In a blog post published on Wednesday, Microsoft said their Windows Defender antivirus software helped in the prevention of a massive cryptocurrency malware attack from spreading across the globe.
Just before the noon of March 6, it did so by blocking around 80,000 instances of “several sophisticated trojans that exhibited advanced cross-process infection techniques, persistence mechanisms, and evasion methods.”
The Trojans were new variants of Dofoil (aka Smoke Loader) and carried a coin miner payload. Within the next 12-hour period, more than 400,000 instances were recorded by their systems. The attack mostly targeted computers in Russia (73%), Turkey (18%), and Ukraine (4%).
Microsoft said the advanced machine learning models that power their cloud protection service triggered the blocking of malware within milliseconds after it was detected by Windows Defender.
“People affected by these infection attempts early in the campaign would have seen blocks under machine learning names like Fuery, Fuerboos, Cloxer, or Azden. Later blocks show as the proper family names, Dofoil or Coinminer.”
With the rise in the value and popularity of cryptocurrencies like Bitcoin, the attackers are motivated than ever to integrate coin miners in their attacks. In fact, crypto miners have posed themselves as an alternative to ransomware.
In total, the malware campaign targeted close to 500,000 computers in different regions. Various Microsoft operating systems including Windows 7, Windows 8.1, and Windows 10 running Windows Defender or Microsoft Security Essentials are now safe from the threat.