Skip to main content

Windows Defender thwarts major malware attack directed mostly at Russian users

On Thursday, March 8, Microsoft said that just before noon on Tuesday, Windows Defender blocked more than 80,000 instances of a massive malware attack that used a trojan called Dofoil, also known as Smoke Loader. Within the following 12 hours, Windows Defender blocked another 400,000 instances. Most of the smoky outbreak took place in Russia (73 percent) followed by Turkey (18 percent) and Ukraine (4 percent). 

Smoke Loader is a trojan that can retrieve a payload from a remote location once it infects a PC. It was last seen in a fake patch for the Meltdown and Spectre processor vulnerabilities, which downloaded various payloads for malicious purposes. But for the current outbreak in Russia and its neighboring countries, Smoke Loader’s payload was a cryptocurrency miner. 

Related Videos

“Because the value of Bitcoin and other cryptocurrencies continues to grow, malware operators see the opportunity to include coin mining components in their attacks,” Microsoft stated. “For example, exploit kits are now delivering coin miners instead of ransomware. Scammers are adding coin mining scripts in tech support scam websites. And certain banking trojan families added coin mining behavior.” 

Once on the PC, the Smoke Loader trojan launched a new instance of Explorer in Windows and placed it in a suspended state. The trojan then carved out a portion of the code used it to run in the system memory and filled that blank space with malware. After that, the malware could run undetected and delete the trojan components stored on the PC’s hard drive or SSD. 

Now disguised as the typical Explorer process running in the background, the malware launched a new instance of the Windows Update AutoUpdate Client service. Again, a section of the code was carved out, but coin mining malware filled the blank space instead. Windows Defender caught the miner red-handed because its Windows Update-based disguise ran from the wrong location. Network traffic stemming from this instance constituted highly suspicious activity as well. 

Because Smoke Loader needs an internet connection to receive remote commands, it relies on a command and control server located within the experimental, open-source Namecoin network infrastructure. According to Microsoft, this server tells the malware to sleep for a period of time, connect or disconnect to a specific IP address, download and execute a file from a specific IP address, and so on. 

“For coin miner malware, persistence is key. These types of malware employ various techniques to stay undetected for long periods of time in order to mine coins using stolen computer resources,” Microsoft says. That includes making a copy of itself and hiding out in the Roaming AppData folder and making another copy of itself to access IP addresses from the Temp folder. 

Microsoft says artificial intelligence and behavior-based detection helped thwart the Smoke Loader invasion but the company doesn’t state how victims received the malware. One possible method is the typical email campaign as seen with the recent fake Meltdown/Spectre patch, tricking recipients into downloading and installing/opening attachments.

Editors' Recommendations

This popular gaming laptop with an RTX 3050 Ti is surprisingly cheap
A person using the Asus TUF F15 gaming laptop.

One of the best laptop deals for gaming and is over at Best Buy. You can buy the Asus TUF Gaming A15 gaming laptop for $800 with a chunky saving of $280 compared to its usual price of $1,080. One of the best gaming laptop deals around for anyone on a budget but still keen to game, let's take a quick look at why the Asus TUF Gaming A15 gaming laptop is worth it. Remember -- it won't stay this price forever.

Why you should buy the Asus TUF Gaming A15 gaming laptop
The Asus TUF Gaming A15 gaming laptop won't rival the very best gaming laptops but that's hardly surprising at this price. What it does offer is great value for money. It has an AMD Ryzen 7 6800H processor along with 8GB of memory and 512GB of SSD storage. More memory would definitely be useful in a gaming laptop but everything else is pretty good. For the graphics card, there's an Nvidia GeForce RTX 3050 Ti card which means you'll be able to play most games provided you don't mind adjusting the detail level a little with the more high-end ones. Paired with that is the laptop's 15.6-inch full HD screen with a 144Hz refresh rate. It features adaptive sync to cut down on screen tearing so you can play speedy games without an issue.

Read more
Good news — Nvidia’s RTX 4070 might not be a lost cause after all
The RTX 4070 Ti graphics card on a pink background.

We've got some tentative good news on Nvidia's upcoming RTX 4070 -- it might not be as expensive as it was originally assumed. While Moore's Law Is Dead claimed the GPU would cost at least $750, today's scoop shows that the YouTuber may have been wrong.

A new report tells us that Nvidia will set the price of the RTX 4070 to $600. That would be much more reasonable, but will the card's performance be impressive enough to make it rank well among the best GPUs in 2023?

Read more
GPT-4: how to use, new features, availability, and more
A laptop opened to the ChatGPT website.

ChatGPT-4 has officially arrived, confirming the longtime rumors around its improvements to the already incredibly impressive language skills of OpenAI's ChatGPT.

OpenAI calls it the company's "most advanced system, producing safer and more useful responses." Here's everything you need to know about it, including how to use it and what it can do.

Read more