Backdoored Agent Engendering Dofoil Infection

When Windows Defender AV detected the sudden spread of Dofoil, Microsoft published a report on March 7 describing the outbreak. Dofoil mainly targeted users in Russia, with others in Turkey and Ukraine, and it reached around 400,000 users within 12 hours: 73% of those infected were in Russia, 18% in Turkey, and 4% in Ukraine. In a follow-up report, Microsoft attributed the outbreak to a backdoored version of a Russian BitTorrent client called MediaGet.

Massive Dofoil Outbreak Caused by Backdoored Torrent Client

Details of the first report

In the first report, Microsoft's researchers showed how Windows Defender AV blocked the attack through behavior monitoring, an adaptive technique. The use of machine learning in this incident resembles the response to the Emotet attack of the previous month. The researchers listed the following steps to describe the process:

  1. “Within milliseconds, multiple metadata-based machine learning models in the cloud started blocking these threats at first sight.
  2. Seconds later, our sample-based and detonation-based machine learning models also verified the malicious classification. Within minutes, detonation-based models chimed in and added additional confirmation.
  3. Within minutes, an anomaly detection alert notified us about a new potential outbreak.
  4. After analysis, our response team updated the classification name of this new surge of threats to the proper malware families. People affected by these infection attempts early in the campaign would have seen blocks under machine learning names like Fuery, Fuerboos, Closer, or Azden. Later blocks show the proper family names, Dofoil or Coalminer.”

Dofoil is a trojan, but this variant stood out because it was bundled with a coin miner and used process hollowing: it injected code that spawned a new instance of a legitimate process (explorer.exe) as a sacrificial host for the malware. That hollowed explorer.exe then launched a second instance, which dropped and ran the coin miner disguised as a legitimate Windows binary, wuauclt.exe.
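The two behaviours described above (a hollowed explorer.exe spawning a second explorer.exe, and a coin miner running under the name wuauclt.exe from a non-system directory) are the kind of thing a defender can look for in process-creation telemetry. The following is an added example, not Microsoft's detection logic: the events are constructed Sysmon-style records, and both rules, the field names and the paths are assumptions made for this illustration.

```python
"""Process-creation heuristics for the Dofoil chain described above.

Added example, not Microsoft's detection logic. The events below are
constructed Sysmon-style records, and both rules are assumptions chosen
to illustrate the two behaviours the report describes.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str          # full path of the created process
    parent_image: str   # full path of the parent process


# Directory in which the genuine Windows Update client binary lives.
SYSTEM32 = r"c:\windows\system32"


def _name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def _dir(path: str) -> str:
    return str(PureWindowsPath(path).parent).lower()


def find_suspicious(events):
    """Return (pid, reason) tuples for every event that matches a rule."""
    findings = []
    for ev in events:
        name, parent = _name(ev.image), _name(ev.parent_image)
        # Rule 1: explorer.exe started by explorer.exe. Legitimate cases exist
        # (a user opening a folder in a separate process), so this is a lead
        # to triage, not proof; in the report it is the hollowed instance
        # spinning up a second one to host the miner.
        if name == "explorer.exe" and parent == "explorer.exe":
            findings.append((ev.pid, "explorer.exe spawned by explorer.exe"))
        # Rule 2: anything named wuauclt.exe outside System32 is masquerading.
        if name == "wuauclt.exe" and _dir(ev.image) != SYSTEM32:
            findings.append((ev.pid, f"wuauclt.exe running from {ev.image}"))
    return findings


# Constructed sample telemetry (paths and PIDs are made up for this example).
SAMPLE_EVENTS = [
    ProcEvent(1200, r"C:\Windows\explorer.exe", r"C:\Windows\System32\userinit.exe"),
    ProcEvent(2300, r"C:\Program Files\MediaGet\mediaget.exe", r"C:\Windows\explorer.exe"),
    ProcEvent(4321, r"C:\Windows\explorer.exe", r"C:\Windows\explorer.exe"),
    ProcEvent(4400, r"C:\Users\alice\AppData\Local\Temp\wuauclt.exe", r"C:\Windows\explorer.exe"),
    ProcEvent(5100, r"C:\Windows\System32\wuauclt.exe", r"C:\Windows\System32\svchost.exe"),
]


if __name__ == "__main__":
    for pid, reason in find_suspicious(SAMPLE_EVENTS):
        print(f"pid {pid}: {reason}")
```

Run against the constructed events, the script flags only PIDs 4321 and 4400; the legitimate explorer.exe started by userinit.exe and the real wuauclt.exe under System32 pass. Rule 1 is deliberately noisy and is meant as a triage lead that is combined with the second rule or with other context, not as a stand-alone alert.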

How the attack was planned and carried out, according to the second report

The first report mainly described how the defenses handled the Dofoil variant, but it did not cover the attack method or its details, so the researchers elaborated on these in the second report. They stated that users' PCs were infected by a file named my.dat that was created by mediaget.exe. They also noted that the attackers spent around three weeks carefully planning the operation before launching it. It was later found that the attackers had stealthily gained access to MediaGet's systems and replaced the legitimate MediaGet installer with a backdoored one to serve their purposes.

Efficiency of Supply Chain Attacks

Microsoft was able to contain this attack, but it remains a threat, since further attacks of this kind could cause more damage. Supply-chain attacks of this type are becoming more common because they give attackers more tools at their disposal. Users will keep updating and downloading software packages from unreliable sources, which keeps this threat alive.
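Both the swapped MediaGet installer described in the previous section and the habit of downloading packages from unreliable sources mentioned here come down to the same defensive check: confirm that the file you are about to run is the one the vendor actually published. The following is an added example, not MediaGet's or Microsoft's code. KNOWN_GOOD is a constructed table standing in for hashes a vendor publishes out of band (on its web page or in a signed manifest), and the two file contents written in demo() are constructed as well.

```python
"""Hash-pinning check for a downloaded installer before it is run.

Added example, not MediaGet's or Microsoft's code. KNOWN_GOOD is a
constructed table of published hashes; the file contents in demo() are
constructed stand-ins for a genuine and a tampered installer.
"""
import hashlib
import hmac
import os
import tempfile

# Constructed: file name -> SHA-256 the vendor is assumed to have published.
# The value is the SHA-256 of the bytes b"abc", used as a stand-in.
KNOWN_GOOD = {
    "example-installer.exe":
        "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
}


def sha256_file(path, chunk_size=1 << 16):
    """Hash a file in chunks so large installers do not need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def verify_installer(path, expected_hex):
    """True only if the file's SHA-256 matches the published value."""
    actual = sha256_file(path)
    # Digests are not secrets here, but compare_digest is the habit to keep
    # for any digest comparison so the check never depends on timing.
    return hmac.compare_digest(actual, expected_hex.lower())


def demo():
    """Write a genuine and a tampered copy; return their verification results."""
    expected = KNOWN_GOOD["example-installer.exe"]
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "example-installer.exe")
        bad = os.path.join(tmp, "example-installer-tampered.exe")
        with open(good, "wb") as f:
            f.write(b"abc")   # constructed "genuine" installer bytes
        with open(bad, "wb") as f:
            f.write(b"abd")   # one byte changed: a swapped installer
        return verify_installer(good, expected), verify_installer(bad, expected)


if __name__ == "__main__":
    print(demo())   # -> (True, False)
```

The check only helps if the expected hash comes from a channel the attacker did not control; a hash listed on the same compromised download page is no protection, which is why vendors are expected to sign installers and publish digests in a separately authenticated place.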

