MediaGet P2P client update channel delivered Dofoil cryptominer
MediaGet's official update flow was compromised in March 2018: the signed updater was replaced with a functionally similar trojanized binary. The dropper was signed with a stolen DEVELTEC certificate and delivered the Dofoil/Smoke Loader cryptominer at scale, with more than 400,000 infections in 12 hours, process hollowing into explorer.exe, and Namecoin-based C2.
- Date: 2018-02-15 to 2018-03-07
- Category: Commercial
- Target Surface: Distribution
- Insertion Phase: distribution
- Impact: Cryptojacking
- Cause: Update infrastructure compromise
What Was Affected
- Package: mediaget
- Language: c++
- Component: Application
- Artifact type: binary archive
- Domain type: vendor
- Domain: mediaget.com
Incident Context
- Motive: Cryptojacking
- Attribution: Cybercriminal
- Transitive: No
- User Impact: 400000
- Observed Duration: 20 days
Indicators and Changes
Hashes
- sha1:3e0ccd9fa0a5c40c2abb40ed6730556e3d36af3c
External References
- microsoft.com/en-us/security/blog/2018/03/13/poisoned-peer-to-peer-app-kicked-off-dofoil-coin-miner-outbreak
- microsoft.com/en-us/security/blog/2018/03/07/behavior-monitoring-combined-with-machine-learning-spoils-a-massive-dofoil-coin-mining-campaign
- bleepingcomputer.com/news/security/microsoft-mediaget-update-server-poisoned-to-spread-dofoil-trojan
Source Data
Source record: proprietary/mediaget/meta.yaml