Microsoft warns of Dexphot crypto mining malware


The security experts at Microsoft analyzed a new strain of cryptocurrency miner named as Dexphot which was active since at least October 2018. This malware misuses the resources of the infected machine to mine cryptocurrency and it has already infected 80,000 computers worldwide.

The number of infections was at its highest in June and the number of daily infected systems is now slowly going down. Doxphot stands out for its evasion techniques and its level of sophistication.

According to the analysis report published by Microsoft, the Dexphot attack used a variety of sophisticated methods to evade security solutions. The installation processes are hidden by layers of obfuscation, encryption, and the use of randomized file names.

Dexphot uses fileless techniques to run malicious code directly in memory, leaving only a few traces that can be used for forensics. It hijacked legitimate system processes to disguise malicious activity. If not stopped, Dexphot ultimately ran a cryptocurrency miner on the device, with monitoring services and scheduled tasks triggering re-infection when defenders attempt to remove the malware.

It was found that Dexphot was inserted on systems that were previously infected with the SoftwareBundler:Win32/ICLoader and its variants. The installer uses two URLs to download malicious payloads, the same two URLs are used by Dexphot to establish persistence, update the malware, and re-infect the device.

The installer downloads an MSI package from one of URLs, then it executes the msiexec.exe to silently install the malware. The malicious code employs multiple living-off-the-land techniques (LOLbins), to avoid detection by abusing legitimate Windows processes (i.e. msiexec.exe, unzip.exe, rundll32.exe, schtasks.exe, and powershell.exe) to perform malicious operations.

Dexphot uses polymorphism and encryption to avoid detection which indicates that it constantly changes its identifiable features.

Polymorphic techniques include frequently changing identifiable characteristics like file names and types, encryption keys and other artifacts.

It was also noticed that Dexphot operators attempted to deploy files that changed every 20-30 minutes on thousands of devices.

Dexphot author implemented effective persistence mechanisms that would allow them to re-infect systems that were not completely cleaned.

The malware uses the process hollowing technique to launches the legitimate processes svchost.exe and nslookup.exe and uses them to execute a sort of monitoring component that checks that all the malware components are correctly running and restart them if needed.

The malware also uses scheduled tasks to achieve persistence.

To conclude, Dexphot is a malware campaigns that is active at any given time and its main aim is to install a coin miner that silently steals computer resources and generates revenue for the attackers.

Priyanka R
Cyber Security Enthusiast, Security Blogger, Technical Editor, Author at Cyber Safe News

    Ginp Android Banker Sets as Default SMS App, Steals text

    Previous article

    Magento Marketplace affected by Data Breach

    Next article

    You may also like

    More in Malware


    Leave a reply

    Your email address will not be published. Required fields are marked *