The malware, known as Smoke Loader (Microsoft tracks it as Dofoil), injected a cryptocurrency miner as its payload on infected Windows computers; the miner was used to mine Electroneum coins.
It was detected on 6 March 2018 by Windows Defender Antivirus, which blocked more than 80,000 instances of several variants of the Dofoil family on infected computers within the first hours of the outbreak.
The target countries of this malware attack were Russia, Ukraine, and Turkey.
According to the researchers, the Dofoil trojan uses process hollowing, a form of code injection: it starts a new instance of a legitimate process (explorer.exe) and then replaces that process's code in memory with its own malicious code. The malware therefore runs under a trusted process name and image path, which allowed it to evade monitoring tools and antivirus programs.
“The hollowed explorer.exe process creates a copy of the original malware in the Roaming AppData folder and renames it to ditereah.exe,” the researchers say. “It then creates a registry key or modifies an existing one to point to the newly created malware copy. In the sample we analyzed, the malware modified the OneDrive Run key.”
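The two traces described above (an explorer.exe that was not started by the normal logon chain, and a Run value whose label no longer matches the binary it launches from Roaming AppData) can be hunted for offline once a registry export and a process snapshot have been collected. The script below is an added example, not Microsoft's code or part of the original report; the `.reg` export text and the process list are constructed to mirror the behaviour the researchers describe, and the value-name-versus-command-line mismatch check is a heuristic assumed here, not something the report states.

```python
"""Hunt for Dofoil-style Run-key persistence and process-hollowing traces.

Added example (not from the original report). Both inputs are constructed
in-line so the script runs offline; replace them with a real `reg export`
of the Run key and a real process snapshot when hunting on a host.
"""
from __future__ import annotations

import re
from pathlib import PureWindowsPath

# Constructed `reg export` of HKCU\...\Run: the "OneDrive" value has been
# re-pointed at the renamed malware copy, as in the analysed sample.
RUN_KEY_EXPORT = r'''
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Roaming\\ditereah.exe\""
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"Discord"="C:\\Users\\alice\\AppData\\Local\\Discord\\Update.exe --processStart Discord.exe"
'''

# Constructed process snapshot: (pid, ppid, name, image path). The real
# explorer.exe shell has an exited parent (userinit.exe); the hollowed
# instance was spawned by the dropper, which is the assumed file name here.
PROCESSES = [
    (612, 560, "winlogon.exe", r"C:\Windows\System32\winlogon.exe"),
    (2104, 2060, "explorer.exe", r"C:\Windows\explorer.exe"),
    (3320, 2104, "dofoil_sample.exe", r"C:\Users\alice\Downloads\dofoil_sample.exe"),
    (3388, 3320, "explorer.exe", r"C:\Windows\explorer.exe"),
]

# Processes that legitimately start the shell; a parent that has already
# exited (not in the snapshot) is also treated as normal.
EXPECTED_EXPLORER_PARENTS = {"userinit.exe", "winlogon.exe"}

REG_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')


def unescape_reg(data: str) -> str:
    """Undo the backslash escaping `reg export` applies to REG_SZ data."""
    return re.sub(r"\\(.)", r"\1", data)


def parse_run_key(export: str) -> dict[str, str]:
    """Return {value name: command line} for every REG_SZ value in the export."""
    entries: dict[str, str] = {}
    for line in export.splitlines():
        m = REG_VALUE_RE.match(line.strip())
        if m:
            entries[m["name"]] = unescape_reg(m["data"])
    return entries


def image_path(command: str) -> str:
    """First token of a Run command: the quoted path, or text up to the first space."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def assess_run_entry(name: str, command: str) -> list[str]:
    """Reasons a Run value looks like the persistence described in the report."""
    reasons = []
    path = image_path(command)
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    if "appdata" in parts and "roaming" in parts and path.lower().endswith(".exe"):
        reasons.append("executable launched directly from Roaming AppData")
    # Heuristic (assumed, not from the report): a legitimate "OneDrive" value
    # launches something with "onedrive" in its command line.
    label = re.sub(r"[^a-z0-9]", "", name.lower())
    if label and label not in re.sub(r"[^a-z0-9]", "", command.lower()):
        reasons.append(f"value name {name!r} does not match its command line")
    return reasons


def suspicious_explorers(processes) -> list[int]:
    """PIDs of explorer.exe instances with a wrong image path or an unexpected parent.

    A hollowed explorer.exe keeps the genuine image path, so the image check
    alone would miss it; the parent check is what catches the sample above.
    """
    by_pid = {p[0]: p for p in processes}
    flagged = []
    for pid, ppid, name, image in processes:
        if name.lower() != "explorer.exe":
            continue
        if image.lower() != r"c:\windows\explorer.exe":
            flagged.append(pid)
            continue
        parent = by_pid.get(ppid)
        if parent is not None and parent[2].lower() not in EXPECTED_EXPLORER_PARENTS:
            flagged.append(pid)
    return flagged


if __name__ == "__main__":
    for value_name, cmd in parse_run_key(RUN_KEY_EXPORT).items():
        for reason in assess_run_entry(value_name, cmd):
            print(f"Run\\{value_name}: {reason}")
    for pid in suspicious_explorers(PROCESSES):
        print(f"explorer.exe pid {pid}: unexpected parent or image path")
```

On the constructed data only the re-pointed OneDrive value and the explorer.exe spawned by the dropper are reported; the Discord updater, which also lives under AppData but in Local and still matches its label, is left alone, which is the false-positive case the label check is there to handle.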