{"id":80813,"date":"2018-03-13T15:27:06","date_gmt":"2018-03-13T22:27:06","guid":{"rendered":"https:\/\/cloudblogs.microsoft.com\/microsoftsecure\/?p=80813"},"modified":"2023-05-16T13:53:32","modified_gmt":"2023-05-16T20:53:32","slug":"poisoned-peer-to-peer-app-kicked-off-dofoil-coin-miner-outbreak","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/03\/13\/poisoned-peer-to-peer-app-kicked-off-dofoil-coin-miner-outbreak\/","title":{"rendered":"Poisoned peer-to-peer app kicked off Dofoil coin miner outbreak"},"content":{"rendered":"<p>On March 7, we reported that a <a href=\"https:\/\/cloudblogs.microsoft.com\/microsoftsecure\/2018\/03\/07\/behavior-monitoring-combined-with-machine-learning-spoils-a-massive-dofoil-coin-mining-campaign\/\">massive Dofoil campaign<\/a> attempted to install malicious <a target=\"_blank\" href=\"https:\/\/cloudblogs.microsoft.com\/microsoftsecure\/2018\/03\/13\/invisible-resource-thieves-the-increasing-threat-of-cryptocurrency-miners\/\" rel=\"noopener\">cryptocurrency miners<\/a> on hundreds of thousands of computers. Windows Defender Antivirus, with its behavior monitoring, machine learning technologies, and <a href=\"https:\/\/cloudblogs.microsoft.com\/microsoftsecure\/2017\/12\/11\/detonating-a-bad-rabbit-windows-defender-antivirus-and-layered-machine-learning-defenses\/\">layered approach to security<\/a> detected and blocked the attack within milliseconds.&nbsp;<a href=\"https:\/\/www.microsoft.com\/en-us\/windows\/windows-10-s?ocid=cx-blog-mmpc\">Windows 10 S<\/a>, a special configuration of Windows 10 providing Microsoft-verified security, was not vulnerable to this attack.<\/p>\n<p>A new capability in Windows Defender AV, Emergency Dynamic Intelligence Update (EDIU), helped push protections from the cloud directly to endpoints within 15 minutes after the outbreak was identified. This feature, currently in preview, is designed specifically for these kinds of outbreaks and delivers protections in near real time. In addition, client endpoints automatically downloaded definition packages (VDM) from Windows SUS servers and Microsoft Update servers.*<\/p>\n<p>Immediately upon discovering the attack, we looked into the source of the huge volume of infection attempts. Traditionally, <a href=\"https:\/\/www.microsoft.com\/en-us\/wdsi\/threats\/malware-encyclopedia-description?Name=TrojanDownloader:Win32\/Dofoil.AB\">Dofoil<\/a> (also known as Smoke Loader) is distributed in multiple ways, including spam email and exploit kits. In the outbreak, which began in March 6, a pattern stood out: most of the malicious files were written by a process called <em>mediaget.exe<\/em>.<\/p>\n<p>This process is related to MediaGet, a BitTorrent client that we classify as <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/security\/threat-protection\/windows-defender-antivirus\/detect-block-potentially-unwanted-apps-windows-defender-antivirus\">potentially unwanted application (PUA)<\/a>. MediaGet is often used by people looking to download programs or media from websites with dubious reputation. Downloading through peer-to-peer file-sharing apps like this can increase the risk of downloading malware.<\/p>\n<p>During the outbreak, however, Dofoil didn\u2019t seem to be coming from torrent downloads. We didn\u2019t see similar patterns in other file-sharing apps. The process mediaget.exe always wrote the Dofoil samples to the %TEMP% folder using the file name my.dat. The most common source of infection was the file <em>%LOCALAPPDATA%\\MediaGet2\\mediaget.exe<\/em> (SHA-1<em>: 3e0ccd9fa0a5c40c2abb40ed6730556e3d36af3c<\/em>).<\/p>\n<p><strong>Recommended reading: <\/strong>For campaign statistics, payload details, and the Windows Defender response, read:<\/p>\n<ul>\n<li><strong><a href=\"https:\/\/cloudblogs.microsoft.com\/microsoftsecure\/2018\/03\/07\/behavior-monitoring-combined-with-machine-learning-spoils-a-massive-dofoil-coin-mining-campaign\/\">Behavior monitoring combined with machine learning spoils a massive Dofoil coin mining campaign<\/a><\/strong><\/li>\n<li><a href=\"https:\/\/cloudblogs.microsoft.com\/microsoftsecure\/2018\/04\/04\/hunting-down-dofoil-with-windows-defender-atp\/\"><strong>Hunting down Dofoil with Windows Defender ATP<\/strong><\/a><\/li>\n<\/ul>\n<h2>Tracing the infection timeline<\/h2>\n<p>Our continued investigation on the Dofoil outbreak revealed that the March 6 campaign was a carefully planned attack with initial groundwork dating back to mid-February. To set the stage for the outbreak, attackers performed an update poisoning campaign that installed a trojanized version of MediaGet on computers. The following timeline shows the major events related to the Dofoil outbreak.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-80822\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/03\/fig1-timeline.png\" alt=\"\" width=\"800\" height=\"265\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/03\/fig1-timeline.png 969w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/03\/fig1-timeline-300x99.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/03\/fig1-timeline-768x254.png 768w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/><\/p>\n<p><em>Figure 1.&nbsp;MediaGet-related malware outbreak timeline (all dates in UTC).<\/em><\/p>\n<h2>MediaGet update poisoning<\/h2>\n<p>The update poisoning campaign that eventually led to the outbreak is described in the following diagram. A signed <em>mediaget.exe<\/em> downloads an <em>update.exe<\/em> program and runs it on the machine to install a new <em>mediaget.exe<\/em>. The new <em>mediaget.exe<\/em> program has the same functionality as the original but with additional backdoor capability.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-80828\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/03\/fig2-update-poisoning-flow.png\" alt=\"\" width=\"350\" height=\"644\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/03\/fig2-update-poisoning-flow.png 529w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/03\/fig2-update-poisoning-flow-163x300.png 163w\" sizes=\"(max-width: 350px) 100vw, 350px\" \/><em>Figure 2. Update poisoning flow<\/em><\/p>\n<p>The malicious update process is recorded by Windows Defender Advanced Threat Protection (<a target=\"_blank\" href=\"https:\/\/www.microsoft.com\/en-us\/windowsforbusiness\/windows-atp?ocid=cx-blog-mmpc\" rel=\"noopener\">Windows Defender ATP<\/a>). The following alert process tree shows the original mediaget.exe dropping the poisoned signed update.exe.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-80831 aligncenter\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/03\/fig3-update-poisoning-flow-edr-1024x469.png\" alt=\"\" width=\"1024\" height=\"469\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/03\/fig3-update-poisoning-flow-edr-1024x469.png 1024w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/03\/fig3-update-poisoning-flow-edr-300x137.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/03\/fig3-update-poisoning-flow-edr-768x351.png 768w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/03\/fig3-update-poisoning-flow-edr.png 1073w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><em>Figure 3. Windows Defender ATP detection of malicious update process<\/em><\/p>\n<h2>Poisoned update.exe<\/h2>\n<p>The dropped <em>update.exe<\/em> is a packaged InnoSetup SFX which has an embedded trojanized <em>mediaget.exe<\/em>, update.exe. When run, it drops a trojanized unsigned version of <em>mediaget.exe<\/em>.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-80897 aligncenter\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/03\/fig4-cert.png\" alt=\"\" width=\"808\" height=\"518\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/03\/fig4-cert.png 808w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/03\/fig4-cert-300x192.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/03\/fig4-cert-768x492.png 768w\" sizes=\"(max-width: 808px) 100vw, 808px\" \/><\/p>\n<p><em>Figure 4.&nbsp;Certificate information of the poisoned update.exe<\/em><\/p>\n<p><em>Update.exe<\/em> is signed by a third-party software company that is unrelated to MediaGet and is probably a victim of this plot. The executable was code signed with a different cert just to pass the signing requirement verification as seen in the original <em>mediaget.exe<\/em>. The update code will check the certificate information to verify whether it is valid and signed. If it is signed, it will check that the hash value matches the value retrieved from the hash server located in mediaget.com infrastructure. The figure below shows a code snippet that checks for valid signatures on the downloaded update.exe.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-80846 aligncenter\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/03\/fig-5-update.png\" alt=\"\" width=\"513\" height=\"259\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/03\/fig-5-update.png 513w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/03\/fig-5-update-300x151.png 300w\" sizes=\"(max-width: 513px) 100vw, 513px\" \/><em>Figure 5. mediaget.exe update code<\/em><\/p>\n<h2>Trojanized <em>mediaget.exe<\/em><\/h2>\n<p>The trojanized <em>mediaget.exe<\/em> file, detected by Windows Defender AV as Trojan:Win32\/Modimer.A, shows the same functionality as the original one, but it is not signed by any parties and has additional backdoor functionality. This malicious binary has 98% similarity to the original, clean MediaGet binary. The following PE information shows the different PDB information and its file path left in the executable.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-80849 aligncenter\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/03\/fig6-PDB-comparison.png\" alt=\"\" width=\"621\" height=\"159\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/03\/fig6-PDB-comparison.png 621w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/03\/fig6-PDB-comparison-300x77.png 300w\" sizes=\"(max-width: 621px) 100vw, 621px\" \/><em>Figure 6. PDB path comparison of signed and trojanized executable<\/em><\/p>\n<p>When the malware starts, it builds a list of command-and-control (C&amp;C) servers.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-80855 aligncenter\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/03\/fig7-cnc-server-list.png\" alt=\"\" width=\"435\" height=\"181\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/03\/fig7-cnc-server-list.png 435w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/03\/fig7-cnc-server-list-300x125.png 300w\" sizes=\"(max-width: 435px) 100vw, 435px\" \/><\/p>\n<p><em>Figure 7. C&amp;C server list<\/em><\/p>\n<p>One notable detail about the embedded C&amp;C list is that the TLD .bit is not an ICANN-sanctioned TLD and is supported via NameCoin infrastructure. NameCoin is a distributed name server system that adopts the concept of blockchain model and provides anonymous domains. Since .bit domains can\u2019t be resolved by ordinary DNS servers, the malware embeds a list of 71 IPv4 addresses that serve as NameCoin DNS servers.<\/p>\n<p>The malware then uses these NameCoin servers to perform DNS lookups of the .bit domains. From this point these names are in the machine&#8217;s DNS cache and future lookups will be resolved without needing to specify the NameCoin DNS servers.<\/p>\n<p>The first contact to the C&amp;C server starts one hour after the program starts.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-80858 aligncenter\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/03\/fig8-cnc-start-timer.png\" alt=\"\" width=\"443\" height=\"48\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/03\/fig8-cnc-start-timer.png 443w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/03\/fig8-cnc-start-timer-300x33.png 300w\" sizes=\"(max-width: 443px) 100vw, 443px\" \/><\/p>\n<p><em>Figure 8. C&amp;C connection start timer<\/em><\/p>\n<p>The malware picks one of the four C&amp;C servers at random and resolves the address using NameCoin if it\u2019s a .bit domain. It uses HTTP for command-and-control communication.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-80861\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/03\/fig9-cnc-server-connection.png\" alt=\"\" width=\"936\" height=\"56\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/03\/fig9-cnc-server-connection.png 936w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/03\/fig9-cnc-server-connection-300x18.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/03\/fig9-cnc-server-connection-768x46.png 768w\" sizes=\"(max-width: 936px) 100vw, 936px\" \/><\/p>\n<p><em>Figure 9. C&amp;C server connection<\/em><\/p>\n<p>The backdoor code collects system information and sends them to the C&amp;C server through POST request.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-80867 aligncenter\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/03\/fig10-system-information-1024x206.png\" alt=\"\" width=\"1024\" height=\"206\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/03\/fig10-system-information-1024x206.png 1024w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/03\/fig10-system-information-300x60.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/03\/fig10-system-information-768x154.png 768w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/03\/fig10-system-information.png 1355w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/p>\n<p><em>Figure 10. System information<\/em><\/p>\n<p>The C&amp;C server sends back various commands to the client. The following response shows the <em>HASH<\/em>, <em>IDLE<\/em>, and <em>OK<\/em> commands. The IDLE command makes the process wait a certain time, indicated in seconds (for example, 7200 seconds = 2 hours), before contacting C&amp;C server again.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-80870 aligncenter\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/03\/fig11-cnc-commands.png\" alt=\"\" width=\"772\" height=\"378\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/03\/fig11-cnc-commands.png 772w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/03\/fig11-cnc-commands-300x147.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/03\/fig11-cnc-commands-768x376.png 768w\" sizes=\"(max-width: 772px) 100vw, 772px\" \/><em>Figure 11. C&amp;C commands<\/em><\/p>\n<p>One of the backdoor commands is a <em>RUN<\/em> command that retrieves a URL from the C&amp;C server command string. The malware then downloads a file from the URL, saves it as <em>%TEMP%\\my.dat<\/em>, and runs it.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-80873 aligncenter\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/03\/fig12-RUN-command.png\" alt=\"\" width=\"737\" height=\"526\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/03\/fig12-RUN-command.png 737w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/03\/fig12-RUN-command-300x214.png 300w\" sizes=\"(max-width: 737px) 100vw, 737px\" \/><em>Figure 12. RUN command processing code<\/em><\/p>\n<p>This <em>RUN<\/em> command was used for the distribution of the Dofoil malware starting March 1 and the malware outbreak on March 6. Windows Defender ATP alert process tree shows the malicious <em>mediaget.exe<\/em> communicating with <em>goshan.online<\/em>, one of the identified C&amp;C servers. It then drops and runs <em>my.dat<\/em> (Dofoil), which eventually leads to the <em>CoinMiner<\/em> component.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-80876\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/03\/fig13-coinminer-download-execution.png\" alt=\"\" width=\"750\" height=\"713\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/03\/fig13-coinminer-download-execution.png 909w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/03\/fig13-coinminer-download-execution-300x285.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/03\/fig13-coinminer-download-execution-768x730.png 768w\" sizes=\"(max-width: 750px) 100vw, 750px\" \/><em>Figure 13.&nbsp;Dofoil, CoinMiner download and execution flow<\/em><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-80891\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/03\/fig14-process-tree-1024x714.png\" alt=\"\" width=\"750\" height=\"523\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/03\/fig14-process-tree-1024x714.png 1024w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/03\/fig14-process-tree-300x209.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/03\/fig14-process-tree-768x536.png 768w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/03\/fig14-process-tree.png 1041w\" sizes=\"(max-width: 750px) 100vw, 750px\" \/><em>Figure 14. Windows Defender ATP alert process tree<\/em><\/p>\n<p>The malware campaign used Dofoil to deliver CoinMiner, which attempted to use the victims\u2019 computer resources to mine cryptocurrencies for the attackers. The Dofoil variant used in the attack showed advanced cross-process injection techniques, persistence mechanisms, and evasion methods. Windows Defender ATP can detect these behaviors across the infection chain.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-80882\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/03\/fig15-edr-process-hollowing.png\" alt=\"\" width=\"750\" height=\"259\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/03\/fig15-edr-process-hollowing.png 896w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/03\/fig15-edr-process-hollowing-300x103.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/03\/fig15-edr-process-hollowing-768x265.png 768w\" sizes=\"(max-width: 750px) 100vw, 750px\" \/><em>Figure 15. Windows Defender ATP detection for Dofoil\u2019s process hollowing behavior<\/em><\/p>\n<p>We have shared details we uncovered in our investigation with MediaGet\u2019s developers to aid in their analysis of the incident.<\/p>\n<p>We have shared details of the malicious use of code-signing certificate used in update.exe (thumbprint: 5022EFCA9E0A9022AB0CA6031A78F66528848568) with the certificate owner.<\/p>\n<h2>Real-time defense against malware outbreaks<\/h2>\n<p>The Dofoil outbreak on March 6, which was built on prior groundwork, exemplifies the kind of multi-stage malware attacks that are fast-becoming commonplace. Commodity cybercrime threats are adopting sophisticated methods that are traditionally associated with more advanced cyberattacks. Windows Defender Advanced Threat Protection (Windows Defender ATP) provides the suite of next-gen defenses that protect customers against a wide range of attacks in real-time.<\/p>\n<p>Windows Defender AV enterprise customers who have enabled the <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/security\/threat-protection\/windows-defender-antivirus\/detect-block-potentially-unwanted-apps-windows-defender-antivirus\">potentially unwanted application (PUA) protection feature<\/a> were protected from the trojanized MediaGet software that was identified as the infection source of the March 6 outbreak.<\/p>\n<p><a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/security\/threat-protection\/windows-defender-antivirus\/windows-defender-antivirus-in-windows-10?ocid=cx-blog-mmpc\">Windows Defender AV<\/a> protected customers from the Dofoil outbreak at the onset. Behavior-based detection technologies flagged Dofoil\u2019s unusual persistence mechanism and immediately sent a signal to the <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/security\/threat-protection\/windows-defender-antivirus\/utilize-microsoft-cloud-protection-windows-defender-antivirus\">cloud protection service<\/a>, where multiple machine learning models blocked most instances at first sight.<\/p>\n<p>In our in-depth analysis of the outbreak, we also demonstrated that the rich detection libraries in <a href=\"https:\/\/www.microsoft.com\/en-us\/WindowsForBusiness\/windows-atp?ocid=cx-blog-mmpc\">Windows Defender ATP<\/a> flagged Dofoil\u2019s malicious behaviors throughout the entire infection process. These behaviors include code injection, evasion methods, and dropping a coin mining component. Security operations can use Windows Defender ATP to detect and respond to outbreaks. Windows Defender ATP also integrates protections from Windows Defender AV, Windows Defender Exploit Guard, and Windows Defender Application Guard, providing a seamless security management experience.<\/p>\n<p>For enhanced security against Dofoil and others similar coin miners, Microsoft recommends <a href=\"https:\/\/www.microsoft.com\/en-us\/windows\/windows-10-s?ocid=cx-blog-mmpc\">Windows 10 S<\/a>. Windows 10 S exclusively runs apps from the Microsoft Store, effectively blocking malware and applications from unverified sources. Windows 10 S users were not affected by this Dofoil campaign.<\/p>\n<p>To test how Windows Defender ATP can help your organization detect, investigate, and respond to advanced attacks, <strong><a target=\"_blank\" href=\"https:\/\/www.microsoft.com\/en-us\/windowsforbusiness\/windows-atp?ocid=cx-blog-mmpc\" rel=\"noopener\">sign up for a free trial<\/a><\/strong>.<\/p>\n<p>&nbsp;<\/p>\n<p><strong><em>Windows Defender Research team<\/em><\/strong><\/p>\n<h4><\/h4>\n<p>&nbsp;<\/p>\n<p>*Updated 4\/30\/2018 &#8211;&nbsp;Emergency Dynamic Intelligence Update (EDIU) and other new features in Windows Defender AV and the rest of the Windows Defender ATP defense stack are now available with&nbsp;Windows 10 version 1803, also known as the Windows 10 April 2018 Update. Read more:&nbsp;<a href=\"https:\/\/blogs.windows.com\/windowsexperience\/2018\/04\/30\/whats-new-in-the-windows-10-april-2018-update\/\">What\u2019s new in the Windows 10 April 2018 Update<\/a>.<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<h4><strong>Indicators of compromise (IOCs)<\/strong><\/h4>\n<table style=\"font-size: small\">\n<tbody>\n<tr bgcolor=\"#dddddd\">\n<th style=\"padding: 8px\"><strong>File name<\/strong><\/th>\n<th style=\"padding: 8px\"><strong>SHA-1<\/strong><\/th>\n<th style=\"padding: 8px\"><strong>Description<\/strong><\/th>\n<th style=\"padding: 8px\"><strong>Signer<\/strong><\/th>\n<th style=\"padding: 8px\"><strong>Signing date<\/strong><\/th>\n<th style=\"padding: 8px\"><strong>Detection name<\/strong><\/th>\n<\/tr>\n<tr>\n<td style=\"padding: 8px;vertical-align: top\">mediaget.exe<\/td>\n<td style=\"padding: 8px;vertical-align: top\">1038d32974969a1cc7a79c3fc7b7a5ab8d14fd3e<\/td>\n<td style=\"padding: 8px;vertical-align: top\">Offical mediaget.exe executable<\/td>\n<td style=\"padding: 8px;vertical-align: top\">GLOBAL MICROTRADING PTE. LTD.<\/td>\n<td style=\"padding: 8px;vertical-align: top\">2:04 PM 10\/27\/2017<\/td>\n<td style=\"padding: 8px;vertical-align: top\"><a href=\"https:\/\/www.microsoft.com\/en-us\/wdsi\/threats\/malware-encyclopedia-description?Name=PUA%3aWin32%2fMediaGet\">PUA:Win32\/MediaGet<\/a><\/td>\n<\/tr>\n<tr>\n<td style=\"padding: 8px;vertical-align: top\">mediaget.exe<\/td>\n<td style=\"padding: 8px;vertical-align: top\">4f31a397a0f2d8ba25fdfd76e0dfc6a0b30dabd5<\/td>\n<td style=\"padding: 8px;vertical-align: top\">Offical mediaget.exe executable<\/td>\n<td style=\"padding: 8px;vertical-align: top\">GLOBAL MICROTRADING PTE. LTD.<\/td>\n<td style=\"padding: 8px;vertical-align: top\">4:24 PM 10\/18\/2017<\/td>\n<td style=\"padding: 8px;vertical-align: top\"><a href=\"https:\/\/www.microsoft.com\/en-us\/wdsi\/threats\/malware-encyclopedia-description?Name=PUA%3aWin32%2fMediaGet\">PUA:Win32\/MediaGet<\/a><\/td>\n<\/tr>\n<tr>\n<td style=\"padding: 8px;vertical-align: top\">update.exe<\/td>\n<td style=\"padding: 8px;vertical-align: top\">513a1624b47a4bca15f2f32457153482bedda640<\/td>\n<td style=\"padding: 8px;vertical-align: top\">Trojanized updater executable<\/td>\n<td style=\"padding: 8px;vertical-align: top\">DEVELTEC SERVICES SA DE CV<\/td>\n<td style=\"padding: 8px;vertical-align: top\">&#8211;<\/td>\n<td style=\"padding: 8px;vertical-align: top\">Trojan:Win32\/Modimer.A<\/td>\n<\/tr>\n<tr>\n<td style=\"padding: 8px;vertical-align: top\">mediaget.exe<\/td>\n<td style=\"padding: 8px;vertical-align: top\">3e0ccd9fa0a5c40c2abb40ed6730556e3d36af3c,<br \/>\nfda5e9b9ce28f62475054516d0a9f5a799629ba8<\/td>\n<td style=\"padding: 8px;vertical-align: top\">Trojanized mediaget.exe executable<\/td>\n<td style=\"padding: 8px;vertical-align: top\">Not signed<\/td>\n<td style=\"padding: 8px;vertical-align: top\">&#8211;<\/td>\n<td style=\"padding: 8px;vertical-align: top\">Trojan:Win32\/Modimer.A<\/td>\n<\/tr>\n<tr>\n<td style=\"padding: 8px;vertical-align: top\">my.dat<\/td>\n<td style=\"padding: 8px;vertical-align: top\">d84d6ec10694f76c56f6b7367ab56ea1f743d284<\/td>\n<td style=\"padding: 8px;vertical-align: top\">Dropped malicious executable<\/td>\n<td style=\"padding: 8px;vertical-align: top\">&nbsp;&#8211;<\/td>\n<td style=\"padding: 8px;vertical-align: top\">&nbsp;&#8211;<\/td>\n<td style=\"padding: 8px;vertical-align: top\"><a href=\"https:\/\/www.microsoft.com\/en-us\/wdsi\/threats\/malware-encyclopedia-description?Name=TrojanDownloader:Win32\/Dofoil.AB\">TrojanDownloader:Win32\/Dofoil.AB<\/a><\/td>\n<\/tr>\n<tr>\n<td style=\"padding: 8px;vertical-align: top\">wuauclt.exe<\/td>\n<td style=\"padding: 8px;vertical-align: top\">88eba5d205d85c39ced484a3aa7241302fd815e3<\/td>\n<td style=\"padding: 8px;vertical-align: top\">Dropped CoinMiner<\/td>\n<td style=\"padding: 8px;vertical-align: top\">&nbsp;&#8211;<\/td>\n<td style=\"padding: 8px;vertical-align: top\">&nbsp;&#8211;<\/td>\n<td style=\"padding: 8px;vertical-align: top\"><a href=\"https:\/\/www.microsoft.com\/en-us\/wdsi\/threats\/malware-encyclopedia-description?Name=Trojan:Win32\/CoinMiner.D\">Trojan:Win32\/CoinMiner.D<\/a><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p><a href=\"https:\/\/www.microsoft.com\/en-us\/windowsforbusiness\/windows-atp?ocid=cx-blog-mmpc\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-83215\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/04\/windows-defender-atp-8.png\" alt=\"\" width=\"820\" height=\"150\"><\/a><\/p>\n<hr>\n<h4><strong>Talk to us<\/strong><\/h4>\n<p>Questions, concerns, or insights on this story? Join discussions at the <a target=\"_blank\" href=\"https:\/\/answers.microsoft.com\/en-us\/protect\" rel=\"noopener\">Microsoft community<\/a> and <a target=\"_blank\" href=\"https:\/\/www.microsoft.com\/en-us\/wdsi\" rel=\"noopener\">Windows Defender Security Intelligence<\/a>.<\/p>\n<p>Follow us on Twitter <a target=\"_blank\" href=\"https:\/\/twitter.com\/WDSecurity\" rel=\"noopener\">@WDSecurity<\/a> and Facebook <a target=\"_blank\" href=\"https:\/\/www.facebook.com\/MsftWDSI\/\" rel=\"noopener\">Windows Defender Security Intelligence<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>On March 7, we reported that a massive Dofoil campaign attempted to install malicious cryptocurrency miners on hundreds of thousands of computers. Windows Defender Antivirus, with its behavior monitoring, machine learning technologies, and layered approach to security detected and blocked the attack within milliseconds.&nbsp;Windows 10 S, a special configuration of Windows 10 providing Microsoft-verified security, [&hellip;]<\/p>\n","protected":false},"author":61,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"ep_exclude_from_search":false,"_classifai_error":"","footnotes":""},"content-type":[3663],"topic":[3674,3687],"products":[],"threat-intelligence":[3727],"tags":[3750],"coauthors":[1968],"class_list":["post-80813","post","type-post","status-publish","format-standard","hentry","content-type-research","topic-incident-response","topic-threat-intelligence","threat-intelligence-attacker-techniques-tools-and-infrastructure","tag-cryptocurrency-mining"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v23.9 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Poisoned peer-to-peer app kicked off Dofoil coin miner outbreak | Microsoft Security Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/03\/13\/poisoned-peer-to-peer-app-kicked-off-dofoil-coin-miner-outbreak\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Poisoned peer-to-peer app kicked off Dofoil coin miner outbreak | Microsoft Security Blog\" \/>\n<meta property=\"og:description\" content=\"On March 7, we reported that a massive Dofoil campaign attempted to install malicious cryptocurrency miners on hundreds of thousands of computers. Windows Defender Antivirus, with its behavior monitoring, machine learning technologies, and layered approach to security detected and blocked the attack within milliseconds.&nbsp;Windows 10 S, a special configuration of Windows 10 providing Microsoft-verified security, [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/03\/13\/poisoned-peer-to-peer-app-kicked-off-dofoil-coin-miner-outbreak\/\" \/>\n<meta property=\"og:site_name\" content=\"Microsoft Security Blog\" \/>\n<meta property=\"article:published_time\" content=\"2018-03-13T22:27:06+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2023-05-16T20:53:32+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/uploads\/2018\/03\/fig1-timeline.png\" \/>\n<meta name=\"author\" content=\"Microsoft Defender Security Research Team\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Microsoft Defender Security Research Team\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"7 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/03\/13\/poisoned-peer-to-peer-app-kicked-off-dofoil-coin-miner-outbreak\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/03\/13\/poisoned-peer-to-peer-app-kicked-off-dofoil-coin-miner-outbreak\/\"},\"author\":[{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/author\/windows-defender-research\/\",\"@type\":\"Person\",\"@name\":\"Microsoft Defender Security Research Team\"}],\"headline\":\"Poisoned peer-to-peer app kicked off Dofoil coin miner outbreak\",\"datePublished\":\"2018-03-13T22:27:06+00:00\",\"dateModified\":\"2023-05-16T20:53:32+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/03\/13\/poisoned-peer-to-peer-app-kicked-off-dofoil-coin-miner-outbreak\/\"},\"wordCount\":1775,\"publisher\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/03\/13\/poisoned-peer-to-peer-app-kicked-off-dofoil-coin-miner-outbreak\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/03\/fig1-timeline.png\",\"keywords\":[\"Cryptocurrency mining\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/03\/13\/poisoned-peer-to-peer-app-kicked-off-dofoil-coin-miner-outbreak\/\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/03\/13\/poisoned-peer-to-peer-app-kicked-off-dofoil-coin-miner-outbreak\/\",\"name\":\"Poisoned peer-to-peer app kicked off Dofoil coin miner outbreak | Microsoft Security Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/03\/13\/poisoned-peer-to-peer-app-kicked-off-dofoil-coin-miner-outbreak\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/03\/13\/poisoned-peer-to-peer-app-kicked-off-dofoil-coin-miner-outbreak\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/03\/fig1-timeline.png\",\"datePublished\":\"2018-03-13T22:27:06+00:00\",\"dateModified\":\"2023-05-16T20:53:32+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/03\/13\/poisoned-peer-to-peer-app-kicked-off-dofoil-coin-miner-outbreak\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/03\/13\/poisoned-peer-to-peer-app-kicked-off-dofoil-coin-miner-outbreak\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/03\/13\/poisoned-peer-to-peer-app-kicked-off-dofoil-coin-miner-outbreak\/#primaryimage\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/03\/fig1-timeline.png\",\"contentUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/03\/fig1-timeline.png\",\"width\":969,\"height\":321},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/03\/13\/poisoned-peer-to-peer-app-kicked-off-dofoil-coin-miner-outbreak\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Poisoned peer-to-peer app kicked off Dofoil coin miner outbreak\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\",\"name\":\"Microsoft Security Blog\",\"description\":\"Expert coverage of cybersecurity topics\",\"publisher\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization\",\"name\":\"Microsoft Security Blog\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png\",\"contentUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png\",\"width\":512,\"height\":512,\"caption\":\"Microsoft Security Blog\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Poisoned peer-to-peer app kicked off Dofoil coin miner outbreak | Microsoft Security Blog","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/03\/13\/poisoned-peer-to-peer-app-kicked-off-dofoil-coin-miner-outbreak\/","og_locale":"en_US","og_type":"article","og_title":"Poisoned peer-to-peer app kicked off Dofoil coin miner outbreak | Microsoft Security Blog","og_description":"On March 7, we reported that a massive Dofoil campaign attempted to install malicious cryptocurrency miners on hundreds of thousands of computers. Windows Defender Antivirus, with its behavior monitoring, machine learning technologies, and layered approach to security detected and blocked the attack within milliseconds.&nbsp;Windows 10 S, a special configuration of Windows 10 providing Microsoft-verified security, [&hellip;]","og_url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/03\/13\/poisoned-peer-to-peer-app-kicked-off-dofoil-coin-miner-outbreak\/","og_site_name":"Microsoft Security Blog","article_published_time":"2018-03-13T22:27:06+00:00","article_modified_time":"2023-05-16T20:53:32+00:00","og_image":[{"url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/uploads\/2018\/03\/fig1-timeline.png"}],"author":"Microsoft Defender Security Research Team","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Microsoft Defender Security Research Team","Est. reading time":"7 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/03\/13\/poisoned-peer-to-peer-app-kicked-off-dofoil-coin-miner-outbreak\/#article","isPartOf":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/03\/13\/poisoned-peer-to-peer-app-kicked-off-dofoil-coin-miner-outbreak\/"},"author":[{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/author\/windows-defender-research\/","@type":"Person","@name":"Microsoft Defender Security Research Team"}],"headline":"Poisoned peer-to-peer app kicked off Dofoil coin miner outbreak","datePublished":"2018-03-13T22:27:06+00:00","dateModified":"2023-05-16T20:53:32+00:00","mainEntityOfPage":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/03\/13\/poisoned-peer-to-peer-app-kicked-off-dofoil-coin-miner-outbreak\/"},"wordCount":1775,"publisher":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization"},"image":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/03\/13\/poisoned-peer-to-peer-app-kicked-off-dofoil-coin-miner-outbreak\/#primaryimage"},"thumbnailUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/03\/fig1-timeline.png","keywords":["Cryptocurrency mining"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/03\/13\/poisoned-peer-to-peer-app-kicked-off-dofoil-coin-miner-outbreak\/","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/03\/13\/poisoned-peer-to-peer-app-kicked-off-dofoil-coin-miner-outbreak\/","name":"Poisoned peer-to-peer app kicked off Dofoil coin miner outbreak | Microsoft Security Blog","isPartOf":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/03\/13\/poisoned-peer-to-peer-app-kicked-off-dofoil-coin-miner-outbreak\/#primaryimage"},"image":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/03\/13\/poisoned-peer-to-peer-app-kicked-off-dofoil-coin-miner-outbreak\/#primaryimage"},"thumbnailUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/03\/fig1-timeline.png","datePublished":"2018-03-13T22:27:06+00:00","dateModified":"2023-05-16T20:53:32+00:00","breadcrumb":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/03\/13\/poisoned-peer-to-peer-app-kicked-off-dofoil-coin-miner-outbreak\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/03\/13\/poisoned-peer-to-peer-app-kicked-off-dofoil-coin-miner-outbreak\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/03\/13\/poisoned-peer-to-peer-app-kicked-off-dofoil-coin-miner-outbreak\/#primaryimage","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/03\/fig1-timeline.png","contentUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/03\/fig1-timeline.png","width":969,"height":321},{"@type":"BreadcrumbList","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/03\/13\/poisoned-peer-to-peer-app-kicked-off-dofoil-coin-miner-outbreak\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/"},{"@type":"ListItem","position":2,"name":"Poisoned peer-to-peer app kicked off Dofoil coin miner outbreak"}]},{"@type":"WebSite","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/","name":"Microsoft Security Blog","description":"Expert coverage of cybersecurity topics","publisher":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization","name":"Microsoft Security Blog","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png","contentUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png","width":512,"height":512,"caption":"Microsoft Security Blog"},"image":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/"}}]}},"msxcm_display_generated_audio":false,"distributor_meta":false,"distributor_terms":false,"distributor_media":false,"distributor_original_site_name":"Microsoft Security Blog","distributor_original_site_url":"https:\/\/www.microsoft.com\/en-us\/security\/blog","push-errors":false,"_links":{"self":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/posts\/80813"}],"collection":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/users\/61"}],"replies":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/comments?post=80813"}],"version-history":[{"count":0,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/posts\/80813\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/media?parent=80813"}],"wp:term":[{"taxonomy":"content-type","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/content-type?post=80813"},{"taxonomy":"topic","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/topic?post=80813"},{"taxonomy":"products","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/products?post=80813"},{"taxonomy":"threat-intelligence","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/threat-intelligence?post=80813"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/tags?post=80813"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/coauthors?post=80813"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}