The security experts at Microsoft analyzed a new strain of cryptocurrency miner named as Dexphot which was active since at least October 2018. This malware misuses the resources of the infected machine to mine cryptocurrency and it has already infected 80,000 computers worldwide.
The number of infections was at its highest in June and the number of daily infected systems is now slowly going down. Doxphot stands out for its evasion techniques and its level of sophistication.
According to the analysis report published by Microsoft, the Dexphot attack used a variety of sophisticated methods to evade security solutions. The installation processes are hidden by layers of obfuscation, encryption, and the use of randomized file names.
Dexphot uses fileless techniques to run malicious code directly in memory, leaving only a few traces that can be used for forensics. It hijacked legitimate system processes to disguise malicious activity. If not stopped, Dexphot ultimately ran a cryptocurrency miner on the device, with monitoring services and scheduled tasks triggering re-infection when defenders attempt to remove the malware.
It was found that Dexphot was inserted on systems that were previously infected with the SoftwareBundler:Win32/ICLoader and its variants. The installer uses two URLs to download malicious payloads, the same two URLs are used by Dexphot to establish persistence, update the malware, and re-infect the device.
The installer downloads an MSI package from one of URLs, then it executes the msiexec.exe to silently install the malware. The malicious code employs multiple living-off-the-land techniques (LOLbins), to avoid detection by abusing legitimate Windows processes (i.e. msiexec.exe, unzip.exe, rundll32.exe, schtasks.exe, and powershell.exe) to perform malicious operations.
Dexphot uses polymorphism and encryption to avoid detection which indicates that it constantly changes its identifiable features.
Polymorphic techniques include frequently changing identifiable characteristics like file names and types, encryption keys and other artifacts.
It was also noticed that Dexphot operators attempted to deploy files that changed every 20-30 minutes on thousands of devices.
Dexphot author implemented effective persistence mechanisms that would allow them to re-infect systems that were not completely cleaned.
The malware uses the process hollowing technique to launches the legitimate processes svchost.exe and nslookup.exe and uses them to execute a sort of monitoring component that checks that all the malware components are correctly running and restart them if needed.
The malware also uses scheduled tasks to achieve persistence.
To conclude, Dexphot is a malware campaigns that is active at any given time and its main aim is to install a coin miner that silently steals computer resources and generates revenue for the attackers.