One of the more significant supply-chain attacks to come to light was the tampering of the update process for M.E.Doc, a tax-accounting application that's widely used in Ukraine. The compromised update seeded the NotPetya wiper worm, which shut down computers all over the world last July.
Last week, Microsoft researchers reported that the company's Windows Defender antivirus blocked more than 400,000 attempts by several advanced trojans to infect computers, primarily located in Russia, Turkey, and Ukraine. The trojans were new variants of the Dofoil malware, which also goes by the name Smoke Loader. (Smoke Loader, by the way, is the name of the malware that AV provider Kaspersky Lab said infected a poorly secured computer in Maryland when it sent highly sensitive National Security Agency secrets to Kaspersky's Moscow headquarters.) The Dofoil trojans Microsoft analyzed caused infected computers to install a program called CoinMiner, which tried to use the infected computers' resources to mine cryptocurrencies for the attackers.
Dofoil is most often spread through spam e-mail and exploit kits. On Tuesday, Microsoft researchers said the massive barrage of trojans came from a different source: a poisoned update from Mediaget. The update poisoning happened some time between February 12 and February 19. The attackers waited until March 1 to begin distributing the malware, and it wasn't until March 6 that Microsoft began to detect it.