A recent malware campaign that attempted to install a resource-draining currency miner on more than 400,000 computers in 12 hours was caused by a malicious backdoor that was sneaked into a BitTorrent application called Mediaget, a Microsoft researcher said Tuesday.
The failed campaign is the latest example of what researchers call a supply-chain attack, which aims to infect large numbers of people by compromising a popular piece of hardware or software. Other examples of recent supply-chain attacks include a backdoored update of the CCleaner disk-maintenence program delivered to 2.27 million people, a tainted version of the Transmission BitTorrent client that installed ransomware on Macs, and a collection of malicious Android apps that came preinstalled on phones from two different manufacturers.
One of the more significant supply-chain attacks to come to light was the tampering of the update process for M.E.Doc, a tax-accounting application that’s widely used in Ukraine. The compromised update seeded the NotPetya wiper worm, which shut down computers all over the world last July.
Last week, Microsoft researchers reported that the company’s Windows Defender antivirus blocked more than 400,000 instances by several advanced trojans to infect computers primarily located in Russia, Turkey, and Ukraine. The trojans were new variants of the Dofoil malware, which also goes by the name Smoke Loader. (Smoke Loader, by the way, is the name of malware that AV provider Kaspersky Lab said infected a poorly secured computer in Maryland when it sent highly sensitive National Security Agency secrets to the Kaspersky Moscow headquarters.) The Dofoil trojans Microsoft analyzed caused infected computers to install a program called CoinMiner, which tried to use infected computer resources to mine cryptocurrencies for the attackers.
Dofoil is most often spread through spam e-mail and exploit kits. On Tuesday, Microsoft researchers said the massive barrage of trojans came from a different source: a poisoned update from Mediaget. The update poisoning happened some time between February 12 and February 19. The attackers waited until March 1 to begin distributing the malware, and it wasn’t until March 6 that Microsoft began to detect it.
To avoid detection, the malware used a valid digital certificate that Microsoft suspects was stolen from an unnamed company. It’s not clear how the attackers managed to obtain the digital certificate. One possibility is from a thriving underground economy that sells counterfeit malware signing credentials that are unique to each buyer. Microsoft also didn’t explain how the Mediaget update system was compromised. Microsoft notified both Mediaget and the unnamed company.
Wednesday’s report is the latest sign of continuing sophistication of malware attacks. A decade ago, multistage malware that relied on counterfeit certificates and compromised supply chains were the stuff of nation-sponsored attack groups. Now, common criminals are relying on the techniques to mine digital coins.