
Poisoned BitTorrent Client Hits 400,000 Windows PCs With Malware

An attack that tried to launch malware on more than 400,000 Windows PCs over a 12-hour period earlier this month spread via an infected program that had been secretly distributed days earlier, Microsoft has said.

The outbreak, which occurred on 6 March, dropped a malware variant known as Dofoil or Smoke Loader. That program in turn tried to download and launch malware called CoinMiner, which uses the victim's system resources to mine cryptocurrency.

Dofoil is commonly spread via malicious emails and exploit kits, but those didn’t figure in this case, Microsoft said.

Instead, it found the attacks were launched through a trojanised version of MediaGet, a popular Russian-developed BitTorrent client.

The infected software downloaded Dofoil, which in turn tried to launch CoinMiner. Credit: Microsoft

Poisoned update

MediaGet isn’t itself malicious, but Microsoft found MediaGet’s update servers had been compromised to send malicious code to users.

More specifically, legitimate copies of MediaGet downloaded a program called update.exe, which in turn downloaded and installed a malicious mediaget.exe, replacing the legitimate executable.

The malicious executable was 98 percent similar to the legitimate one and behaved the same way, but had the additional ability to download code of the attacker's choice from command-and-control servers.

The malicious mediaget.exe was not signed, but update.exe was signed by a third-party software company unrelated to MediaGet. Microsoft said that third party was probably another victim of the attackers.
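The signing detail above is the one a practitioner would turn into a check: an updater (or an endpoint audit) should not merely require that a downloaded binary is signed, it should require that the signer is the publisher it expects. The following PowerShell is an added example written for this article, not code from Microsoft or from the MediaGet project; the publisher name and file paths it uses are assumptions for illustration.

```powershell
# Added example (not Microsoft's or MediaGet's code): verify that an update
# binary carries a valid Authenticode signature AND that the signer matches
# the publisher you expect, rather than merely "signed by someone".
# The expected-publisher string and file paths are assumed values.

function Test-TrustedUpdateBinary {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Substring expected in the signer certificate's Subject (assumed value).
        [Parameter(Mandatory)] [string] $ExpectedPublisher
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Trusted = $false; Reason = 'file not found' }
    }

    $sig = Get-AuthenticodeSignature -LiteralPath $Path

    # An unsigned or tampered file (like the trojanised mediaget.exe described
    # above) fails here: Status will be NotSigned or HashMismatch, not Valid.
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{ Path = $Path; Trusted = $false; Reason = "signature status: $($sig.Status)" }
    }

    # A valid signature from the wrong publisher (like an update.exe signed by
    # an unrelated company) fails here, even though Windows considers it valid.
    $subject = $sig.SignerCertificate.Subject
    if ($subject -notlike "*$ExpectedPublisher*") {
        return [pscustomobject]@{ Path = $Path; Trusted = $false; Reason = "unexpected signer: $subject" }
    }

    # Record the SHA-256 so the decision can be logged and correlated later.
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    return [pscustomobject]@{ Path = $Path; Trusted = $true; Reason = "signed by $subject"; Sha256 = $hash }
}

# Usage (paths and publisher are assumptions): check both stages of the chain.
$expected = 'CN=Example Software Vendor'   # assumed publisher name
foreach ($f in 'C:\Program Files\MediaGet\update.exe', 'C:\Program Files\MediaGet\mediaget.exe') {
    Test-TrustedUpdateBinary -Path $f -ExpectedPublisher $expected | Format-List
}
```

Matching on the certificate Subject survives routine certificate renewal; pinning `$sig.SignerCertificate.Thumbprint` instead is stricter but must be updated whenever the publisher rotates its signing certificate. Either way, the point is that "valid signature" alone would have accepted the update.exe described above.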

Most infection attempts, 73 percent, were in Russia, with Turkey and Ukraine accounting for 18 percent and 4 percent respectively.

Sophisticated attacks

The incident shows how malware attacks are increasingly making use of advanced techniques, Microsoft said.

“The Dofoil outbreak… exemplifies the kind of multi-stage malware attacks that are fast-becoming commonplace,” the company said in an advisory. “Commodity cybercrime threats are adopting sophisticated methods that are traditionally associated with more advanced cyberattacks.”

While in this case Dofoil only tried to mine cryptocurrency, it could just as easily have installed more destructive code, said Jessica Payne, a researcher with Microsoft’s Windows Defender Security Research group.

“What we did wasn’t just to disrupt a ‘relatively harmless’ mining campaign, but to detect and interrupt a distribution vector that could just as easily have delivered ransomware to those targets,” she wrote on Twitter.


Matthew Broersma

Matt Broersma is a long-standing tech freelancer who has worked for Ziff-Davis, ZDNet and other leading publications.
