Poisoned BitTorrent Client Hits 400,000 Windows PCs With Malware


Attackers used a counterfeit software update to launch the massive Windows malware campaign

An attack that tried to launch malware on more than 400,000 Windows PCs over a 12-hour period earlier this month spread via an infected program that had been secretly distributed days earlier, Microsoft has said.

The outbreak, which occurred on 6 March, placed a malware variant known as Dofoil or Smoke Loader. In turn, that program tried to download and launch malware called CoinMiner, which uses the target’s system resources to mine cryptocurrencies.

Dofoil is commonly spread via malicious emails and exploit kits, but those didn’t figure in this case, Microsoft said.

Instead, it found the attacks were launched by a malicious version of MediaGet, a popular Russian-developed program for exchanging BitTorrent files.

The infected software downloaded Dofoil, which in turn tried to launch CoinMiner. Credit: Microsoft

Poisoned update

MediaGet isn’t itself malicious, but Microsoft found MediaGet’s update servers had been compromised to send malicious code to users.

More specifically, valid copies of MediaGet downloaded a program called update.exe, which in turn downloaded and installed the malicious mediaget.exe file, replacing the legitimate version.

The malicious code was 98 percent similar to the valid version, and functioned in the same way, but had the additional ability to download code of the attacker’s choice via control servers.

The malicious mediaget.exe program wasn’t signed, but update.exe was signed by a third-party software company unrelated to MediaGet. Microsoft said the third party was probably another victim of the attackers.

Most of the infection attempts – 73 percent – occurred in Russia, with Turkey and the Ukraine accounting for 18 percent and 4 percent.

Sophisticated attacks

The incident shows how malware attacks are increasingly making use of advanced techniques, Microsoft said.

“The Dofoil outbreak… exemplifies the kind of multi-stage malware attacks that are fast-becoming commonplace,” the company said in an advisory. “Commodity cybercrime threats are adopting sophisticated methods that are traditionally associated with more advanced cyberattacks.”

While in this case Dofoil only tried to mine cryptocurrency, it could just as easily have installed more destructive code, said Jessica Payne, a researcher with Microsoft’s Windows Defender Security Research group.

“What we did wasn’t just to disrupt a ‘relatively harmless’ mining campaign, but to detect and interrupt a distribution vector that could just as easily have delivered ransomware to those targets,” she wrote on Twitter.

Do you know all about security? Try our quiz!