In a blog post published on Wednesday, Microsoft said its Windows
Defender antivirus software helped prevent a massive
cryptocurrency-mining malware attack from spreading across the globe.
Just before noon on March 6, it did so by blocking around 80,000
instances of “several sophisticated trojans that exhibited advanced
cross-process infection techniques, persistence mechanisms, and
evasion methods.”
The trojans were new variants of Dofoil (aka Smoke Loader) carrying a
coin-miner payload. Over the next 12 hours, Microsoft's systems
recorded more than 400,000 instances. The attack mostly targeted
computers in Russia (73%), Turkey (18%), and Ukraine (4%).
Microsoft said the advanced machine learning models that power
their cloud protection service triggered the blocking of
malware within milliseconds after it was detected by Windows
“People affected by these infection attempts early in the
campaign would have seen blocks under machine learning names
like Fuery, Fuerboos, Cloxer, or Azden. Later blocks show as
the proper family names, Dofoil or Coinminer.”
With the rise in the value and popularity of cryptocurrencies such as
Bitcoin, attackers are more motivated than ever to bundle coin miners
into their attacks. In fact, crypto miners have emerged as an
alternative to ransomware.
In total, the malware campaign targeted close to 500,000 computers in
different regions. Microsoft operating systems including Windows 7,
Windows 8.1, and Windows 10 running Windows Defender or Microsoft
Security Essentials are now protected against the threat.