{"id":3117,"date":"2018-03-12T12:41:59","date_gmt":"2018-03-12T19:41:59","guid":{"rendered":"https:\/\/zed.inguardians.com\/?p=3117"},"modified":"2019-08-19T13:40:42","modified_gmt":"2019-08-19T20:40:42","slug":"dofoil-trojan-variant-used-to-install-cryptocurrency-mining-malware","status":"publish","type":"post","link":"https:\/\/zed.inguardians.com\/brief\/dofoil-trojan-variant-used-to-install-cryptocurrency-mining-malware\/","title":{"rendered":"Dofoil Trojan Variant Used to Install Cryptocurrency-Mining malware"},"content":{"rendered":"
Dofoil trojan variant used to install cryptocurrency-mining malware<\/h5>\n
\n

Issue<\/strong><\/p>\n

Microsoft\u2019s Windows Defender Research group identified a new variant of the Win32\/Dofoil remote access trojan that installs a cryptocurrency miner for the Electroneum (ETN) coin.<\/p>\n

Impact<\/strong><\/p>\n

The impact is severe, due in part to the trojan\u2019s ability to download and execute arbitrary code on command. The Dofoil family gives an attacker full command and control of the compromised system; in addition to coin mining, it has previously been used to install ransomware and other malicious code.<\/p>\n

In this latest campaign, Dofoil used a technique known as process hollowing: it launches a new, suspended instance of the legitimate explorer.exe, replaces that process\u2019s code in memory with the malware, and then resumes it. The malicious code therefore runs under the name and on-disk path of a trusted Windows binary, and tools that only inspect the file on disk see a legitimately signed explorer.exe.<\/p>\n

Many attackers now use cryptocurrency mining as a major revenue stream. During the WannaCry outbreak, at least two other groups used the same exploits to install crypto miners and went on to earn millions of dollars (far better than the WannaCry authors fared).<\/p>\n

Recommendations<\/strong><\/p>\n

InGuardians recommends a well-segmented network with good instrumentation of inbound and outbound traffic. Network and host monitoring tools that flag unusual behavior help identify and contain malware outbreaks; Bro (now Zeek), Snort, and Windows Defender are among the tools that can be used for detection and containment. Many anti-malware and threat protection products claim to detect and block cryptocurrency miners, but that coverage should be verified rather than assumed.<\/p>\n

Detection of cryptocurrency miners is typically done by identifying the installation, code injection, or persistence mechanisms, as well as the coin mining itself, which shows up as sustained CPU load from an unexpected process and outbound connections to mining pools. While the miners discussed here hide inside running processes, there are many JavaScript miners that run in the browser, leave nothing on disk, and therefore have to be caught at the network or browser level.<\/p>\n
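The following is an added example written for this brief (it is not code from InGuardians or from Microsoft\u2019s Dofoil write-up) that puts the three indicator classes above, plus the explorer.exe hollowing described under Impact, into one host-and-network check. It walks a list of Sysmon-style events constructed for the example (field names follow Sysmon\u2019s Image, ParentImage, TargetObject and DestinationPort, but the records themselves are made up), flags a hollowing host (explorer.exe started by the wrong parent), a masquerading copy, a Run-key persistence write and a connection to a mining-pool port, and separately matches a constructed Stratum login as a network sensor would see it on the wire. The parent allowlist, the pool port list and the Stratum method names are assumptions to tune for your environment.<\/p>\n

```python
"""Indicator checks for a coin-mining trojan that hollows explorer.exe.

Added example, not code from the brief or from Microsoft.  Runs over
constructed Sysmon-style events (not real telemetry) and flags the
indicator classes the brief names: code injection, persistence, and the
mining traffic itself.
"""
import re

# Assumed: where a genuine explorer.exe lives and which processes may start it.
EXPLORER_PATH = r"c:\windows\explorer.exe"
EXPLORER_PARENTS = {r"c:\windows\system32\userinit.exe", r"c:\windows\explorer.exe"}

# Assumed: TCP ports commonly used by public mining pools (tune for your network).
POOL_PORTS = {3333, 4444, 5555, 7777, 8888, 9999, 14444, 45700}

# Stratum is newline-delimited JSON-RPC; these method names cover the Bitcoin-style
# ("mining.*") and the Monero/Electroneum-style ("login"/"getjob"/"submit") dialects.
STRATUM_METHOD = re.compile(
    rb'"method"\s*:\s*"(mining\.(subscribe|authorize|submit)|login|getjob|submit)"')


def _norm(path):
    return path.replace("/", "\\").lower()


def _basename(path):
    return _norm(path).rsplit("\\", 1)[-1]


def finding(ev, indicator, reason):
    return {"pid": ev["ProcessId"], "image": ev["Image"],
            "indicator": indicator, "reason": reason}


def check_process_create(ev):
    """Sysmon event 1.  The trojan spawns a fresh explorer.exe and replaces its
    code in memory, so the tell is the parent: a real explorer.exe is started by
    userinit.exe at logon (or by another explorer.exe), not by a dropper."""
    if _basename(ev["Image"]) != "explorer.exe":
        return None
    if _norm(ev["Image"]) != EXPLORER_PATH:
        return finding(ev, "masquerade", "explorer.exe running from " + ev["Image"])
    if _norm(ev["ParentImage"]) not in EXPLORER_PARENTS:
        return finding(ev, "hollowing", "explorer.exe started by " + ev["ParentImage"])
    return None


def check_registry_set(ev):
    """Sysmon event 13.  A Run/RunOnce value written by the hollowed process
    is the persistence stage."""
    target = _norm(ev["TargetObject"])
    if "\\currentversion\\run\\" in target or "\\currentversion\\runonce\\" in target:
        return finding(ev, "persistence",
                       "Run key " + ev["TargetObject"] + " -> " + ev.get("Details", "?"))
    return None


def check_network_connect(ev):
    """Sysmon event 3.  The mining stage talks to a pool.  A port alone is a
    weak signal, so triage() only escalates when other indicators agree."""
    if ev.get("Protocol") == "tcp" and ev["DestinationPort"] in POOL_PORTS:
        return finding(ev, "mining_traffic",
                       "connection to %s:%d" % (ev["DestinationIp"], ev["DestinationPort"]))
    return None


def stratum_payload(data):
    """Network-sensor side (a Zeek script or Snort content match would do the
    same): True when a captured TCP payload carries a Stratum request."""
    return STRATUM_METHOD.search(data) is not None


CHECKS = {1: check_process_create, 3: check_network_connect, 13: check_registry_set}


def analyze(events):
    """Run the per-event checks and collect every finding, in event order."""
    findings = []
    for ev in events:
        check = CHECKS.get(ev["EventID"])
        result = check(ev) if check else None
        if result:
            findings.append(result)
    return findings


def triage(findings):
    """A process that trips more than one indicator class (injection plus
    persistence plus pool traffic) is the miner host; a single hit needs review."""
    by_pid = {}
    for f in findings:
        by_pid.setdefault(f["pid"], set()).add(f["indicator"])
    return {pid: ("high" if len(kinds) > 1 else "review") for pid, kinds in by_pid.items()}


# Constructed sample telemetry: a benign logon shell (pid 4012), a hollowed
# explorer.exe (pid 5120) that persists and talks to a pool, and a renamed copy.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4012, "Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Windows\System32\userinit.exe"},
    {"EventID": 1, "ProcessId": 5120, "Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\dropper.exe"},
    {"EventID": 1, "ProcessId": 6000, "Image": r"C:\Users\alice\AppData\Roaming\explorer.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 13, "ProcessId": 5120, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\updater",
     "Details": r"C:\Users\alice\AppData\Roaming\updater.exe"},
    {"EventID": 3, "ProcessId": 5120, "Image": r"C:\Windows\explorer.exe",
     "Protocol": "tcp", "DestinationIp": "203.0.113.10", "DestinationPort": 3333},
    {"EventID": 3, "ProcessId": 4012, "Image": r"C:\Windows\explorer.exe",
     "Protocol": "tcp", "DestinationIp": "192.0.2.20", "DestinationPort": 445},
]

# Constructed Stratum login as an XMRig-style miner would send it to a Monero/ETN pool.
SAMPLE_STRATUM_LOGIN = (b'{"id":1,"jsonrpc":"2.0","method":"login",'
                        b'"params":{"login":"etnWallet","pass":"x","agent":"XMRig/2.4"}}\n')

if __name__ == "__main__":
    results = analyze(SAMPLE_EVENTS)
    for f in results:
        print(f)
    print(triage(results))
    print("stratum on wire:", stratum_payload(SAMPLE_STRATUM_LOGIN))
```

Run against the constructed events, pid 5120 collects a hollowing, a persistence and a mining-traffic finding and is rated high, the renamed copy (pid 6000) is flagged for review, and the logon shell (pid 4012) produces nothing even though it makes an SMB connection; the pool-port list is deliberately a weak signal on its own, since legitimate services use some of those ports.<\/p>\n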

In addition to segmentation and instrumentation, InGuardians recommends having a solid backup and recovery solution in place. Backups should be tested on a regular basis, including verification that recovered systems work and are free of the malware.<\/p>\n

Additional Resources<\/strong><\/p>\n

Win32\/Dofoil (Microsoft Windows Defender Security Intelligence)<\/p>\n

https:\/\/www.microsoft.com\/en-us\/wdsi\/threats\/malware-encyclopedia-description?Name=Win32%2FDofoil<\/a><\/p>\n

DoFoil: Crypto-mining Malware Outbreak Infects 500,000 Computers In One Day (Newsweek)<\/p>\n

http:\/\/www.newsweek.com\/crypto-mining-malware-outbreak-infected-500000-computers-single-day-836145<\/a><\/p>\n

The State of Malicious Crypto-mining (MalwareBytesBlog)<\/p>\n

https:\/\/blog.malwarebytes.com\/cybercrime\/2018\/02\/state-malicious-cryptomining\/<\/a><\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"

Dofoil trojan variant used to install cryptocurrency-mining malware Issue Microsoft\u2019s Windows Defender Research group identified a new variant of the Win32\/Dofoil remote access trojan which installed a cryptocurrency miner for Electroneum (ETN) coin. Impact The impact of this trend is severe, due in part to the trojan\u2019s ability to download and execute code on command. […]<\/p>\n","protected":false},"author":7,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"","_et_pb_old_content":"","_et_gb_content_width":"","footnotes":""},"categories":[169],"tags":[164,109,132,28,130,148,165],"_links":{"self":[{"href":"https:\/\/zed.inguardians.com\/wp-json\/wp\/v2\/posts\/3117"}],"collection":[{"href":"https:\/\/zed.inguardians.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zed.inguardians.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zed.inguardians.com\/wp-json\/wp\/v2\/users\/7"}],"replies":[{"embeddable":true,"href":"https:\/\/zed.inguardians.com\/wp-json\/wp\/v2\/comments?post=3117"}],"version-history":[{"count":1,"href":"https:\/\/zed.inguardians.com\/wp-json\/wp\/v2\/posts\/3117\/revisions"}],"predecessor-version":[{"id":3118,"href":"https:\/\/zed.inguardians.com\/wp-json\/wp\/v2\/posts\/3117\/revisions\/3118"}],"wp:attachment":[{"href":"https:\/\/zed.inguardians.com\/wp-json\/wp\/v2\/media?parent=3117"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zed.inguardians.com\/wp-json\/wp\/v2\/categories?post=3117"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zed.inguardians.com\/wp-json\/wp\/v2\/tags?post=3117"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}