{"id":11925,"date":"2018-04-04T08:00:31","date_gmt":"2018-04-04T16:00:31","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2018\/04\/04\/news-5694\/"},"modified":"2018-04-04T08:00:31","modified_gmt":"2018-04-04T16:00:31","slug":"news-5694","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2018\/04\/04\/news-5694\/","title":{"rendered":"Hunting down Dofoil with Windows Defender ATP"},"content":{"rendered":"

Credit to Author: Windows Defender ATP| Date: Wed, 04 Apr 2018 15:00:18 +0000<\/strong><\/p>\n

Dofoil<\/a> is a sophisticated threat that attempted to install coin miner malware<\/a> on hundreds of thousands of computers in March, 2018. In previous blog posts we detailed how behavior monitoring and machine learning in Windows Defender AV<\/a> protected customers from a massive Dofoil outbreak<\/a> that we traced back to a software update poisoning campaign<\/a> several weeks prior. Notably, customers of Windows 10 S<\/a>, a special Windows 10 configuration that provides streamlined Microsoft-verified security, were not affected by the Dofoil outbreak.<\/p>\n

<\/p>\n

In this blog post, we will expound on Dofoils anti-debugging and anti-analysis tactics, and demonstrate how the rich detection libraries of Windows Defender Advanced Threat Protection<\/a> and Windows Defender Exploit Guard<\/a> can help during investigation.<\/p>\n

<\/p>\n

We found that Dofoil was designed to be elusive to analysis. It checks its environment and stops running in virtual machine environments. It also checks for various analysis tools and kills them right away. This can make malware analysis and assessment challenging.<\/p>\n

<\/p>\n

The following diagram shows the multi-stage malware execution process, which includes checks for traits of analysis environments during some stages.<\/p>\n

<\/p>\n

\"\"<\/p>\n

<\/p>\n

Figure 1. Dofoil multi-stage shellcode and payload execution flow<\/em><\/p>\n

<\/p>\n

The table below describes the purpose of each stage. The first five stages have at least one or two different techniques that can deter dynamic or static malware analysis.<\/p>\n

<\/p>\n <\/p>\n <\/p>\n <\/p>\n <\/p>\n <\/p>\n <\/p>\n <\/p>\n <\/p>\n <\/p>\n <\/p>\n <\/p>\n
STAGES<\/strong><\/th>\n

<\/p>\n

DESCRIPTION<\/strong><\/th>\n

<\/tr>\n

<\/p>\n

1. Obfuscated wrapper code<\/strong><\/td>\n

<\/p>\n

Anti-heuristics<\/p>\n

<\/p>\n

Anti-emulation<\/td>\n

<\/tr>\n

<\/p>\n

2. Bootstrap module<\/strong><\/td>\n

<\/p>\n

Performs self-process hollowing to load the next module<\/td>\n

<\/tr>\n

<\/p>\n

3. Anti-debugging module<\/strong><\/td>\n

<\/p>\n

Performs anti-debugging operation<\/td>\n

<\/tr>\n

<\/p>\n

4. Trojan downloader module<\/strong><\/td>\n

<\/p>\n

Performs system environment checks<\/p>\n

<\/p>\n

Performs anti-VM operation<\/p>\n

<\/p>\n

Injects itself to explorer.exe<\/em> through process hollowing<\/td>\n

<\/tr>\n

<\/p>\n

5. Trojan downloader module in explorer.exe<\/em><\/strong><\/td>\n

<\/p>\n

Contacts C&C server to download trojan and run it using process hollowing technique<\/td>\n

<\/tr>\n

<\/p>\n

6. Payload downloader module in explorer.exe<\/em><\/strong><\/td>\n

<\/p>\n

Contacts C&C server to download the main payload<\/td>\n

<\/tr>\n

<\/p>\n

7. Trojan module<\/strong><\/td>\n

<\/p>\n

Steals credentials from various application settings and sends stolen into to the C&C server over HTTP channel<\/td>\n

<\/tr>\n

<\/p>\n

8. CoinMiner.D<\/strong><\/td>\n

<\/p>\n

Mines digital currencies<\/td>\n

<\/tr>\n

<\/tbody>\n

<\/table>\n

<\/p>\n

Table 1. Dofoil’s multi-stage modules<\/em><\/p>\n

<\/p>\n

Initial stages<\/h2>\n

<\/p>\n

The first three stages (i.e., obfuscated wrapper code, bootstrap module, anti-debugging module) use the following techniques to avoid analysis and identification.<\/p>\n

<\/p>\n <\/p>\n <\/p>\n <\/p>\n <\/p>\n <\/p>\n <\/p>\n <\/p>\n
ANTI-ANALYSIS TECHNIQUES<\/strong><\/th>\n

<\/p>\n

DESCRIPTION<\/th>\n

<\/tr>\n

<\/p>\n

Benign code insertion<\/strong><\/td>\n

<\/p>\n

Inserts a huge benign code block to confuse heuristics and manual inspection<\/td>\n

<\/tr>\n

<\/p>\n

Anti-emulation<\/strong><\/td>\n

<\/p>\n

Enumerates an arbitrary registry key (HKEY_CLASSES_ROOTInterface{3050F557-98B5-11CF-BB82-00AA00BDCE0B}<\/em>) and compares the data with an expected value (DispHTMLCurrentStyle<\/em>) to check if the malware runs inside an emulator<\/td>\n

<\/tr>\n

<\/p>\n

Self-process hollowing<\/strong><\/td>\n

<\/p>\n

Uses the process hollowing technique on the current process, making analysis extra difficult due to the altered code mapping<\/td>\n

<\/tr>\n

<\/p>\n

Debugger checks<\/strong><\/td>\n

<\/p>\n

Checks for debuggers, and modifies code to crash. This can add additional layer of confusion to researchers, who are bound to investigate the cause of the crashes. It checks for the PEB.BeingDebugged<\/em> and PEB.NtGlobalFlag<\/em> fields in the PEB structure. For example, PEB.BeingDebugged<\/em> is set to 1<\/em> and PEB.NtGlobalFlag<\/em> is set to FLG_HEAP_ENABLE_TAIL_CHECK|FLG_HEAP_ENABLE_FREE_CHECK| FLG_HEAP_VALIDATE_PARAMETERS<\/em> when a debugger is attached to the process.<\/td>\n

<\/tr>\n

<\/tbody>\n

<\/table>\n

<\/p>\n

Table 2. Anti-analysis techniques<\/em><\/p>\n

<\/p>\n

The first stage contains some benign-looking code before the actual malicious code. This can give the executable a harmless appearance. It can also make the emulation of the code difficult because emulating various API calls that are not present in many malware codes can be challenging.<\/p>\n

<\/p>\n

The first-stage code also performs a registry key enumeration to make sure it has the expected value. When all checks are passed, it decodes the second-stage shellcode and runs it on the allocated memory. This shellcode un-maps the original main modules memory, and then decodes the third-stage shellcode into that memory this is known as a self-process hollowing<\/a> technique.<\/p>\n

<\/p>\n

\"\"<\/p>\n

<\/p>\n

Figure 2. Self-modification based on PEB.BeingDebugged<\/em> value<\/p>\n

<\/p>\n

Windows Defender ATPs process tree can help with investigation by exposing these anti-debugging techniques.<\/p>\n

<\/p>\n

\"\"<\/p>\n

<\/p>\n

Figure 3. Windows Defender ATP process tree showing anti-debugging techniques<\/em><\/p>\n

<\/p>\n

Trojan downloader module<\/h2>\n

<\/p>\n

The trojan downloader module performs various environment checks, including virtual environment and analysis tool checks, before downloading the payload.<\/p>\n

<\/p>\n <\/p>\n <\/p>\n <\/p>\n <\/p>\n <\/p>\n <\/p>\n <\/p>\n <\/p>\n <\/p>\n
ANTI-ANALYSIS TECHNIQUES<\/span><\/b><\/th>\n

<\/p>\n

DESCRIPTION<\/th>\n

<\/tr>\n

<\/p>\n

Check module name<\/strong><\/td>\n

<\/p>\n

Checks if the main executable name contains the string “sample”<\/td>\n

<\/tr>\n

<\/p>\n

Check volume serial<\/strong><\/td>\n

<\/p>\n

Checks if current volume serial number is 0xCD1A40<\/em> or 0x70144646<\/em><\/td>\n

<\/tr>\n

<\/p>\n

Check modules<\/strong><\/td>\n

<\/p>\n

Checks the presence of DLLs related to debuggers<\/td>\n

<\/tr>\n

<\/p>\n

Check disk-related registry keys<\/strong><\/td>\n

<\/p>\n

Checks the value of the registry key HKLMSystemCurrentControlSetServicesDiskEnum<\/em> against well-known disk name patterns for virtual machines (qemu<\/em>, virtual<\/em>, vmware<\/em>, xen<\/em>, ffffcce24<\/em>)<\/td>\n

<\/tr>\n

<\/p>\n

Process check<\/strong><\/td>\n

<\/p>\n

Checks running processes and kills those with processes names associated with analysis tools (procexp.exe<\/em>, procexp64.exe<\/em>, procmon.exe<\/em>, procmon64.exe<\/em>, tcpview.exe<\/em>, wireshark.exe<\/em>, processhacker.exe<\/em>, ollydbg.exe<\/em>, idaq.exe<\/em>, x32dbg.exe<\/em>)<\/td>\n

<\/tr>\n

<\/p>\n

Windows class name check<\/strong><\/td>\n

<\/p>\n

Checks the current Windows class names and exits when some well-known names are found (Autoruns<\/em>, PROCEXPL<\/em>, PROCMON_WINDOW_CLASS<\/em>, TCPViewClass<\/em>, ProcessHacker<\/em>, OllyDbg<\/em>, WinDbgFrameClass<\/em>)<\/td>\n

<\/tr>\n

<\/tbody>\n

<\/table>\n

<\/p>\n

Table 3. Anti-analysis techniqueof Dofoil’s trojan downloader module<\/span><\/i><\/em><\/p>\n

<\/p>\n

The list of target process names and Windows class names exist in custom checksum form. The checksum algorithm looks like the following:<\/p>\n

<\/p>\n

\"\"<\/p>\n

<\/p>\n

Figure 4. Shift and XOR custom checksum algorithm<\/em><\/p>\n

<\/p>\n

The purpose of this checksum is to prevent malware researchers from quickly figuring out what analysis tools it detects, making analysis more time-consuming.<\/p>\n

<\/p>\n <\/p>\n <\/p>\n <\/p>\n <\/p>\n <\/p>\n <\/p>\n <\/p>\n <\/p>\n <\/p>\n <\/p>\n <\/p>\n <\/p>\n <\/p>\n <\/p>\n <\/p>\n <\/p>\n <\/p>\n <\/p>\n <\/p>\n <\/p>\n
STRING<\/th>\n

<\/p>\n

CHECKSUM<\/strong><\/th>\n

<\/tr>\n

<\/p>\n

Autoruns<\/strong><\/td>\n

<\/p>\n

0x0E5C1C5D<\/td>\n

<\/tr>\n

<\/p>\n

PROCEXPL<\/strong><\/td>\n

<\/p>\n

0x1D421B41<\/td>\n

<\/tr>\n

<\/p>\n

PROCMON_WINDOW_CLASS<\/strong><\/td>\n

<\/p>\n

0x4B0C105A<\/td>\n

<\/tr>\n

<\/p>\n

TCPViewClass<\/strong><\/td>\n

<\/p>\n

0x1D4F5C43<\/td>\n

<\/tr>\n

<\/p>\n

ProcessHacker<\/strong><\/td>\n

<\/p>\n

0x571A415E<\/td>\n

<\/tr>\n

<\/p>\n

OllyDbg<\/strong><\/td>\n

<\/p>\n

0x4108161D<\/td>\n

<\/tr>\n

<\/p>\n

WinDbgFrameClass <\/strong><\/td>\n

<\/p>\n

0x054E1905<\/td>\n

<\/tr>\n

<\/p>\n

procexp.exe <\/strong><\/td>\n

<\/p>\n

0x19195C02<\/td>\n

<\/tr>\n

<\/p>\n

procexp64.exe <\/strong><\/td>\n

<\/p>\n

0x1C0E041D<\/td>\n

<\/tr>\n

<\/p>\n

procmon.exe <\/strong><\/td>\n

<\/p>\n

0x06185D0B<\/td>\n

<\/tr>\n

<\/p>\n

procmon64.exe <\/strong><\/td>\n

<\/p>\n

0x1D07120A<\/td>\n

<\/tr>\n

<\/p>\n

tcpview.exe <\/strong><\/td>\n

<\/p>\n

0x060B5118<\/td>\n

<\/tr>\n

<\/p>\n

wireshark.exe <\/strong><\/td>\n

<\/p>\n

0x550E1E0D<\/td>\n

<\/tr>\n

<\/p>\n

processhacker.exe <\/strong><\/td>\n

<\/p>\n

0x51565C47<\/td>\n

<\/tr>\n

<\/p>\n

ollydbg.exe <\/strong><\/td>\n

<\/p>\n

0x04114C14<\/td>\n

<\/tr>\n

<\/p>\n

x32dbg.exe <\/strong><\/td>\n

<\/p>\n

0x5F4E5C04<\/td>\n

<\/tr>\n

<\/p>\n

idaq.exe <\/strong><\/td>\n

<\/p>\n

0x14585A12<\/td>\n

<\/tr>\n

<\/tbody>\n

<\/table>\n

<\/p>\n

Table 4. String checksum table used for process names and Windows class names<\/em><\/p>\n

<\/p>\n

Process hollowing<\/h2>\n

<\/p>\n

Dofoil heavily uses the process hollowing<\/a> technique. Its main target for process hollowing is explorer.exe. The Dofoil shellcode launches a new instance of explorer.exe, allocates shellcode in heap region, and then modifies the entry point code to jump into the shellcode. This way, the malware avoids using CreateRemoteThread<\/em> API, but can still achieve code injection.<\/p>\n

<\/p>\n

\"\"<\/p>\n

<\/p>\n

Figure 5. Modification of <\/em>explorer.exe entry point code<\/em><\/p>\n

<\/p>\n

Windows Defender ATP can detect the process hollowing behavior with advanced memory signals. The following process tree shows that the malware injects itself into explorer.exe using the process hollowing technique.<\/p>\n

<\/p>\n

\"\"<\/p>\n

<\/p>\n

Figure 6. Windows Defender ATP alert process tree showing the first process hollowing<\/em><\/p>\n

<\/p>\n

When the shellcode downloads another layer of payload, it spawns another explorer.exe to inject the payload into using process hollowing. Windows Defender ATP can save analysis time on these cases by pinpointing the malicious actions, eliminating the need for guessing what these newly spawned Windows system processes are doing.<\/p>\n

<\/p>\n

\"\"<\/p>\n

<\/p>\n

Figure 7. Windows Defender ATP alert process tree showing the second process hollowing<\/em><\/p>\n

<\/p>\n

The process hollowing behavior can be detected through Exploit protection<\/a> in Windows Defender Exploit Guard<\/a>. This can be done by enabling the Export Address Filter (EAF) mitigation against explorer.exe. The detection happens when the shellcode goes through the export addresses of the modules to find the export address of the LoadLibraryA and GetProcAddress functions.<\/p>\n

<\/p>\n

\"\"<\/p>\n

<\/p>\n

Figure 8. Export Address Filter (EAF) event exposed in Event viewer<\/em><\/p>\n

<\/p>\n

Windows Defender Exploit Guard events are also exposed in the Windows Defender ATP portal:<\/p>\n

<\/p>\n

\"\"<\/p>\n

<\/p>\n

Figure 9. Windows Defender ATP view of the Windows Defender Exploit Guard event<\/em><\/p>\n

<\/p>\n

Adding Windows Defender Exploit Guard EAF audit\/block policy to common system processes like explorer.exe, cmd.exe, or verclsid.exe can be useful in finding and blocking process hollowing or process injection techniques commonly used by malware. This policy can impact third-party apps that may behave like shellcode, so we recommend testing Windows Defender Exploit Guard with audit mode<\/a> enabled before enforcement.<\/p>\n

<\/p>\n

Command-and-control (C&C) and NameCoin domains<\/h2>\n

<\/p>\n

Dofoils C&C connection is very cautious. The trojan code first tries to connect to well-known web pages and verifies that the malware has proper and real Internet connection, not simulated as in test environments. After it makes sure it has a real Internet connection, the malware makes HTTP connections to the actual C&C servers.<\/p>\n

<\/p>\n

\"\"<\/p>\n

<\/p>\n

Figure 10. Access to known servers to confirm Internet connectivity<\/em><\/p>\n

<\/p>\n

The malware uses NameCoin domain name servers. NameCoin is a decentralized name server system that provides extra privacy backed by blockchain technology. Except for the fact that the DNS client needs to use specific sets of NameCoin DNS servers, the overall operation is very similar to a normal DNS query. Because NameCoin uses blockchain technology, you can query the history of the domain name changes through blocks.<\/p>\n

<\/p>\n

\"\"<\/p>\n

<\/p>\n

Figure 11. Malicious hostname DNS entry changes over time (https:\/\/namecha.in\/name\/d\/vrubl<\/a>)<\/em><\/p>\n

<\/p>\n

Windows Defender ATP can provide visibility into the malwares network activities. The following alert process tree shows the malwares .bit domain resolution activity and, after that, the connections to the resolved C&C servers. You can also view other activities from the executable, for example, its connections to other servers using SMTP ports.<\/p>\n

<\/p>\n

\"\"<\/p>\n

<\/p>\n

Figure 12. Windows Defender ATP alert process tree showing C&C server connection through NameCoin server name resolution<\/em><\/p>\n

<\/p>\n

The Windows Defender ATP advanced hunting feature, which is currently in preview, can be used to hunt down more malware samples that possibly abuse NameCoin servers. For example, the following query will let you view recent connections observed in the network. This can lead to extra insights on other threats that use the same NameCoin servers.<\/p>\n

<\/p>\n

\"\"<\/p>\n

<\/p>\n

Figure 13. Advanced hunting for other threats using the same NameCoin servers<\/em><\/p>\n

<\/p>\n

The purpose of using NameCoin is to prevent easy sinkholing of the domains. Because there are no central authorities on the NameCoin domain name records, it is not possible for the authorities to change the domain record. Also, malware abusing NameCoin servers use massive numbers of NameCoin DNS servers to make full shutdown of those servers very difficult.<\/p>\n

<\/p>\n

Conclusion<\/h2>\n

<\/p>\n

Dofoil is a very evasive malware. It has various system environment checks and tests Internet connectivity to make sure it runs on real machines, not in analysis environments or virtual machines. This can make the analysis time-consuming and can mislead malware analysis systems.<\/p>\n

<\/p>\n

In attacks like the Dofoil outbreak, Windows Defender Advanced Threat Protection (Windows Defender ATP<\/a>) can help network defenders analyze the timeline from the victim machine and get rich information on process execution flow, C&C connections, and process hollowing activities. Windows Defender ATP can be used as an analysis platform with fine-tuned visibility into system activities when set up in a lab environment. This can save time and resource during malware investigation.<\/p>\n

<\/p>\n

In addition, Windows Defender Exploit Guard<\/a> can be useful in finding malicious shellcodes that traverse export address tables. Windows Defender Exploit Guard can be an excellent tool for finding and blocking malware and exploit activities.<\/p>\n

<\/p>\n

Windows Defender Exploit Guard events are surfaced in the Windows Defender ATP portal, which integrates protections from other Microsoft solutions, including Windows Defender AV<\/a> and Windows Defender Application Guard<\/a>. This integrated security management experience makes Windows Defender ATP a comprehensive solution for detecting and responding to a wide range of malicious activities across the network.<\/p>\n

<\/p>\n

Windows 10 S<\/a>, a special configuration of Windows 10, locks down devices against Dofoil and other attacks by working exclusively with apps from the Microsoft Store and using Microsoft Edge as the default browser. This streamlined, Microsoft-verified platform seals common malware entry points.<\/p>\n

<\/p>\n

To test how Windows Defender ATP can help your organization detect, investigate, and respond to advanced attacks, sign up for a free trial<\/a><\/strong>.<\/p>\n

<\/p>\n

 <\/p>\n

<\/p>\n

 <\/p>\n

<\/p>\n

Matt Oh, Stefan Sellmer, Jonathan Bar Or, Mark Wodrich<\/em>
Windows Defender ATP Research<\/em><\/strong><\/p>\n

<\/p>\n

 <\/p>\n

<\/p>\n

 <\/p>\n

<\/p>\n

Indicators of compromise (IoCs)<\/h2>\n

<\/p>\n

TrojanDownloader:Win32\/Dofoil.AB:<\/strong><\/p>\n

<\/p>\n

d191ee5b20ec95fe65d6708cbb01a6ce72374b309c9bfb7462206a0c7e039f4d<\/p>\n

<\/p>\n

eaa63f6b500afedcaeb8d5b18a08fd6c7d95695ea7961834b974e2a653a42212<\/p>\n

<\/p>\n

cded7aedca6b54a6d4273153864a25ccad35cba5cafeaec828a6ad5670a5973a<\/p>\n

<\/p>\n

Trojan:Win32\/Dofoil.AB:<\/strong><\/p>\n

<\/p>\n

070243ad7fb4b3c241741e564039c80ca65bfdf15daa4add70d5c5a3ed79cd5c<\/p>\n

<\/p>\n

5f3efdc65551edb0122ab2c40738c48b677b1058f7dfcdb86b05af42a2d8299C<\/p>\n

<\/p>\n

28ce9763a808c4a7509e9bf92d9ca80212a241dfa1aecd82caedf1f101eac692<\/p>\n

<\/p>\n

5d7875abbbf104f665a0ee909c372e1319c5157dfc171e64ac2bc8b71766537f<\/p>\n

<\/p>\n

Trojan:Win32\/CoinMiner.D<\/strong><\/p>\n

<\/p>\n

2b83c69cf32c5f8f43ec2895ec9ac730bf73e1b2f37e44a3cf8ce814fb51f12<\/p>\n

<\/p>\n

C&C URLs:<\/strong><\/p>\n

<\/p>\n

hxxp:\/\/levashov.bit\/15022018\/<\/p>\n

<\/p>\n

hxxp:\/\/vrubl.bit\/15022018\/<\/p>\n

<\/p>\n

C&C server:<\/strong><\/p>\n

<\/p>\n

vinik.bit<\/p>\n

<\/p>\n

Related .bit domains (updated in same block as C&C server):<\/strong><\/p>\n

<\/p>\n

henkel.bit<\/p>\n

<\/p>\n

makron.bit<\/p>\n

<\/p>\n

makronwin.bit<\/p>\n

<\/p>\n

NameCoin servers used by Dofoil:<\/strong><\/p>\n

<\/p>\n

139.59.208.246<\/p>\n

<\/p>\n

130.255.73.90<\/p>\n

<\/p>\n

31.3.135.232<\/p>\n

<\/p>\n

52.174.55.168<\/p>\n

<\/p>\n

185.121.177.177<\/p>\n

<\/p>\n

185.121.177.53<\/p>\n

<\/p>\n

62.113.203.55<\/p>\n

<\/p>\n

144.76.133.38<\/p>\n

<\/p>\n

169.239.202.202<\/p>\n

<\/p>\n

5.135.183.146<\/p>\n

<\/p>\n

142.0.68.13<\/p>\n

<\/p>\n

103.253.12.18<\/p>\n

<\/p>\n

62.112.8.85<\/p>\n

<\/p>\n

69.164.196.21<\/p>\n

<\/p>\n

107.150.40.234<\/p>\n

<\/p>\n

162.211.64.20<\/p>\n

<\/p>\n

217.12.210.54<\/p>\n

<\/p>\n

89.18.27.34<\/p>\n

<\/p>\n

193.183.98.154<\/p>\n

<\/p>\n

51.255.167.0<\/p>\n

<\/p>\n

91.121.155.13<\/p>\n

<\/p>\n

87.98.175.85<\/p>\n

<\/p>\n

185.97.7.7<\/p>\n

<\/p>\n

 <\/p>\n

<\/p>\n

 <\/p>\n

<\/p>\n

\n

<\/p>\n

Talk to us<\/strong><\/h4>\n

<\/p>\n

Questions, concerns, or insights on this story? Join discussions at the Microsoft community<\/a> and Windows Defender Security Intelligence<\/a>.<\/p>\n

<\/p>\n

Follow us on Twitter @WDSecurity<\/a> and Facebook Windows Defender Security Intelligence<\/a>.<\/p>\n

<\/p>\n

 <\/p>\n

<\/p>\n

 <\/p>\n


https:\/\/blogs.technet.microsoft.com\/mmpc\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

Credit to Author: Windows Defender ATP| Date: Wed, 04 Apr 2018 15:00:18 +0000<\/strong><\/p>\n

Dofoil is a sophisticated threat that attempted to install coin miner malware on hundreds of thousands of computers in March, 2018. In previous blog posts we detailed how behavior monitoring and machine learning in Windows Defender AV protected customers from a massive Dofoil outbreak that we traced back to a software update poisoning campaign several <\/p>\n

Read more<\/a><\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10759,10378],"tags":[18016,11572,16598,4500,10839,10803,17771,18017,10525,10761,17261,11774,10865,17194,17195],"class_list":["post-11925","post","type-post","status-publish","format-standard","hentry","category-microsoft","category-security","tag-advanced-hunting","tag-coinminer","tag-cryptocurrency-mining","tag-cybersecurity","tag-dofoil","tag-malware-research","tag-namecoin","tag-process-hollowing","tag-windows","tag-windows-10","tag-windows-10-s","tag-windows-defender-antivirus","tag-windows-defender-atp","tag-windows-defender-av","tag-windows-defender-exploit-guard"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/11925","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=11925"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/11925\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=11925"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=11925"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=11925"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}