Hacked BitTorrent client MediaGet infected 400k PCs with crypto-mining malware

400,000 PC users infected with Dofoil crypto-mining malware via corrupted BitTorrent client MediaGet

Over 400,000 of PCs located in Russia, Turkey, and Ukraine were infected with Dofoil,^[1] also known as Smoke Loader, cryptocurrency miner malware. Windows Defender Antivirus (AV) research department caught a massive outbreak of Dofoil malware variants, which managed to attack nearly half of a million BitTorrent users within less than 12 hours.

Researchers detected a new digital currency mining campaign being held via Russian-based BitTorrent client known as MediaGet. Hackers attacked the MediaGet update mechanism and managed to release its trojanized version infected with Dofoil malware.

Once installed, the latter executes a mediaget.exe and update.exe processes and communicates with the command-and-control (C&C) servers to download CoinMiner malware.^[2] The latter uses CPU and GPU resources of the infected PCs to mine Electroneum digital coins.

Current BitTorrent malware outbreak resemble CCleaner hack revealed in 2017

400,000 PC infected with Dofoil malware within 12 hours. The company expressed concern on how the trojanized MediaGet (mediaget.exe) version managed to evade AV detection. Microsoft did not expatiate on the issue during the period of investigation.

However, the in-depth analysis revealed that the media payload is not dropped directly. The cyber felony has been initiated via the original mediaget.exe signed by various certificates. That’s the reason why it managed to evade detection. However, the trojanized file unpacks itself by default once installed and starts running a trojanized mediaget.exe and update.exe files. Neither of them contains a digital signature. As explained by Microsoft,^[3]

This process is related to MediaGet, a BitTorrent client that we classify as a potentially unwanted application (PUA). MediaGet is often used by people looking to download programs or media from websites with the dubious reputation. Downloading through peer-to-peer file-sharing apps like this can increase the risk of downloading malware.

CCleaner hack initiated last year has been carried out in the same manner. Cybercrooks hacked a legitimate CCleaner’s update and infected it with malware. Once downloaded, the update replaces the legitimate file with corrupted CBkdr.dll variant, which downloads a Floxif virus. Following such scheme, hackers managed to attack more than 2 millions of PC users.

Dofoil malware can render PCs useless

The Trojanized mediaget.exe process features the same functions as the original. However, it contains an InnoSetup SFX opens a backdoor to malware and downloads Electroneum CoinMiner.^[4]

Compromised MediaGet binary carrying CoinMiner payload exhibits a high danger level. Unlike CCleaner hack, BitTorrent client malware cannot spy on its users. However, the digital currency miner can render user’s PC useless. The miner can steal CPU from user’s PCs. In some of the cases, the usage can exceed 50 percent and jump to 100% CPU usage. Consequently, victims can experience system’s sluggishness, unresponsiveness or complete crash.

Is it safe to download BitTorrent MediaGet update?

Microsoft responded immediately and updated Microsoft’s Windows Defender to recognize the trojanized MediaGet update. For now on, Windows Defender detects this malware as Trojan:Win32/Modimer.A and is capable of blocking it right away.

Other AV engines are not capable of protecting PCs from BitTorrent malware. However, those who are running Windows Defender or Microsoft Security Essentials on Windows 7, 8.1, and 10 should update security definitions and feel free to download BitTorrent Client update if needed.