On March 6th, Microsoft managed to stop a dangerous cryptocurrency miner malware that could have infected over half a million Windows PCs in a matter of hours.
Thanks to Microsoft Windows Defender, which detected 80,000 instances of the cryptocurrency-mining trojan known as Smoke Loader or Dofoil, the bad guys won’t get the chance to use victims’ CPU power to fill their digital wallets.
A couple of hours later that day, another 400,000 instances of the malware were detected in Turkey, Russia, and Ukraine.
Mark Simos, a cybersecurity architect at Microsoft, explained that the malware disguises itself as a legitimate Windows binary.
The technique it uses is called ‘process hollowing’. In short, the malware launches a new instance of the legitimate binary and then replaces that process’s code in memory with its own. Because the process still carries the name of a trusted Windows file, a lot of antivirus software is fooled into treating it as benign.
Interestingly, file-encrypting ransomware may slowly become a thing of the past, since in many cases cryptocurrency miner malware turns out to be a much more appealing, and lucrative, option for the bad guys. One reason is that a victim whose device is infected with ransomware may simply decide not to pay, whereas hijacking the victim’s computer resources for mining yields a return the attackers can count on.
Reportedly, Windows Defender was able to detect the malware within moments. Even though the malware’s developers went to great lengths to conceal it, it does have a weak point: it runs from the wrong location, not from the directory where the genuine Windows binary it impersonates lives.
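One way a defender can automate the ‘wrong location’ check described above, written as an added example for this article rather than anything from Microsoft or Windows Defender; the binary names, their expected directories and the process listing are all constructed assumptions, not data from the article:

```python
import ntpath

# Constructed allow-list: well-known Windows binary names mapped to the directories
# in which the genuine copy is installed (assumption: illustrative, not exhaustive).
EXPECTED_DIRS = {
    "explorer.exe": {r"c:\windows"},
    "svchost.exe":  {r"c:\windows\system32", r"c:\windows\syswow64"},
    "wuauclt.exe":  {r"c:\windows\system32"},
    "lsass.exe":    {r"c:\windows\system32"},
}

def normalize(path):
    """Lower-case the path and use backslashes so comparisons are stable."""
    return path.strip().lower().replace("/", "\\")

def check_process(name, image_path):
    """Return a reason string if the process looks out of place, else None."""
    name = name.lower()
    if name not in EXPECTED_DIRS:
        return None  # not a binary we hold expectations for
    directory, basename = ntpath.split(normalize(image_path))
    if basename != name:
        return f"image name {basename!r} does not match process name {name!r}"
    if directory not in EXPECTED_DIRS[name]:
        return f"{name} running from unexpected directory {directory!r}"
    return None

def scan(records):
    """records: iterable of (pid, name, image_path). Returns [(pid, reason), ...]."""
    findings = []
    for pid, name, image_path in records:
        reason = check_process(name, image_path)
        if reason:
            findings.append((pid, reason))
    return findings

# Constructed sample process listing (not real telemetry).
SAMPLE = [
    (812,  "svchost.exe",  r"C:\Windows\System32\svchost.exe"),
    (1330, "explorer.exe", r"C:/Windows/explorer.exe"),
    (2044, "wuauclt.exe",  r"C:\Users\alice\AppData\Roaming\wuauclt.exe"),
    (2101, "svchost.exe",  r"C:\Windows\Temp\svchost.exe"),
    (2207, "lsass.exe",    r"C:\Windows\System32\lsasss.exe"),
    (2300, "notepad.exe",  r"C:\Windows\System32\notepad.exe"),
]

if __name__ == "__main__":
    for pid, reason in scan(SAMPLE):
        print(pid, reason)
```

A clean path only clears the image on disk: a hollowed process whose host binary was launched from the correct directory passes this check, so the path test catches the weak point the article names and nothing more.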