Dexphot virus uncovered by Microsoft, affected over 80,000 devices

A new sneaky piece of malware has been revealed, quietly using compromised devices to mine cryptocurrency for its attackers. Under the radar of most news coverage until now, the Dexphot virus has kept itself alive by using loads of techniques to re-infect machines.

On November 26th, Microsoft’s Defender Advanced Threat Protection (ATP) Research Team released an alert detailing a new malware strain that has already infected more than 80,000 devices since it was first discovered in October 2018.

Researchers remarked the virus has layers of encryption, obfuscation, and randomized files that allow Dexphot to circumvent security solutions and hide its installation process.

According to the research team, Dexphot is what security researchers classify a second-stage payload, a type of malware that’s dropped on systems that are already infected by other malware. These types of “crypto-jacking” are increasingly popular among hackers as they provide financial gain while operating in the background without the user’s awareness. Dexphot is dropped on computers already infected with the ICLoader virus, a malware strain often side-installed as part of software bundles or when users downloaded and installed cracked or pirated software with the user knowing. 

The malware reached its peak in mid-June of this year when its botnet reached almost 80,000 infected computers. Microsoft maintains the virus has slowly been going down due to its deployment of countermeasures to improve detections and stop attacks.

But while Doxphot’s purpose was innocuous, the methods and techniques stood out due to their superior level of complexity, which Microsoft also noticed. Once an antivirus vendor detects a pattern in Dexphot’s infection chain, that pattern would change and allowing Dexphot to stay a step ahead of cyber-security products.

“Dexphot is not the type of attack that generates mainstream media attention,” said Hazel Kim, a malware analyst for the Microsoft Defender ATP Research Team, referring to the malware’s mundane task of mining cryptocurrency, rather than stealing user data.

“It’s one of the countless malware campaigns that are active at any given time. Its goal is a very common one in cybercriminal circles – to install a coin miner that silently steals computer resources and generates revenue for the attackers,” Kim said.

“Yet Dexphot exemplifies the level of complexity and rate of evolution of even everyday threats, intent on evading protections and motivated to fly under the radar for the prospect of profit.” Kim added.

Microsoft says that Dexphot came with ingenious persistence mechanisms that would frequently reinfect systems that were not cleaned entirely of all of the malware’s elements. The malware used a technique known as process hollowing to start two legitimate processes (svchost.exe and nslookup.exe), hollow their content, and hijack them to run malicious code from inside.

Once disguised as legitimate Windows processes, these two Dexphot components would monitor that all the malware’s elements were up and running, and reinstall the malware if one of them stopped working. Because there were two monitoring processes, if system administrators or antivirus software removed one, the second would serve as a backup and reinfect the system.

Dexphot also used a series of scheduled tasks and fileless techniques to make sure the compromised systems were reinfected after every reboot, or once every 90 or 110 minutes. Further, these tasked used polymorphism, with Dexphot changing task names at regular intervals. This measure allowed the malware to skirt any blocklists that blocked scheduled tasks by their names.

The tasks running at regular intervals scheduled served as a means for the Dexphot to deliver updates to all infected systems. Once the job ran, it downloaded a file from an attacker’s server, allowing the attacker to alter this file with updated instructions for all of the infected hosts as well as update their entire botnet within hours after an antivirus vendor deployed any defensive measures.

To protect against Dexphot, consumers will need to employ a next-generation protection engine, including cloud-based machine learning detections.  Solutions need to recognize and block the initial infection to stop the attack in its early stages.

Further, memory scans can detect and terminate the malicious code hidden by process hollowing, while behavioral blocking and containment capabilities can effectively combat the malware’s fileless, evasion, and persistence techniques.

To receive the latest CoinGeek.com news, special discounts on CoinGeek Conferences and other inside information direct to your inbox, please sign up for our mailing list.