Skip to main content
  1. Home
  2. Computing
  3. News

Windows Defender thwarts major malware attack directed mostly at Russian users

Kevin Parrish
By

On Thursday, March 8, Microsoft said that just before noon on Tuesday, Windows Defender blocked more than 80,000 instances of a massive malware attack that used a trojan called Dofoil, also known as Smoke Loader. Within the following 12 hours, Windows Defender blocked another 400,000 instances. Most of the smoky outbreak took place in Russia (73 percent) followed by Turkey (18 percent) and Ukraine (4 percent). 

Smoke Loader is a trojan that can retrieve a payload from a remote location once it infects a PC. It was last seen in a fake patch for the Meltdown and Spectre processor vulnerabilities, which downloaded various payloads for malicious purposes. But for the current outbreak in Russia and its neighboring countries, Smoke Loader’s payload was a cryptocurrency miner. 

Recommended Videos

“Because the value of Bitcoin and other cryptocurrencies continues to grow, malware operators see the opportunity to include coin mining components in their attacks,” Microsoft stated. “For example, exploit kits are now delivering coin miners instead of ransomware. Scammers are adding coin mining scripts in tech support scam websites. And certain banking trojan families added coin mining behavior.” 

Once on the PC, the Smoke Loader trojan launched a new instance of Explorer in Windows and placed it in a suspended state. The trojan then carved out a portion of the code used it to run in the system memory and filled that blank space with malware. After that, the malware could run undetected and delete the trojan components stored on the PC’s hard drive or SSD. 

Now disguised as the typical Explorer process running in the background, the malware launched a new instance of the Windows Update AutoUpdate Client service. Again, a section of the code was carved out, but coin mining malware filled the blank space instead. Windows Defender caught the miner red-handed because its Windows Update-based disguise ran from the wrong location. Network traffic stemming from this instance constituted highly suspicious activity as well. 

Because Smoke Loader needs an internet connection to receive remote commands, it relies on a command and control server located within the experimental, open-source Namecoin network infrastructure. According to Microsoft, this server tells the malware to sleep for a period of time, connect or disconnect to a specific IP address, download and execute a file from a specific IP address, and so on. 

“For coin miner malware, persistence is key. These types of malware employ various techniques to stay undetected for long periods of time in order to mine coins using stolen computer resources,” Microsoft says. That includes making a copy of itself and hiding out in the Roaming AppData folder and making another copy of itself to access IP addresses from the Temp folder. 

Microsoft says artificial intelligence and behavior-based detection helped thwart the Smoke Loader invasion but the company doesn’t state how victims received the malware. One possible method is the typical email campaign as seen with the recent fake Meltdown/Spectre patch, tricking recipients into downloading and installing/opening attachments.

Topics
Kevin Parrish
Kevin Parrish
Former Digital Trends Contributor
Kevin started taking PCs apart in the 90s when Quake was on the way and his PC lacked the required components. Since then…
The real reason so many laptops have moved to soldered RAM
The Intel 12th-gen Mainboard upgrade for the Framework Laptop.

The completely redesigned Dell XPS 14 and 16 came out this year as two of the most divisive laptops in recent memory. No, it wasn't just the capacitive touch buttons or invisible trackpad that caused an uproar -- it also moved to soldered RAM. This was a big change from the past, where the XPS 15 and 17 were both celebrated for their upgradability.

Of course, Dell isn't the first to make the transition. In fact, they're one of the last, which is what makes the decision so much tougher to swallow. Where soldered RAM was previously limited to just MacBooks and ultrabooks, it's now affecting most high-performance laptops for gaming as well. Even the fantastic ROG Zephyrus G14 moved to soldered memory this year.

Read more
How to check the storage space on your Mac
The About This Mac window showing storage usage, alongside a window offering suggestions on how to save storage spce in MacOS Monterey.

Upgrading storage on your Mac isn't always easy, or even possible, so knowing how much storage space you have, and how to free up more, is a great idea. Often when you buy a Mac, that's the storage you're stuck with -- although external drives and cloud storage are always an option.

Luckily, checking your available storage -- and then freeing up space for the things you want to keep -- is very easy to do. In this guide, we’ll walk you through the process of checking your Mac’s storage space, then show you a few quick ways of clearing out the junk you no longer need.

Read more
How to update your Gmail picture on desktop and mobile
A man holding a teacup staring at laptop screen.

There are lots of reasons why you'd want to change your Gmail profile picture. Maybe you have a great, new selfie you want to show off. Or you just want to update your work email with a photo that's recent and professional-looking. Whatever the reason, we can help you update your Gmail picture in just a few quick steps. We've also got you covered whether you choose to change your photo via Gmail's desktop website or through its mobile app.

Read more