves kudos in this case. :)


  7. Posts : 31,594
    10 Home x64 (22H2) (10 Pro on 2nd pc)
       #7

    lehnerus2000 said:
    Thanks Bree. :)
    It's a pity that Tara Seals only included the bit, "triggered behavior-based alerts", and not the relevant bit that you posted.
    She did at least include a link to the blog, which is where I got the details.


  8. Posts : 1,656
    Windows 10 Pro x64
       #8

    Great find - thanks Ed.


 

Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd