
Windows Defender thwarts major malware attack directed mostly at Russian users

On Thursday, March 8, Microsoft said that just before noon on Tuesday, Windows Defender blocked more than 80,000 instances of a massive malware attack that used a trojan called Dofoil, also known as Smoke Loader. Within the following 12 hours, Windows Defender blocked another 400,000 instances. Most of the smoky outbreak took place in Russia (73 percent) followed by Turkey (18 percent) and Ukraine (4 percent). 

Smoke Loader is a trojan that can retrieve a payload from a remote location once it infects a PC. It was last seen in a fake patch for the Meltdown and Spectre processor vulnerabilities, which downloaded various payloads for malicious purposes. But for the current outbreak in Russia and its neighboring countries, Smoke Loader’s payload was a cryptocurrency miner. 

“Because the value of Bitcoin and other cryptocurrencies continues to grow, malware operators see the opportunity to include coin mining components in their attacks,” Microsoft stated. “For example, exploit kits are now delivering coin miners instead of ransomware. Scammers are adding coin mining scripts in tech support scam websites. And certain banking trojan families added coin mining behavior.” 

Once on the PC, the Smoke Loader trojan launched a new instance of Explorer in Windows and placed it in a suspended state. The trojan then carved out the portion of code that Explorer used to run in system memory and filled that blank space with malware. After that, the malware could run undetected and delete the trojan components stored on the PC’s hard drive or SSD. 

Now disguised as the typical Explorer process running in the background, the malware launched a new instance of the Windows Update AutoUpdate Client service. Again, a section of the code was carved out, but coin mining malware filled the blank space instead. Windows Defender caught the miner red-handed because its Windows Update-based disguise ran from the wrong location. Network traffic stemming from this instance constituted highly suspicious activity as well. 

Because Smoke Loader needs an internet connection to receive remote commands, it relies on a command and control server located within the experimental, open-source Namecoin network infrastructure. According to Microsoft, this server tells the malware to sleep for a period of time, connect to or disconnect from a specific IP address, download and execute a file from a specific IP address, and so on. 

“For coin miner malware, persistence is key. These types of malware employ various techniques to stay undetected for long periods of time in order to mine coins using stolen computer resources,” Microsoft says. That includes making a copy of itself and hiding out in the Roaming AppData folder and making another copy of itself to access IP addresses from the Temp folder. 
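The two signals the article describes, a Windows binary's name running from somewhere other than its real directory and an executable living in Roaming AppData or Temp, can be checked from process-creation telemetry. The Python below is an added illustration, not Microsoft's or the article's code; the sample events, the expected-directory table and the field names are assumptions.

```python
import ntpath
import re

# Constructed sample process-creation events (not real telemetry).
# "dest" is the destination of an outbound connection, if one was seen.
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Windows\explorer.exe", "dest": None},
    {"pid": 5232, "image": r"C:\Windows\System32\wuauclt.exe", "dest": "13.107.4.50:443"},
    {"pid": 6044, "image": r"C:\Users\alice\AppData\Local\Temp\wuauclt.exe", "dest": "203.0.113.9:14444"},
    {"pid": 6100, "image": r"C:\Users\alice\AppData\Roaming\explorer.exe", "dest": None},
    {"pid": 6300, "image": r"C:\Users\alice\AppData\Roaming\updater.exe", "dest": "198.51.100.7:3333"},
]

# The two binaries the article names as disguises, mapped to the only
# directory each legitimately runs from (assumed, lower-cased for comparison).
EXPECTED_DIRS = {
    "explorer.exe": r"c:\windows",
    "wuauclt.exe": r"c:\windows\system32",
}

# Roaming AppData and the per-user Temp folder, the hiding places named in the article.
USER_WRITABLE = re.compile(r"\\appdata\\(roaming|local\\temp)\\", re.IGNORECASE)


def classify(event):
    """Return the list of reasons an event is suspicious (empty if none)."""
    image = event["image"]
    name = ntpath.basename(image).lower()
    directory = ntpath.dirname(image).lower()
    reasons = []
    expected = EXPECTED_DIRS.get(name)
    if expected is not None and directory != expected:
        # Same name as a Windows binary, but not where that binary lives.
        reasons.append("system-binary-name-from-wrong-location")
    if USER_WRITABLE.search(image):
        reasons.append("executing-from-user-writable-dir")
        if event["dest"]:
            # A user-writable-dir executable talking to the network is worth a look.
            reasons.append("network-from-user-writable-dir")
    return reasons


def suspicious_pids(events):
    """PIDs of every event that triggered at least one reason."""
    return [e["pid"] for e in events if classify(e)]
```
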

Microsoft says artificial intelligence and behavior-based detection helped thwart the Smoke Loader invasion, but the company doesn’t state how victims received the malware. One possible method is the typical email campaign, as seen with the recent fake Meltdown/Spectre patch, which tricks recipients into downloading and opening or installing attachments.

Kevin Parrish
Former Digital Trends Contributor