Last week’s Dofoil outbreak was a rapid (just a few hours) attempt to infect hundreds of thousands of Windows PCs. Microsoft has now confirmed the attack came from an update server. The server replaced MediaGet, a BitTorrent client, with a binary that seemed identical.
Microsoft calls the attack ‘MediaGet Update Poisoning’ and says the attempt mostly affected machines in Turkey, Ukraine, and Russia. The failed attack attempted to spread a cryptocurrency miner, confirmed the Windows Defender team.
“This process is related to MediaGet, a BitTorrent client that we classify as a potentially unwanted application (PUA). MediaGet is often used by people looking to download programs or media from websites with a dubious reputation. Downloading through peer-to-peer file-sharing apps like this can increase the risk of downloading malware.”
Microsoft focused on the Dofoil attack because it could easily have grown into a large-scale ransomware attack. Microsoft describes Dofoil as a “carefully planned attack” that included creating and distributing an infected mimic of MediaGet.
MediaGet’s update server delivered a signed update.exe, which replaced mediaget.exe with an unsigned binary. The update.exe was signed by a third-party company, but Microsoft believes this company was also a victim.
That’s because the trojanized mediaget.exe matched the normal signed executable with 98 percent similarity.
“The update poisoning campaign that eventually led to the outbreak is described in the following diagram. A signed mediaget.exe downloads an update.exe program and runs it on the machine to install a new mediaget.exe. The new mediaget.exe program has the same functionality as the original but with additional backdoor capability.”
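An added detection example, not from Microsoft’s write-up or this article: over constructed Sysmon-style telemetry it flags the chain quoted above, a signed process running an updater that overwrites the parent’s own image with a file that is unsigned or carries a different signer. The event fields, paths and signer names are assumptions chosen for the example.

```python
from dataclasses import dataclass

@dataclass
class Event:
    """One telemetry record (constructed format, loosely Sysmon-like)."""
    kind: str            # "process" (process create) or "filewrite"
    pid: int             # process id of the created / writing process
    ppid: int            # parent process id
    image: str           # image path of that process
    signed: bool         # process: image signed?  filewrite: written file signed?
    signer: str = ""     # signer subject, empty when unsigned
    target: str = ""     # filewrite only: path that was written

def find_poisoned_updates(events):
    """Return (updater_image, overwritten_path) for each chain where a signed
    process runs a child that overwrites the parent's own image with a file
    that is unsigned or carries a different signer than the parent."""
    procs = {e.pid: e for e in events if e.kind == "process"}
    hits = []
    for ev in events:
        if ev.kind != "filewrite":
            continue
        writer = procs.get(ev.pid)
        parent = procs.get(writer.ppid) if writer else None
        if writer is None or parent is None or not parent.signed:
            continue
        overwrites_parent = ev.target.lower() == parent.image.lower()
        trust_changed = (not ev.signed) or ev.signer != parent.signer
        if overwrites_parent and trust_changed:
            hits.append((writer.image, ev.target))
    return hits

# Constructed sample telemetry; paths and signer names are placeholders.
MG = r"C:\Program Files\MediaGet\mediaget.exe"
UPD = r"C:\Users\u\AppData\Local\Temp\update.exe"
OTHER = r"C:\Program Files\OtherApp\other.exe"
SAMPLE = [
    # poisoned chain: signed mediaget.exe -> third-party-signed update.exe -> unsigned mediaget.exe
    Event("process", 100, 1, MG, True, "MediaGet Vendor (placeholder)"),
    Event("process", 200, 100, UPD, True, "Third-Party Co (placeholder)"),
    Event("filewrite", 200, 100, UPD, False, "", MG),
    # benign chain: the same vendor's signed updater writes a signed replacement
    Event("process", 300, 1, OTHER, True, "Other Vendor (placeholder)"),
    Event("process", 400, 300, r"C:\Temp\other_update.exe", True, "Other Vendor (placeholder)"),
    Event("filewrite", 400, 300, r"C:\Temp\other_update.exe", True, "Other Vendor (placeholder)", OTHER),
]

if __name__ == "__main__":
    for updater, path in find_poisoned_updates(SAMPLE):
        print(f"suspicious update: {updater} replaced {path} with an untrusted binary")
```

The benign chain is included to show the rule stays quiet when the replacement keeps the parent’s signer; in practice the `signed` and `signer` fields would come from Authenticode checks on the written file.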
Microsoft points out that the effort invested in this attack shows it was a serious operation. The attackers must have put a lot of work into preparing the infection and used advanced knowledge.