Dofoil trojan variant used to install cryptocurrency-mining malware

Issue
Microsoft’s Windows Defender Research group identified a new variant of the Win32/Dofoil remote access trojan which installed a cryptocurrency miner for Electroneum (ETN) coin.

Impact

The impact of this trend is severe, due in part to the trojan’s ability to download and execute code on command.  The Dofoil family of trojans give the attackers full command and control of the compromised system. In addition to crypto mining, the trojan has previously been used to install ransomware and other malicious code.

In this latest attack, Dofoil used a technique known as process hollowing, copying legitimate binaries for explorer.exe and swapping malware in its place.

Many attackers are using cryptocurrency mining as a major revenue stream.  During the WannaCry outbreak, at least two other groups used the same exploits to install crypto miners and subsequently earn millions of dollars (far better than the WannaCry authors fared.)

Recommendations

InGuardians recommends having a robust segmented network, with good instrumentation of inbound and outbound traffic.  Organizations can use network and host monitoring tools that identify unusual behavior and activity to help identify and contain malware outbreaks.  Some of the tools that can be used for detection and containment are Bro, Snort, and Windows Defender. Many anti-malware and threat protection services claim to detect and protect against cryptocurrency miners.

Detection of cryptocurrency miners is typically done by identifying the installation, code injection, or persistence mechanisms, as well as the coin mining itself.  While the miners that we are discussing here are hidden in running processes, there are many implementations of JavaScript miners that run in browsers.

In addition to segmentation and instrumentation, InGuardians recommends having a solid backup and recovery solutions in place.  These should be tested on a regular basis, with verification of the recovered systems.

Additional Resources

Win32/Dofoil (Microsoft Windows Defender Security Intelligence)

https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Win32%2FDofoil

DoFoil: Crypto-mining Malware Outbreak Infects 500,000 Computers In One Day (Newsweek)

http://www.newsweek.com/crypto-mining-malware-outbreak-infected-500000-computers-single-day-836145

The State of Malicious Crypto-mining (MalwareBytesBlog)

https://blog.malwarebytes.com/cybercrime/2018/02/state-malicious-cryptomining/