A Microsoft blog post published on March 7, 2018 reports that Windows Defender Antivirus blocked more than 400,000 attempts to infect users with cryptocurrency mining malware over a span of about 15 hours.
According to Windows Defender telemetry, on March 6, 2018 the antivirus began detecting sophisticated trojans, new variants of the Dofoil malware family, that were attempting to install cryptocurrency mining software using advanced code injection techniques, persistence mechanisms, and evasion methods.
Roughly three-quarters (73%) of these detections originated in Russia, 18% in Turkey, and 4% in Ukraine.
Dofoil uses a code injection procedure that runs the coin miner disguised as a legitimate Windows binary, but Windows Defender Antivirus was still able to flag the injected process as a threat: a binary with the name of a legitimate Windows component was executing from the wrong location on disk and generating network traffic, a combination that does not occur for the genuine binary.
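The detection logic described above, namely flagging a process whose image name matches a Windows system binary but whose directory is not the binary's expected install location, escalated when that process is also talking to the network, can be written down as a simple rule. The following is an added example written for this page, not Microsoft's own detection code, and it runs over constructed process records rather than live telemetry. The table of expected directories and the sample process list are assumptions made for illustration; the binary names are chosen only because they are well-known Windows components.

```python
"""Flag processes that masquerade as Windows system binaries (added example)."""
import ntpath
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

# Expected install directories per image name, lower-cased. This mapping is an
# assumption for illustration; a real deployment would derive it from a golden
# image or a software inventory rather than a hand-written table.
EXPECTED_DIRS = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "explorer.exe": {r"c:\windows"},
    "wuauclt.exe": {r"c:\windows\system32"},
}


@dataclass
class ProcessRecord:
    """One process as a security product would see it (constructed, not real)."""
    pid: int
    image_path: str
    remote_endpoints: list = field(default_factory=list)  # (ip, port) tuples


def normalize_image_path(image_path: str) -> PureWindowsPath:
    """Canonicalise a Windows path so tricks like '..' or '\\?\' do not hide it."""
    path = image_path
    if path.startswith("\\\\?\\"):          # strip the extended-length prefix
        path = path[4:]
    path = ntpath.normpath(path)            # collapses '..', '.', mixed slashes
    return PureWindowsPath(path.lower())


def path_is_expected(image_path: str):
    """True/False for tracked system binaries, None for names we do not track."""
    p = normalize_image_path(image_path)
    dirs = EXPECTED_DIRS.get(p.name)
    if dirs is None:
        return None
    return str(p.parent) in dirs


def classify(rec: ProcessRecord):
    """Return 'ok', 'medium', 'high', or None when the image name is not tracked.

    Wrong location alone is suspicious ('medium'). Wrong location plus network
    activity is the pattern the article describes for Dofoil ('high').
    """
    ok = path_is_expected(rec.image_path)
    if ok is None:
        return None
    if ok:
        return "ok"
    return "high" if rec.remote_endpoints else "medium"


def find_masquerading(records):
    """Return (pid, image_path, severity) for every flagged record."""
    hits = []
    for rec in records:
        severity = classify(rec)
        if severity in ("medium", "high"):
            hits.append((rec.pid, rec.image_path, severity))
    return hits


# Constructed sample telemetry. Endpoints are RFC 5737 documentation addresses.
SAMPLE_PROCESSES = [
    ProcessRecord(1, r"C:\Windows\System32\svchost.exe", [("192.0.2.10", 443)]),
    ProcessRecord(2, r"C:\Users\bob\AppData\Roaming\svchost.exe", [("203.0.113.5", 3333)]),
    ProcessRecord(3, r"C:\Windows\Temp\explorer.exe"),
    ProcessRecord(4, r"C:\Program Files\Vendor\vendor.exe", [("198.51.100.7", 80)]),
    ProcessRecord(5, r"C:\Windows\System32\..\Temp\wuauclt.exe", [("203.0.113.9", 3333)]),
    ProcessRecord(6, r"\\?\C:\WINDOWS\SYSTEM32\WUAUCLT.EXE"),
]

if __name__ == "__main__":
    for pid, path, severity in find_masquerading(SAMPLE_PROCESSES):
        print(f"pid {pid}: {path} [{severity}]")
```

The rule deliberately scores an untracked image name as neither good nor bad: a miner that uses a random file name is invisible to this check and needs a different signal (CPU usage, mining-pool traffic, process hollowing indicators). Path canonicalisation matters because a naive string comparison would accept a path such as C:\Windows\System32\..\Temp\wuauclt.exe as living under System32.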
Microsoft describes Dofoil as the latest malware family to incorporate coin miners into its attacks. The miner used the NiceHash cloud mining marketplace, which supports a variety of cryptocurrencies, and Microsoft states that the trojan samples it analyzed mined Electroneum coins.
More than 55% of businesses worldwide are reported to have been affected by cryptojacking since the start of 2018, which underlines how widespread the practice has recently become.
In February 2018, a crypto mining script was inserted into a third-party web accessibility tool that helps blind and partially-sighted people go online, causing more than 5,000 websites that loaded it to run the miner in visitors' browsers. During the same month, malware mining Monero was found to have infected around 7,000 Android devices, mainly in China and South Korea.