Dofoil Trojan used to deploy cryptocurrency miner on more than 500,000 PCs in a few hours

Pierluigi Paganini March 09, 2018

Microsoft experts observed more than more than 500,000 computers infected with Dofoil Trojan used to download a cryptocurrency miner.

A few days ago, researchers at Microsoft announced that Windows Defender Antivirus blocked more than 80,000 instances of several malicious code that exhibited advanced cross-process injection techniques, persistence mechanisms, and evasion methods.

According to Microsoft, the malware were new variants of Dofoil (also known as Smoke Loader), a small application used to download other malicious codes, in these specific attacks a coin miner. The cryptocurrency miner payload was used to mine Electroneum coins.

In Just 12 hours from the discovery, the experts observed more than 400,000 instances, most of them in Russia (73%), Turkey (18%) and Ukraine (4%).
Totally more than 500,000 computers were infected within just 12 hours.


The Dofoil trojan uses an old code injection technique called ‘process hollowing’ that was recently observed by researchers at CSE CybSec implemented in evolutive versions by another malware.

“The trojans, which are new variants of Dofoil (also known as Smoke Loader), carry a coin miner payload. Within the next 12 hours, more than 400,000 instances were recorded, 73% of which were in Russia. Turkey accounted for 18% and Ukraine 4% of the global encounters.” reads the analysis published by Microsoft.

“The Dofoil campaign we detected on March 6 started with a trojan that performs process hollowing on explorer.exe. Process hollowing is a code injection technique that involves spawning a new instance of legitimate process (in this case c:\windows\syswow64\explorer.exe) and then replacing the legitimate code with malware.”

The analysis of the Dofoil malware revealed it uses a customized mining application that supports NiceHash allowing infected systems to mine different cryptocurrencies even if the samples Microsoft analyzed mined Electroneum coins.

The malware gain persistence on an infected system through the Windows registry, hollowed explorer.exe process creates a copy of the original malware in the Roaming AppData folder and renames it to ditereah.exe. The malicious code then creates/modifies a registry key to modify an existing one to point to the newly created malware copy.

Threat actors behind the Dofoil campaign used a command and control (C&C) server hosted on decentralized Namecoin network infrastructure.

“The C&C server commands the malware to connect or disconnect to an IP address; download a file from a certain URL and execute or terminate the specific file; or sleep for a period of time.” states Microsoft.

Microsoft confirmed that its Windows Defender Antivirus is a crucial component for detecting and blocking advanced threats.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Dofoil, cryptocurrency miner)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment