Malware Tricks 400K Windows PCs Into Mining Cryptocurrency

Over 400,000 Windows machines, mainly in Russia, faced a nasty surprise this calendar week: a strain of malware attempted to infect them with a cryptocurrency miner.

SecurityWatch The malicious program spread to a huge swath of machines earlier Microsoft's Windows Defender antivirus software intervened. Redmond is blaming a Trojan dubbed Dofoil.

The company offset noticed the infection attempts around apex Pacific Time through its malware monitoring systems. "Within the next 12 hours, more 400,000 instances were recorded, 73 percent of which were in Russia. Turkey accounted for 18 percent and Ukraine 4 percent of the global encounters," Microsoft said in a web log postal service on Midweek.

Dofoil outbreak

The Dofoil Trojan, likewise known as Smoke Loader, is nada new; information technology's been around since at least 2022. Even so, Tuesday's attack was designed to evangelize software that can secretly mine a diversity of cryptocurrencies over a reckoner. "The sample we analyzed mined Electroneum coins," Microsoft said.

How the Trojan spread to so many computers isn't totally clear. But in an e-mail, Microsoft said, "There are a number of means a organisation could be compromised. In this case we take seen some correlation with certain file sharing and internet download programs."

That suggests the Trojan may have been delivered through a torrent file, which often deliver homemade movies or pirated games. Microsoft stopped the Dofoil attack via its free antivirus software, but that could just exist the tip of the iceberg.

As security researcher Kevin Beaumont noted on Twitter, Microsoft is "but seeing Defender numbers"—not PCs with other antivirus protection or none at all—then "infections are probable way over half a million," he wrote.

The incident is the latest in a long line of cryptocurrency-related hacks, some of which can generate a fortune for the cybercriminals involved. On the plus side, coin miners tend to exercise nothing more than hog your PC's computing power, kicking the machine into loftier gear. But that doesn't mean the attacks are completely harmless. Dofoil, for instance, tin can also exist used to download malicious files to an infected computer.

"We made this a high priority because Dofoil/Smokeloader tin can drop a lot of payloads," said Microsoft security specialist Jessica Payne in a tweet. "What we did wasn't merely to disrupt a 'relatively harmless' mining entrada, simply to detect and interrupt a distribution vector that could just every bit easily have delivered ransomware to those targets."