Microsoft Thwarts Massive Electroneum Mining Malware Campaign

Microsoft halted an Electroneum mining campaign

Microsoft’s Windows Defender reportedly managed to prevent a massive Electroneum (ETN) mining campaign from spreading, according to the IT giant. Per the company’s Windows Defender team, the campaign attempted to infect a whopping 400,000 computers during a 12-hour period.

The Redmond-based company revealed that the campaign tried to infect its victims with a variant of Dofoil – known as Smoke Leader -a trojan that downloads malware onto victims’ machines.

Microsoft’s post reads:

“Within the next 12 hours, more than 400,000 instances were recorded, 73% of which were in Russia. Turkey accounted for 18% and Ukraine 4% of the global encounters.”

The company claims it managed to immediately discover the attack thanks to its behavior-based, cloud-powered machine learning models. These, per Microsoft, almost immediately picked up the malware, classified it as a threat, and within minutes started blocking it.

The cryptocurrency miner the attack attempted to get on victim’s computers reportedly supports NiceHash, meaning it could mine different cryptocurrencies. In this case, the mining malware mined Electroneum.

How the Electroneum mining attack worked

Reports suggest the Dofoil variant attempted to inject malicious code into a legitimate OS process dubbed explorer.exe. One the malicious code was injected, the malware downloader would proceed to download the cryptocurrency miner, named “coinminer.”

Coinminer itself was masquerading as a Windows binary to avoid raising suspicions. Microsoft’s Windows Defender picked up on it because although it looked legitimate, it was running from the wrong disk location.

Moreover, the miner was generating suspicious traffic, as it was attempting to contact its command and control (C&C) server. The C&C server was located on the decentralized Namecoin network infrastructure, which is known for having other malware families stored in its .bit domains.

Windows 10, Windows 8.1, and Windows 7 users running Windows Defender are protected against these types of attacks, Microsoft’s post reads. As recently reported, a researcher found nearly 50,000 websites running cryptocurrency mining malware. Users who wish to protect against these will have to use specific software, or browsers like Opera and Brave.

This attack is presumably related to the ongoing cryptojacking trend has seen criminals normally attempt to mine Monero (XMR). The trend has made various high-profile victims, including Tesla, which saw its cloud get hacked and used to mine.

As previously covered by Ethereum World News, hackers are even stuffing Monero ransom notes inside distributed denial of service (DDoS) attacks to get their victims to pay them to stop.