Disruption of a large-scale hacker attack on Windows users

On March ? Windows Defender blocked more than 8?000 copies of several complex Trojans that used sophisticated methods of introducing malicious code into the address space of processes and no less sophisticated mechanisms for ensuring stability and evading detection. Identify a new wave of attempts to infect succeeded thanks to signals from the systems of behavioral analysis in combination with cloud models of machine learning.
 
 
Disruption of a large-scale hacker attack on Windows users
 
 
The Trojans used in the attack were new versions of Dofoil (also known as Smoke Loader). They tried to infect devices with a malicious program for mining crypto currency. Over the next 12 hours, more than 40?000 attacks were recorded, of which 73% are in Russia, 18% in Turkey and 4% in Ukraine.
 
 
 
 
Geographical distribution of the components of the Dofoil attack.
 
 
At the very beginning of the attack, using behavioral monitoring, the Windows Defender antivirus detected an unusual mechanism for the stability and stability of the attack. Antivirus immediately sent the appropriate signal to our cloud security service.
 
 
 
Within a few milliseconds, numerous cloud-based machine learning models based on metadata already blocked the detected threat when it appeared.
 
In a couple of seconds our models of machine learning based on the analysis of samples and detonation confirmed that the program is reasonably attributed to malicious. A few minutes later, models connected with detonation were connected and further confirmed the conclusions of the previous mechanisms.
 
A few minutes after the attack began, the anomaly detection service notified our specialists about a new potential outbreak of infection.
 
After conducting the analysis, the Microsoft Incident Response Team assigned a threat to this new wave to the name corresponding to the classification of the families of malicious programs. Thus, at the very beginning of the company, users received a warning about blocking this threat, in which it appeared under the names assigned to machine learning systems (for example, Fuery, Fuerboos, Cloxer or Azden). Those who were later blocked the threat, saw it under the name of the malware family to which it belongs, that is, Dofoil or Coinminer.
 
 
Users of Windows 1? Windows 8.1 and Windows 7 with the Windows Defender or Microsoft Security Essentials antivirus software are fully protected from this malicious flash.
 
 
 
 
Multilevel protection system based on machine learning in the antivirus program of Windows Defender
 
 
Artificial intelligence and detection of threats based on the analysis of behavior in Windows Defender are the basis of our protection system. Against this attack, a mechanism for proactive protection based on artificial intelligence was applied. This approach is similar to multi-level defense based on machine learning, which allowed to stop the outbreak of Emotet infection last month.
 
 

Code implementation and mining of crypto currency


 
Dofoil - the newest family of malware, which uses in its attacks programs for cryptomaming. The cost of bitcoin and other crypto-currencies remains attractive, and attackers take advantage of the opening opportunities and build the mining components into attacks. For example, modern sets of exploits do not contain extortion programs, but means for minimizing crypto-currency. Scripts for mining are introduced into fraudulent technical support sites, and even some banking Trojans are added with mining functions.
 
 
The starting point of the Dofoil campaign, which we discovered on March ? was a Trojan that replaces the explorer.exe process. Process replacement is a code injection method, in which a new instance of a genuine process is created (in this case c: windowssyswow64explorer.exe) and its code is replaced by malicious code.
 
 
 
 
The detection of the replacement process by the Windows Defender ATP service (SHA-256: d191ee5b20ec95fe65d6708cbb01a6ce72374b309c9bfb7462206a0c7e039f4d, was detected by the Windows Defender antivirus as TrojanDownloader: Win32 /Dofoil.AB)
 
 
The dummy process explorer.exe then creates a second instance of the malicious code that launches the mining program that masks the safe Windows binary file, wuauclt.exe.
 
 
 
 
Detection of malware for the crypto currency by the Widows Defender ATP service (SHA-256: 2b83c69cf32c5f8f43ec2895ec9ac730bf73e1b2f37e44a3cf8ce814fb51f12? was detected by the Windows Defender antivirus as Trojan: Win32 /CoinMiner.D)
 
 
Although a malicious program uses the name of a reliable Windows binary file, it starts from a different location. The command line does not look like the original binary file. In addition, network traffic from this binary file causes suspicion.
 
 
 
 
Windows Defender ATP notification tree: anomalous data exchange over IP protocol
 
 
 
 
Suspicious network activity displayed in the ATP service in Windows Defender
 
 
 
 
The Windows Defender ATP notification process tree: a fictitious process explorer.exe, which creates suspicious connections
 
 
Dofoil uses a specialized application for mining. Judging by the code, this application supports NiceHash, that is, it can lead different crypto currency. The samples analyzed by us were used for mining the crypto currency Electroneum.
 
 

Stability


 
Stability is an important feature of malicious mining software. Such programs use a variety of techniques to remain undetected for a long time and to lead the crypto currency using stolen computing resources.
 
 
To evade detection, Dofoil modifies the registry. The dummy process explorer.exe creates a copy of the original malware in the Roaming AppData folder and renames it to the ditereah.exe file. Then it creates a registry key or changes an existing one to point to a newly created copy of the malware. In the sample we analyzed, the OneDrive Run partition was changed.
 
 
 
 
 
Windows Defender ATP notification tree: create a new malicious process (SHA-256: d191ee5b20ec95fe65d6708cbb01a6ce72374b309c9bfb7462206a0c7e039f4d) and modify the registry
 
 

Exchange of information with management and control servers


 
Dofoil is a stable family of Trojan bootloaders. They connect to the management and monitoring servers (C & C), from which they receive commands for downloading and installing malware. In the March 6 campaign, the Dofoil Trojans used the decentralized network infrastructure to exchange information with management and monitoring servers. Namecoin .
 
 
The dummy process explorer.exe writes and runs another binary file, D1C6.tmp.exe (SHA256: 5f3efdc65551edb0122ab2c40738c48b677b1058f7dfcdb86b05af42a2d8299c), in the Temp folder. This file then creates and runs its copy as lyk.exe. The launched lyk.exe file connects to IP addresses that act as DNS proxy servers for the Namecoin network. Then the file tries to communicate with the control and monitoring server vinik.bit in the NameCoin infrastructure. The management and control server gives the malware the command to connect to or disconnect from the IP address, upload the file by a specific link, launch a specific file or abort its execution, or go into hibernation for a while.
 
 
 
 
Windows Defender ATP notification tree: create a temporary file D1C6.tmp.exe (SHA256: 5f3efdc65551edb0122ab2c40738c48b677b1058f7dfcdb86b05af42a2d8299c)
 
 
 
 
The notification process tree in Windows Defender ATP: connect the lyk.exe file to the IP addresses
 
 

Real-time protection in Windows 10


 
As the cost increases, the cybercriminal group of cybercriminals are making more attacks to penetrate the network and unnoticed mining.
 
 
Antivirus program Windows Defenders A multi-level approach to security. The use of threat detection algorithms based on behavior analysis, universal templates and heuristic analysis, as well as machine learning models on client devices and in the cloud, provides protection against new threats and epidemics in real time.
 
 
As can be seen from the example of this case, the Windows Defender Advanced Threat Protection service ( WDATP ) Signals malicious behavior associated with software installation, code injection, stability mechanisms, and operations for crypto currency mining. Security services can use extensive WDATP libraries to detect abnormal actions on the network and take the necessary measures. WDATP also includes protection from the antivirus program Windows Defender Antivirus, Windows Defender Exploit Guard and Windows Defender Application Guard, simplifying security management.
+ 0 -

Add comment