Proprietary · 2018-02-15 · 20 days · Cryptojacking, Backdoor

MediaGet update delivered Dofoil cryptominer

MediaGet's update flow installed a trojanized client before the Dofoil outbreak. Microsoft tied the poisoned updater to hundreds of thousands of coin-miner attempts.

Story

Microsoft traced a large Dofoil coin-mining outbreak back to MediaGet. The first signal was process lineage: the malicious files were written by mediaget.exe, not by torrent downloads or other file-sharing clients.

The update path was poisoned before the outbreak. A signed MediaGet client downloaded update.exe, an InnoSetup SFX package signed by an unrelated third-party certificate. That package dropped an unsigned mediaget.exe with the same visible behavior as the real client and an added backdoor.

The backdoor collected system data, contacted command-and-control servers over HTTP, and handled a RUN command that downloaded payloads as %TEMP%\my.dat. Microsoft reported that this path delivered Dofoil starting on 2018-03-01 and fed the larger 2018-03-06 miner wave.

Defender blocked much of the outbreak quickly, but the supply-chain lesson was simpler than the malware. A trusted updater installed a client that was 98 percent similar to the original, close enough to work, different enough to mine.
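The chain above has three signals a defender can check per audit event: the genuine signed client writes an update package signed by a different publisher, that package writes a file carrying the client's name without the client's signature, and a process carrying the client's name then runs unsigned. The following is an added example, not MediaGet's, Microsoft's or this record's own code. The pipe-separated audit schema, the event lines and every publisher string are constructed for illustration; the record does not name the real signer, so "MediaGet Publisher (placeholder)" stands in for it.

```python
"""
Added example for this record (not MediaGet's, Microsoft's or the corpus's
own code): per-event checks for the update-chain pattern the story describes.
The audit lines, the pipe-separated field layout and every signer name below
are constructed; the record does not name the real publishers.
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass

# Publisher expected to sign a given client binary. The value is a constructed
# placeholder; a deployment would use the vendor's code-signing certificate subject.
EXPECTED_SIGNER = {"mediaget.exe": "MediaGet Publisher (placeholder)"}
UNSIGNED = "-"  # marker the constructed log uses for a file with no signature


@dataclass
class Event:
    ts: str
    kind: str           # "FileCreate" or "ProcessCreate"
    image: str          # process writing the file, or the parent process
    image_signer: str   # signer of `image`, or UNSIGNED
    target: str         # file written, or child image for ProcessCreate
    target_signer: str  # signer of `target`, or UNSIGNED


def parse_line(line: str) -> Event:
    """Parse one pipe-separated audit line (constructed schema, six fields)."""
    fields = line.strip().split("|")
    if len(fields) != 6:
        raise ValueError(f"expected 6 fields, got {len(fields)}: {line!r}")
    return Event(*fields)


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def check_event(ev: Event) -> list[str]:
    """Return the findings this single event raises (empty list if none)."""
    findings: list[str] = []
    expected_img = EXPECTED_SIGNER.get(basename(ev.image))
    expected_tgt = EXPECTED_SIGNER.get(basename(ev.target))

    # Rule 1: a process carrying the trusted client's name runs without the
    # expected signature (the unsigned mediaget.exe the package dropped).
    if expected_img and ev.image_signer != expected_img:
        findings.append(f"{basename(ev.image)} running with signer "
                        f"{ev.image_signer!r}, expected {expected_img!r}")

    # Rule 2: a file carrying the trusted client's name is written without
    # the expected signature (an installer replacing the genuine client).
    if ev.kind == "FileCreate" and expected_tgt and ev.target_signer != expected_tgt:
        findings.append(f"{basename(ev.target)} written by {basename(ev.image)} "
                        f"with signer {ev.target_signer!r}, expected {expected_tgt!r}")

    # Rule 3: the genuine, correctly signed client writes an executable that a
    # different publisher signed (update.exe under an unrelated certificate).
    if (ev.kind == "FileCreate" and expected_img and ev.image_signer == expected_img
            and ev.target.lower().endswith(".exe") and ev.target_signer != expected_img):
        findings.append(f"{basename(ev.image)} fetched {basename(ev.target)} "
                        f"signed by {ev.target_signer!r}, not {expected_img!r}")
    return findings


def scan(lines) -> list[tuple[str, str]]:
    """Run check_event over every line; return (timestamp, finding) pairs."""
    out: list[tuple[str, str]] = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        out.extend((ev.ts, f) for f in check_event(ev))
    return out


# Constructed audit lines replaying the chain in the story: the signed client
# fetches a package signed elsewhere, the package drops an unsigned client, the
# unsigned client writes %TEMP%\my.dat. The last line is benign activity for contrast.
SAMPLE_LOG = [
    r"2018-03-01T10:00:00|FileCreate|C:\Program Files\MediaGet\mediaget.exe|MediaGet Publisher (placeholder)|C:\Users\u\AppData\Local\Temp\update.exe|Unrelated Publisher (placeholder)",
    r"2018-03-01T10:00:05|ProcessCreate|C:\Program Files\MediaGet\mediaget.exe|MediaGet Publisher (placeholder)|C:\Users\u\AppData\Local\Temp\update.exe|Unrelated Publisher (placeholder)",
    r"2018-03-01T10:00:09|FileCreate|C:\Users\u\AppData\Local\Temp\update.exe|Unrelated Publisher (placeholder)|C:\Program Files\MediaGet\mediaget.exe|-",
    r"2018-03-01T10:02:00|FileCreate|C:\Program Files\MediaGet\mediaget.exe|-|C:\Users\u\AppData\Local\Temp\my.dat|-",
    r"2018-03-01T10:03:00|ProcessCreate|C:\Windows\explorer.exe|Microsoft Windows|C:\Windows\System32\notepad.exe|Microsoft Windows",
]

if __name__ == "__main__":
    for ts, finding in scan(SAMPLE_LOG):
        print(ts, finding)
```

Run as a script, the three malicious lines each raise one finding (package signed by another publisher, client replaced unsigned, unsigned client executing) and the benign explorer.exe line raises none. The rules key on the binary's expected publisher rather than on a hash, which is what catches a 98 percent similar drop-in that a hash allowlist would simply miss.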

Affected Artifacts

mediaget.exe

mediaget updater · mediaget.com · Binary Archive
Observed
2018-02-15 to 2018-03-07
Compromised Versions
Unknown
Fixed
Not listed
Hashes
  • sha1:3e0ccd9fa0a5c40c2abb40ed6730556e3d36af3c
Evidence
file: update.exe, file: mediaget.exe, file: my.dat, file: wuauclt.exe, +7 more

Incident Context

Motive
Cryptojacking
Attribution
Group
Cause
Update Infrastructure Compromise
Transitive
No
Actor
Cybercriminal
User Impact
400000

External References

Source record: proprietary/mediaget/meta.yaml