Last week’s Dofoil outbreak was a rapid attempt, lasting just a few hours, to infect hundreds of thousands of Windows PCs. Microsoft has now confirmed the attack came through an update server: the update it served replaced MediaGet, a BitTorrent client, with a binary that looked identical to the legitimate one.

Microsoft calls the attack ‘MediaGet Update Poisoning’ and says it mostly affected machines in Turkey, Ukraine, and Russia. The attack, which largely failed, was meant to spread a cryptocurrency miner, the Windows Defender team confirmed.

“This process is related to MediaGet, a BitTorrent client that we classify as a potentially unwanted application (PUA). MediaGet is often used by people looking to download programs or media from websites with dubious reputation. Downloading through peer-to-peer file-sharing apps like this can increase the risk of downloading malware.”

Microsoft paid close attention to the Dofoil attack because the same delivery mechanism could just as easily have carried a large-scale ransomware payload instead of a miner. Microsoft describes Dofoil as a “carefully planned attack” that included creating and distributing an infected mimic of MediaGet.

The chain ran through MediaGet’s own update mechanism: the legitimately signed mediaget.exe fetched an update.exe from the update server, and that update.exe installed a replacement mediaget.exe which was unsigned. The update.exe itself carried a valid signature, but from an unrelated third-party software company; Microsoft believes that company was also a victim rather than a participant in the attack.

Trojan Infection

The swap was hard to spot because the trojanized mediaget.exe matched the legitimate signed executable to about 98 percent: same functionality and same appearance, with the malicious additions bolted on.

“The update poisoning campaign that eventually led to the outbreak is described in the following diagram. A signed mediaget.exe downloads an update.exe program and runs it on the machine to install a new mediaget.exe. The new mediaget.exe program has the same functionality as the original but with additional backdoor capability.”
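The chain Microsoft describes has a simple fingerprint on disk: a product that ships signed code ends up with an unsigned main binary, delivered by an updater whose signature is valid but comes from a publisher other than the vendor. The script below is an added example, written for this article and not taken from Microsoft’s write-up or from MediaGet, that audits an install directory for exactly those two conditions plus in-place tampering. The install path and the expected signer name are assumptions for illustration; replace them with values taken from a known-good install.

```powershell
# Added example: audit a product directory for executables whose Authenticode
# state does not match what a trusted updater should leave behind.
# $InstallDir and $ExpectedSignerPattern are assumed values, not MediaGet's
# real path or certificate subject.
param(
    [string]$InstallDir = "$env:LOCALAPPDATA\MediaGet2",   # assumed install path
    [string]$ExpectedSignerPattern = "CN=MediaGet"         # assumed subject fragment
)

function Test-UpdateChainSignatures {
    param([string]$Dir, [string]$SignerPattern)

    $findings = @()
    Get-ChildItem -Path $Dir -Recurse -Include *.exe, *.dll -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig     = Get-AuthenticodeSignature -FilePath $_.FullName
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { "" }
        $hash    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash

        # Three conditions correspond to the poisoned update chain:
        #  1. an unsigned binary where a signed one used to be (the dropped mediaget.exe)
        #  2. a valid signature from an unexpected publisher (the third-party-signed update.exe)
        #  3. a signature that no longer matches the file contents (patched in place)
        $reason = $null
        if ($sig.Status -eq 'NotSigned') {
            $reason = 'unsigned binary in a product that ships signed code'
        } elseif ($sig.Status -eq 'HashMismatch') {
            $reason = 'signature does not match file contents'
        } elseif ($sig.Status -ne 'Valid') {
            $reason = "signature status $($sig.Status)"
        } elseif ($subject -notlike "*$SignerPattern*") {
            $reason = "valid signature but unexpected signer: $subject"
        }

        if ($reason) {
            $findings += [pscustomobject]@{
                Path   = $_.FullName
                Status = $sig.Status
                Signer = $subject
                SHA256 = $hash
                Reason = $reason
            }
        }
    }
    return $findings
}

$results = Test-UpdateChainSignatures -Dir $InstallDir -SignerPattern $ExpectedSignerPattern
if (@($results).Count -eq 0) {
    Write-Output "No signature anomalies under $InstallDir"
} else {
    $results | Format-Table -AutoSize
}
```

The signer comparison is the part that matters for this incident: update.exe would pass a status-only check because its signature was genuinely valid, so the audit has to compare the signer identity against the vendor’s own certificate (a subject pattern here; a pinned thumbprint is stricter). This is a detective control for responders; the preventive fix sits with the vendor, whose updater should refuse to install any binary not signed by its own publisher certificate.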

Microsoft points out that the effort involved marks this as a serious, well-resourced operation: building a trojanized client that mirrors the real one almost byte for byte and seeding it through the legitimate update channel takes considerable preparation and detailed knowledge of the target software.