Peer-to-peer App Kicked off Dofoil Coin Miner Outbreak


Enterprise & IT | Mar 14, 2018

The BitTorrent client MediaGet was abused as the delivery vehicle in a massive 'Dofoil' campaign that attempted to install malicious cryptocurrency miners on hundreds of thousands of computers.

Growing interest in cryptocurrencies has led to an explosion of cryptocurrency miners (also called cryptominers or coin miners) in various forms. Mining is the process of running the intensive computations needed to validate transactions and extend the blockchain ledger. It is rewarded with coins, but it demands significant computing resources and electricity.

Coin miners are not inherently malicious. Some individuals and organizations invest in hardware and electric power for legitimate mining operations. Others, however, go looking for someone else's computing power, and as a result coin miners find their way into corporate networks. Even a miner that is not malicious is unwanted in an enterprise environment because it consumes CPU time, power and bandwidth that belong to the business.

On March 7, Microsoft reported that a massive Dofoil campaign had attempted to install malicious cryptocurrency miners on hundreds of thousands of computers.

Dofoil (also known as Smoke Loader) is traditionally distributed in multiple ways, including spam email and exploit kits. But in the outbreak that began on March 6, one pattern stood out: most of the malicious files were written to disk by a process called mediaget.exe.

That process belongs to MediaGet, a BitTorrent client.

According to Microsoft, Dofoil did not appear to be arriving through torrent downloads during the outbreak. Instead, the attackers ran an update-poisoning campaign that installed a trojanized version of MediaGet: the legitimately signed mediaget.exe downloads an update.exe program and runs it, and update.exe installs a new mediaget.exe. The replacement has the same functionality as the original but adds backdoor capability.
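The tell-tale pattern Microsoft describes (executables written by mediaget.exe, and mediaget.exe launching an updater) is easy to hunt for on an instrumented Windows host. The script below is an added example, not code from the article, Microsoft or MediaGet; it assumes Sysmon is installed and configured to log FileCreate (Event ID 11) and ProcessCreate (Event ID 1) events to the Microsoft-Windows-Sysmon/Operational log, and the seven-day look-back window is an arbitrary default.

```powershell
# Added hunting example (not from the article). Assumes Sysmon is deployed and
# logging Event ID 11 (FileCreate) and Event ID 1 (ProcessCreate).

function Get-SysmonEventData {
    # Flatten a Sysmon event's <EventData><Data Name="..."> elements into one object.
    param([System.Diagnostics.Eventing.Reader.EventRecord] $Event)
    $xml = [xml] $Event.ToXml()
    $h = @{ TimeCreated = $Event.TimeCreated; Id = $Event.Id }
    foreach ($d in $xml.Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    [pscustomobject] $h
}

function Find-MediaGetDropperActivity {
    param([datetime] $Since = (Get-Date).AddDays(-7))   # assumed look-back window
    $log = 'Microsoft-Windows-Sysmon/Operational'

    # Executable files written to disk by mediaget.exe: the pattern Microsoft highlighted.
    $drops = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 11; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object { Get-SysmonEventData $_ } |
        Where-Object { $_.Image -match '\\mediaget\.exe$' -and $_.TargetFilename -match '\.(exe|dll|scr)$' }

    # Child processes of mediaget.exe, e.g. the update.exe stage of the chain.
    $children = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 1; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object { Get-SysmonEventData $_ } |
        Where-Object { $_.ParentImage -match '\\mediaget\.exe$' }

    foreach ($d in $drops) {
        [pscustomobject]@{ Time = $d.TimeCreated; Kind = 'FileCreate'; Parent = $d.Image; Target = $d.TargetFilename; CommandLine = $null }
    }
    foreach ($c in $children) {
        [pscustomobject]@{ Time = $c.TimeCreated; Kind = 'ProcessCreate'; Parent = $c.ParentImage; Target = $c.Image; CommandLine = $c.CommandLine }
    }
}

Find-MediaGetDropperActivity | Sort-Object Time | Format-Table -AutoSize
```

A legitimate MediaGet update will also show up here (a signed updater spawning from mediaget.exe is exactly what the poisoned update imitated), so treat hits as leads to be triaged by signer, hash and destination path rather than as verdicts.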

Microsoft says update.exe is signed by a third-party software company that is unrelated to MediaGet and is most likely itself a victim. The file was code-signed with that unrelated certificate simply to pass the check performed by the original mediaget.exe, which requires an update to carry a valid code signature but evidently does not verify who the signer is. Any valid code-signing certificate therefore satisfies it.
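The weakness described above is the difference between "is this file signed?" and "is this file signed by the publisher I expect?". The script below is an added example, not code from the article, Microsoft or MediaGet; it shows both checks side by side using Get-AuthenticodeSignature. The thumbprint in the allow-list is a placeholder assumption standing in for the real publisher certificate an updater should pin.

```powershell
# Added example (not from the article). Verifies an update binary the way a
# robust updater should: valid Authenticode chain AND a pinned publisher cert.
param(
    [Parameter(Mandatory)] [string] $Path,
    # Assumed allow-list of SHA-1 thumbprints of the publisher's signing certificates.
    [string[]] $TrustedThumbprints = @('0000000000000000000000000000000000000000')
)

function Test-UpdateSignature {
    param([string] $FilePath, [string[]] $Thumbprints)

    $sig = Get-AuthenticodeSignature -FilePath $FilePath

    # Weak check, as the article describes the original mediaget.exe behaving:
    # any signature that chains to a trusted root passes, whoever the signer is.
    $signedAtAll = ($sig.Status -eq 'Valid')

    # Strong check: the chain must be valid AND the leaf certificate must be pinned.
    $pinned = $signedAtAll -and ($Thumbprints -contains $sig.SignerCertificate.Thumbprint)

    [pscustomobject]@{
        File             = $FilePath
        Status           = $sig.Status
        Signer           = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        Thumbprint       = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { $null }
        SignedAtAll      = $signedAtAll
        TrustedPublisher = $pinned
    }
}

$result = Test-UpdateSignature -FilePath $Path -Thumbprints $TrustedThumbprints
$result | Format-List

if (-not $result.TrustedPublisher) {
    # A poisoned update signed by an unrelated company lands here: SignedAtAll is
    # $true, TrustedPublisher is $false, and the updater must refuse to run it.
    Write-Error "Refusing to run $Path : signature present=$($result.SignedAtAll) but signer is not in the allow-list."
    exit 1
}
```

Run it as `.\Test-UpdateSignature.ps1 -Path .\update.exe -TrustedThumbprints '<your publisher thumbprint>'`. Pinning the thumbprint (or the full subject plus issuer) is what closes the gap; checking only that Status is Valid reproduces the flaw the campaign exploited.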

"The malware campaign used Dofoil to deliver CoinMiner, which attempted to use the victims' computer resources to mine cryptocurrencies for the attackers," Microsoft said. "The Dofoil variant used in the attack showed advanced cross-process injection techniques, persistence mechanisms, and evasion methods. Windows Defender ATP can detect these behaviors across the infection chain."

The trojanized mediaget.exe file is detected by Windows Defender AV as Trojan:Win32/Modimer.A.

For protection against Dofoil and similar coin miners, Microsoft recommends Windows 10 S, which runs only apps from the Microsoft Store and so, the company says, blocks malware and applications from unverified sources.
