On the 7th of March cloudblogs.microsoft.com reported that Windows Defender Antivirus (which ships with newer Windows OSs) managed to successfully block 400,000 instances of a Dofoil (aka Smoke Loader) variant. This trojan type is able to download further applications to the user's PC and can also carry a coin miner, which can be used to mine cryptocurrencies on the infected machines.

The targets were mostly Russian users (73%), but it also affected Turkey (18%) and Ukraine (4%). You can find the complete geographic chart here.

Users running Windows Defender AV on Windows 10, Windows 8.1 and Windows 7 were all protected from the malware. Windows Defender used artificial intelligence and behavior-based detection methods to notice, observe and block the attempt (description taken from cloudblogs.microsoft.com):

Within milliseconds, multiple metadata-based machine learning models in the cloud started blocking these threats at first sight. Seconds later, the sample-based and detonation-based machine learning models also verified the malicious classification. Within minutes, detonation-based models chimed in and added additional confirmation. Within minutes, an anomaly detection alert notified us about a new potential outbreak. After analysis, the response team updated the classification name of this new surge of threats to the proper malware families. People affected by these infection attempts early in the campaign would have seen blocks under machine learning names like Fuery, Fuerboos, Cloxer, or Azden. Later blocks show as the proper family names, Dofoil or Coinminer.

After infecting a system, the trojan (CoinMiner) performs process hollowing on explorer.exe. This is a code injection technique: a new instance of explorer.exe is spawned and its contents are replaced with the malicious code, so the actual trojan runs disguised as a legitimate system process. The hollowed process also alters a registry key while making an additional copy of the malware.

These trojans are mostly used to mine CryptoNote-based currencies such as Monero, because the algorithm used there is CPU-friendly and can easily be mined on most infected home desktops.