HomeWinBuzzer NewsMicrosoft: Windows Dufoil Attack Came From Infected BitTorrent Client

Microsoft: Windows Dufoil Attack Came From Infected BitTorrent Client

Last week’s Dufoil Windows attack attempt happened through a trojanized .exe file replacing a BitTorrent client file almost exactly.


Last week's Dufoil outbreak was a rapid (just a few hours) attempt to infect hundreds of thousands of Windows PCs. has now confirmed the attack came from an update server. The server replaced MediaGet, a BitTorrent client, with a binary that seemed identical.

Microsoft calls the attack ‘MediaGet Update Poisoning' and says the attempt mostly affected machines in Turkey, Ukraine, and . The failed attack attempted to spread a cryptocurrency miner, confirmed the team.

“This process is related to MediaGet, a BitTorrent client that we classify as potentially unwanted application (PUA). MediaGet is often used by people looking to download programs or media from websites with dubious reputation. Downloading through peer-to-peer file-sharing apps like this can increase the risk of downloading malware.”

The Dufoil attack was targeted by Microsoft because it could have easily spread into a high-scale ransomware attack. Microsoft describes Dufoil as a “carefully planned attack” that included creating and distributing an infected mimic of MediaGet.

MediaGet's update server included a signed update.exe which replacement mediate.exe that is unsigned. This unsigned infected file came from a third-party company that signed the update.exe, but Microsoft believes this company was also a victim.

Trojan Infection

That's because the Trojan infected mediate.exe matched the normal signed exe to 98 percent accuracy.

“The update poisoning campaign that eventually led to the outbreak is described in the following diagram. A signed mediaget.exe downloads an update.exe program and runs it on the machine to install a new mediaget.exe. The new mediaget.exe program has the same functionality as the original but with additional backdoor capability.”

Microsoft points out the effort put into this attack shows it was a major attempt. The attackers must have put a lot of work into preparing for the infection and used advanced knowledge.

Luke Jones
Luke Jones
Luke has been writing about all things tech for more than five years. He is following Microsoft closely to bring you the latest news about Windows, Office, Azure, Skype, HoloLens and all the rest of their products.

Recent News