Large-Scale Cryptocurrency Mining Campaign Detected in Russia
Microsoft has reported a large-scale malicious campaign aimed at spreading cryptocurrency mining software. According to the company, the operation began on March 6, 2018. Within the first 12 hours, experts recorded around 500,000 attempts to infect computers. The majority of attacks (73%) targeted Russia, with significant activity also observed in Turkey (18%) and Ukraine (4%).
During this campaign, attackers distributed several trojans from the Dofoil family (also known as Smoke Loader), which downloaded cryptocurrency mining programs onto victims' computers. The samples analyzed by experts were used to mine Electroneum, but it appears the miner could be configured to mine other cryptocurrencies as well.
How the Dofoil Trojan Infects Computers
To infect a computer, Dofoil uses a technique called Process Hollowing. This method allows attackers to create a process in a suspended state and then replace its image with the code they want to hide. To conceal its presence on the system, the trojan makes changes to the registry: it places a copy of itself in the Roaming AppData folder under the name ditereah.exe, and then creates a new registry key or modifies an existing one to point to that copy of the malware.
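The persistence pattern just described (an autorun registry value pointing at an executable dropped into the per-user Roaming AppData folder) can be checked for in registry-modification telemetry. The following is an added example written for this article, not code from Microsoft's report: it walks a list of constructed registry-set events laid out in a Sysmon-like shape (event ID 13 = registry value set) and flags values under the usual Run/RunOnce autorun keys whose data points into AppData\Roaming or its %APPDATA% alias. The event layout, the sample values and the choice of autorun keys are assumptions for illustration; the report does not say which key Dofoil used.

```python
"""Flag autorun registry values that point into a Roaming AppData directory.

Added detection example; the event format below is a constructed,
Sysmon-like shape (event_id 13 = registry value set) chosen for
illustration, not taken from the report.
"""
import re
from typing import List, NamedTuple


class RegEvent(NamedTuple):
    event_id: int       # 13 = registry value set (Sysmon convention)
    target_object: str  # full registry path of the value written
    details: str        # data written (a path or command line)


# Common autorun locations; a hypothetical subset used for the example.
AUTORUN_KEYS = (
    r"\Microsoft\Windows\CurrentVersion\Run",
    r"\Microsoft\Windows\CurrentVersion\RunOnce",
)

# An .exe path under <profile>\AppData\Roaming\... or under %APPDATA%,
# with or without surrounding quotes and trailing arguments.
ROAMING_EXE = re.compile(
    r'''(?:\\AppData\\Roaming|%APPDATA%)\\[^"']*?\.exe''', re.IGNORECASE
)


def is_suspicious(ev: RegEvent) -> bool:
    """True if a value-set event writes a Roaming-AppData executable into an autorun key."""
    if ev.event_id != 13:                      # only value writes carry data
        return False
    key = ev.target_object.lower()
    if not any(k.lower() in key for k in AUTORUN_KEYS):
        return False                           # not an autorun location
    return ROAMING_EXE.search(ev.details) is not None


def find_suspicious(events: List[RegEvent]) -> List[RegEvent]:
    """Return the events that match the Roaming-AppData autorun pattern."""
    return [ev for ev in events if is_suspicious(ev)]


# Constructed sample telemetry for one user hive (SID shortened).
SAMPLE_EVENTS = [
    RegEvent(13, r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
             r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'),
    RegEvent(13, r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\ditereah",
             r"C:\Users\bob\AppData\Roaming\ditereah.exe"),
    RegEvent(12, r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run", ""),
    RegEvent(13, r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\RunOnce\svc",
             r'"%APPDATA%\svc\svc.exe" -q'),
    RegEvent(13, r"HKU\S-1-5-21-1\Software\Vendor\Settings\LastPath",
             r"C:\Users\bob\AppData\Roaming\Vendor\tool.exe"),
]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print(f"suspicious autorun: {hit.target_object} -> {hit.details}")
```

Only the ditereah.exe value and the %APPDATA% RunOnce value are reported; the vendor autorun under Program Files, the bare key-creation event and the Roaming path written to a non-autorun key are ignored. In production this needs an allowlist, because some legitimate software does install into AppData\Roaming and register a Run entry there, so the match is a triage signal rather than a verdict.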
For communication with its command-and-control server, the malware uses the Namecoin infrastructure.
What Is Namecoin?
Namecoin is an experimental open-source technology designed to improve decentralization, security, resistance to regulation, privacy, and processing speed for certain components of Internet infrastructure, such as DNS and identification data.