{"id":11723,"date":"2018-03-13T15:46:57","date_gmt":"2018-03-13T23:46:57","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2018\/03\/13\/news-5493\/"},"modified":"2018-03-13T15:46:57","modified_gmt":"2018-03-13T23:46:57","slug":"news-5493","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2018\/03\/13\/news-5493\/","title":{"rendered":"Poisoned peer-to-peer app kicked off Dofoil coin miner outbreak"},"content":{"rendered":"

Credit to Author: Windows Defender Research| Date: Tue, 13 Mar 2018 22:27:06 +0000<\/strong><\/p>\n

On March 7, we reported that a massive Dofoil campaign<\/a> attempted to install malicious cryptocurrency miners on hundreds of thousands of computers. Windows Defender Antivirus, with its behavior monitoring, machine learning technologies, and layered approach to security<\/a> detected and blocked the attack within milliseconds.Windows 10 S<\/a>, a special configuration of Windows 10 providing Microsoft-verified security, was not vulnerable to this attack.<\/p>\n

<\/p>\n

Immediately upon discovering the attack, we looked into the source of the huge volume of infection attempts. Traditionally, Dofoil<\/a> (also known as Smoke Loader) is distributed in multiple ways, including spam email and exploit kits. In the outbreak, which began in March 6, a pattern stood out: most of the malicious files were written by a process called mediaget.exe<\/em>.<\/p>\n

<\/p>\n

This process is related to MediaGet, a BitTorrent client that we classify as potentially unwanted application (PUA)<\/a>. MediaGet is often used by people looking to download programs or media from websites with dubious reputation. Downloading through peer-to-peer file-sharing apps like this can increase the risk of downloading malware.<\/p>\n

<\/p>\n

During the outbreak, however, Dofoil didnt seem to be coming from torrent downloads. We didnt see similar patterns in other file-sharing apps. The process mediaget.exe always wrote the Dofoil samples to the %TEMP% folder using the file name my.dat. The most common source of infection was the file %LOCALAPPDATA%MediaGet2mediaget.exe<\/em> (SHA-1: 3e0ccd9fa0a5c40c2abb40ed6730556e3d36af3c<\/em>).<\/p>\n

<\/p>\n

Tracing the infection timeline<\/h2>\n

<\/p>\n

Our continued investigation on the Dofoil outbreak revealed that the March 6 campaign was a carefully planned attack with initial groundwork dating back to mid-February. To set the stage for the outbreak, attackers performed an update poisoning campaign that installed a trojanized version of MediaGet on computers. The following timeline shows the major events related to the Dofoil outbreak.<\/p>\n

<\/p>\n

\"\"<\/p>\n

<\/p>\n

Figure 1.MediaGet-related malware outbreak timeline (all dates in UTC).<\/em><\/p>\n

<\/p>\n

MediaGet update poisoning<\/h2>\n

<\/p>\n

The update poisoning campaign that eventually led to the outbreak is described in the following diagram. A signed mediaget.exe<\/em> downloads an update.exe<\/em> program and runs it on the machine to install a new mediaget.exe<\/em>. The new mediaget.exe<\/em> program has the same functionality as the original but with additional backdoor capability.<\/p>\n

<\/p>\n

\"\"Figure 2. Update poisoning flow<\/em><\/p>\n

<\/p>\n

The malicious update process is recorded by Windows Defender ATP. The following alert process tree shows the original mediaget.exe dropping the poisoned signed update.exe.<\/p>\n

<\/p>\n

\"\"Figure 3. Windows Defender ATP detection of malicious update process<\/em><\/p>\n

<\/p>\n

Poisoned update.exe<\/h2>\n

<\/p>\n

The dropped update.exe<\/em> is a packaged InnoSetup SFX which has an embedded trojanized mediaget.exe<\/em>, update.exe. When run, it drops a trojanized unsigned version of mediaget.exe<\/em>.<\/p>\n

<\/p>\n

\"\"<\/p>\n

<\/p>\n

Figure 4.Certificate information of the poisoned update.exe<\/em><\/p>\n

<\/p>\n

Update.exe is signed by a third-party developer company completely unrelated with MediaGet and probably also victim of this plot; update.exe<\/em> was code signed with a different cert just to pass the signing requirement verification as seen in the original mediaget.exe<\/em>. The update code will check the certificate information to verify whether it is valid and signed. If it is signed, it will check that the hash value matches the value retrieved from the hash server located in mediaget.com infrastructure. The figure below shows a code snippet that checks for valid signatures on the downloaded update.exe.<\/p>\n

<\/p>\n

\"\"Figure 5. mediaget.exe update code<\/em><\/p>\n

<\/p>\n

Trojanized mediaget.exe<\/em><\/h2>\n

<\/p>\n

The trojanized mediaget.exe<\/em> file, detected by Windows Defender AV as Trojan:Win32\/Modimer.A, shows the same functionality as the original one, but it is not signed by any parties and has additional backdoor functionality. This malicious binary has 98% similarity to the original, clean MediaGet binary. The following PE information shows the different PDB information and its file path left in the executable.<\/p>\n

<\/p>\n

\"\"Figure 6. PDB path comparison of signed and trojanized executable<\/em><\/p>\n

<\/p>\n

When the malware starts, it builds a list of command-and-control (C&C) servers.<\/p>\n

<\/p>\n

\"\"<\/p>\n

<\/p>\n

Figure 7. C&C server list<\/em><\/p>\n

<\/p>\n

One notable detail about the embedded C&C list is that the TLD .bit is not an ICANN-sanctioned TLD and is supported via NameCoin infrastructure. NameCoin is a distributed name server system that adopts the concept of blockchain model and provides anonymous domains. Since .bit domains cant be resolved by ordinary DNS servers, the malware embeds a list of 71 IPv4 addresses that serve as NameCoin DNS servers.<\/p>\n

<\/p>\n

The malware then uses these NameCoin servers to perform DNS lookups of the .bit domains. From this point these names are in the machine’s DNS cache and future lookups will be resolved without needing to specify the NameCoin DNS servers.<\/p>\n

<\/p>\n

The first contact to the C&C server starts one hour after the program starts.<\/p>\n

<\/p>\n

\"\"<\/p>\n

<\/p>\n

Figure 8. C&C connection start timer<\/em><\/p>\n

<\/p>\n

The malware picks one of the four C&C servers at random and resolves the address using NameCoin if its a .bit domain. It uses HTTP for command-and-control communication.<\/p>\n

<\/p>\n

\"\"<\/p>\n

<\/p>\n

Figure 9. C&C server connection<\/em><\/p>\n

<\/p>\n

The backdoor code collects system information and sends them to the C&C server through POST request.<\/p>\n

<\/p>\n

\"\"<\/p>\n

<\/p>\n

Figure 10. System information<\/em><\/p>\n

<\/p>\n

The C&C server sends back various commands to the client. The following response shows the HASH<\/em>, IDLE<\/em>, and OK<\/em> commands. The IDLE command makes the process wait a certain time, indicated in seconds (for example, 7200 seconds = 2 hours), before contacting C&C server again.<\/p>\n

<\/p>\n

\"\"Figure 11. C&C commands<\/em><\/p>\n

<\/p>\n

One of the backdoor commands is a RUN<\/em> command that retrieves a URL from the C&C server command string. The malware then downloads a file from the URL, saves it as %TEMP%my.dat<\/em>, and runs it.<\/p>\n

<\/p>\n

\"\"Figure 12. RUN command processing code<\/em><\/p>\n

<\/p>\n

This RUN<\/em> command was used for the distribution of the Dofoil malware starting March 1 and the malware outbreak on March 6. Windows Defender ATP alert process tree shows the malicious mediaget.exe<\/em> communicating with goshan.online<\/em>, one of the identified C&C servers. It then drops and runs my.dat<\/em> (Dofoil), which eventually leads to the CoinMiner<\/em> component.<\/p>\n

<\/p>\n

\"\"Figure 13.Dofoil, CoinMiner download and execution flow<\/em><\/p>\n

<\/p>\n

\"\"Figure 14. Windows Defender ATP alert process tree<\/em><\/p>\n

<\/p>\n

The malware campaign used Dofoil to deliver CoinMiner, which attempted to use the victims computer resources to mine cryptocurrencies for the attackers. The Dofoil variant used in the attack showed advanced cross-process injection techniques, persistence mechanisms, and evasion methods. Windows Defender ATP can detect these behaviors across the infection chain.<\/p>\n

<\/p>\n

\"\"Figure 15. Windows Defender ATP detection for Dofoils process hollowing behavior<\/em><\/p>\n

<\/p>\n

We have shared details we uncovered in our investigation with MediaGets developers to aid in their analysis of the incident.<\/p>\n

<\/p>\n

We have shared details of the malicious use of code-signing certificate used in update.exe (thumbprint: 5022EFCA9E0A9022AB0CA6031A78F66528848568) with the certificate owner.<\/p>\n

<\/p>\n

Real-time defense against malware outbreaks<\/h2>\n

<\/p>\n

The Dofoil outbreak on March 6, which was built on prior groundwork, exemplifies the kind of multi-stage malware attacks that are fast-becoming commonplace. Commodity cybercrime threats are adopting sophisticated methods that are traditionally associated with more advanced cyberattacks. Windows Defender Advanced Threat Protection (Windows Defender ATP) provides the suite of next-gen defenses that protect customers against a wide range of attacks in real-time.<\/p>\n

<\/p>\n

Windows Defender AV enterprise customers who have enabled the potentially unwanted application (PUA) protection feature<\/a> were protected from the trojanized MediaGet software that was identified as the infection source of the March 6 outbreak.<\/p>\n

<\/p>\n

Windows Defender AV<\/a> protected customers from the Dofoil outbreak at the onset. Behavior-based detection technologies flagged Dofoils unusual persistence mechanism and immediately sent a signal to the cloud protection service<\/a>, where multiple machine learning models blocked most instances at first sight.<\/p>\n

<\/p>\n

In our in-depth analysis of the outbreak, we also demonstrated that the rich detection libraries in Windows Defender ATP<\/a> flagged Dofoils malicious behaviors throughout the entire infection process. These behaviors include code injection, evasion methods, and dropping a coin mining component. Security operations can use Windows Defender ATP to detect and respond to outbreaks. Windows Defender ATP also integrates protections from Windows Defender AV, Windows Defender Exploit Guard, and Windows Defender Application Guard, providing a seamless security management experience.<\/p>\n

<\/p>\n

For enhanced security against Dofoil and others similar coin miners, Microsoft recommends Windows 10 S<\/a>. Windows 10 S exclusively runs apps from the Microsoft Store, effectively blocking malware and applications from unverified sources. Windows 10 S users were not affected by this Dofoil campaign.<\/p>\n

<\/p>\n

Windows Defender Research<\/em><\/p>\n

<\/p>\n

Indicators of compromise (IOCs)<\/h2>\n

<\/p>\n <\/p>\n <\/p>\n <\/p>\n <\/p>\n <\/p>\n <\/p>\n <\/p>\n <\/p>\n <\/p>\n
File name<\/strong><\/td>\n

<\/p>\n

SHA-1<\/strong><\/td>\n

<\/p>\n

Description<\/strong><\/td>\n

<\/p>\n

Signer<\/strong><\/td>\n

<\/p>\n

Signing date<\/strong><\/td>\n

<\/p>\n

Detection name<\/strong><\/td>\n

<\/tr>\n

<\/p>\n

mediaget.exe<\/td>\n

<\/p>\n

1038d32974969a1cc7a79c3fc7b7a5ab8d14fd3e<\/span><\/td>\n

<\/p>\n

Offical mediaget.exe executable<\/td>\n

<\/p>\n

GLOBAL MICROTRADING PTE. LTD.<\/td>\n

<\/p>\n

2:04 PM 10\/27\/2017<\/td>\n

<\/p>\n

PUA:Win32\/MediaGet<\/a><\/td>\n

<\/tr>\n

<\/p>\n

mediaget.exe<\/td>\n

<\/p>\n

4f31a397a0f2d8ba25fdfd76e0dfc6a0b30dabd5<\/span><\/td>\n

<\/p>\n

Offical mediaget.exe executable<\/td>\n

<\/p>\n

GLOBAL MICROTRADING PTE. LTD.<\/td>\n

<\/p>\n

4:24 PM 10\/18\/2017<\/td>\n

<\/p>\n

PUA:Win32\/MediaGet<\/a><\/td>\n

<\/tr>\n

<\/p>\n

update.exe<\/td>\n

<\/p>\n

513a1624b47a4bca15f2f32457153482bedda640<\/span><\/td>\n

<\/p>\n

Trojanized updater executable<\/td>\n

<\/p>\n

DEVELTEC SERVICES SA DE CV<\/td>\n

<\/p>\n

N\/A<\/td>\n

<\/p>\n

Trojan:Win32\/Modimer.A<\/td>\n

<\/tr>\n

<\/p>\n

mediaget.exe<\/td>\n

<\/p>\n

3e0ccd9fa0a5c40c2abb40ed6730556e3d36af3c,
fda5e9b9ce28f62475054516d0a9f5a799629ba8<\/span><\/td>\n

<\/p>\n

Trojanized mediaget.exe executable<\/td>\n

<\/p>\n

Not signed<\/td>\n

<\/p>\n

N\/A<\/td>\n

<\/p>\n

Trojan:Win32\/Modimer.A<\/td>\n

<\/tr>\n

<\/p>\n

my.dat<\/td>\n

<\/p>\n

d84d6ec10694f76c56f6b7367ab56ea1f743d284<\/span><\/td>\n

<\/p>\n

Dropped malicious executable<\/td>\n

<\/p>\n

<\/td>\n

<\/p>\n

<\/td>\n

<\/p>\n

TrojanDownloader:Win32\/Dofoil.AB<\/a><\/td>\n

<\/tr>\n

<\/p>\n

wuauclt.exe<\/td>\n

<\/p>\n

88eba5d205d85c39ced484a3aa7241302fd815e3<\/span><\/td>\n

<\/p>\n

Dropped CoinMiner<\/td>\n

<\/p>\n

<\/td>\n

<\/p>\n

<\/td>\n

<\/p>\n

Trojan:Win32\/CoinMiner.D<\/a><\/td>\n

<\/tr>\n

<\/tbody>\n

<\/table>\n

<\/p>\n

\n

<\/p>\n

Talk to us<\/strong><\/h4>\n

<\/p>\n

Questions, concerns, or insights on this story? Join discussions at the Microsoft community<\/a> and Windows Defender Security Intelligence<\/a>.<\/p>\n

<\/p>\n

Follow us on Twitter @WDSecurity<\/a> and Facebook Windows Defender Security Intelligence<\/a>.<\/p>\n


https:\/\/blogs.technet.microsoft.com\/mmpc\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

Credit to Author: Windows Defender Research| Date: Tue, 13 Mar 2018 22:27:06 +0000<\/strong><\/p>\n

On March 7, we reported that a massive Dofoil campaign attempted to install malicious cryptocurrency miners on hundreds of thousands of computers. Windows Defender Antivirus, with its behavior monitoring, machine learning technologies, and layered approach to security detected and blocked the attack within milliseconds.Windows 10 S, a special configuration of Windows 10 providing Microsoft-verified security, <\/p>\n

Read more<\/a><\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10759,10378],"tags":[17768,17769,11572,16598,4500,17109,12038,17770,17771,16768,10761,17261,10865,17194],"class_list":["post-11723","post","type-post","status-publish","format-standard","hentry","category-microsoft","category-security","tag-behavior-monitoring","tag-code-injection","tag-coinminer","tag-cryptocurrency-mining","tag-cybersecurity","tag-electroneum","tag-machine-learning","tag-mediaget","tag-namecoin","tag-smoke-loader","tag-windows-10","tag-windows-10-s","tag-windows-defender-atp","tag-windows-defender-av"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/11723","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=11723"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/11723\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=11723"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=11723"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=11723"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}