The trend of hijacking unsuspecting users computer to mine cryptocurrency continues, and the attacks take different forms. On March 6th, Windows Defender Anti-Virus (AV) detected and largely blocked a malware that infected nearly 500,000 computers and installed cryptocurrency miner code without the knowledge of users.
Cryptocurrency mining is a complex, resource-intensive, and competitive process. A combination of specially designed hardware, special-purpose software, and their users is called “Miner”. A miner is successful when he creates a new block in the blockchain underlying the particular cryptocurrency. Miners get a small fraction of the cryptocurrency when they are successful in creating a new block. Since miners are rewarded in this way for creating new blocks, the process is highly competitive. To create a new block, a miner has to solve a cryptographic puzzle, essentially by executing massive number-crunching operations very fast, in a competitive environment. This is why the software is typically very powerful, and the hardware also has to be powerful enough to support the software. Miners often use Graphics Processing Units (GPUs) along with the Central Processing Unit (CPU) of the computer. How resource-intensive is cryptocurrency mining? Consider this: by the end of 2018, energy consumed by cryptocurrency mining operations in Iceland will surpass the entire domestic energy consumption in the country!
While the early adopters of cryptocurrency mining had good return on investment (RoI), as time wears on, the RoI diminishes, due to increasing competition. Also, consider the fact that usually there is a cap on the maximum number of a cryptocurrency, for e.g. 21 million for Bitcoin, and you can see that in future the RoI from mining will diminish further. The economics of mining is such that unscrupulous miners will want to grab other people’s computing power to mine cryptocurrencies, since doing so gives them access to larger computing powers and increase their chances of success. Cryptocurrency mining code being highly resource-intensive, it can slow down the computer or even damage it. For a user who is not into cryptocurrency mining, having her computer hijacked by miners can be very irritating, and potentially damaging.
In the particular instance on March 6th, the malware worked in the following manner:
- It was a Dofoil malware, which is also called ‘Smoke Loader‘.
- It used a customized mining application, in this case for Electroneum coin. This crypto token can be mined using phones, which may have provided additional incentives to the hackers.
- It spawned a new instance of a legitimate process thus tricking the process monitoring tools, but the malicious code ran instead of original one.
- It then created a second malicious instance that installed a crypto mining malware posing as a valid Windows binary.
- To use the computer for mining operation for a lengthy period of time, the Dofoil malware modified the Windows registry.
- Dofoil also connected to a remote command and control server to listen for new command including installing additional malware.
Out the nearly 500,000 computers infected, 73% were in Russia, 18% in Turkey, and 4% in Ukraine. The attack continued for 12 hours.
Windows Defender AV first noticed more than 80,000 instances of Dofoil instances, which raised the alarm immediately, and further 400,000 instances were recorded within the next 12 hours. Microsoft states that their behavior-based and cloud-powered machine learning (ML) models detected the new malware within milliseconds. The ML models identified these as malicious threats within seconds and started to actively block these within minutes.
As reported earlier, Google‘s popular ad serving service DoubleClick was attacked by Monero cryptocurrency miners in January 2018. In December 2017, an American, Noah Dinkin, while visiting a Starbucks coffee shop in Buenos Aires, Argentina, found crypto miner for Monero installed in his laptop when he connected to the WiFi in the shop. Even earlier, a player of the popular online game Fortnite had distributed Bitcoin mining code to the other players.
Companies specializing on cyber security, for e.g. Trend Micro, recommends regularly updating one’s computer with the latest patches. In case of this Dofoil attack too, Microsoft claimed that their ML models have successfully identified the threat, and all computers with Windows Defender AV are now automatically protected.