27 November 2019

New Dexphot crypto-stealing malware infected nearly 80, 000 computers

The Microsoft Defender ATP research team has warned of a new cryptocurrency-stealing malware variant that uses a variety of sophisticated methods to evade security solutions.

The researchers have been tracking the new threat, dubbed Dexphot, since the start of the campaign in October 2018. The malware had a spike in mid-June this year, when it infected nearly 80,000 computers, hijacking their resources to mine cryptocurrency and generate revenue for its operators, but towards the end of the month its activity slowed down, with the infection rate falling to less than 20,000 computers. By the end of July, the number of compromised machines had decreased to 10,000.

What makes Dexphot stand out is its use of sophisticated methods designed to conceal its activities from security software.

“Layers of obfuscation, encryption, and the use of randomized file names hid the installation process. Dexphot then used fileless techniques to run malicious code directly in memory, leaving only a few traces that can be used for forensics. It hijacked legitimate system processes to disguise malicious activity. If not stopped, Dexphot ultimately ran a cryptocurrency miner on the device, with monitoring services and scheduled tasks triggering re-infection when defenders attempt to remove the malware,” the report says.

Some of the files deployed by Dexphot would change every 20 or 30 minutes, making it difficult to track its activity. According to Microsoft, during the early stages of infection Dexphot leverages numerous files and processes. During the execution stage, Dexphot writes the following key files to disk:

An installer with two URLs

An MSI package file downloaded from one of the URLs

A password-protected ZIP archive

A loader DLL, which is extracted from the archive

An encrypted data file that holds three additional executables that are loaded into system processes via process hollowing

Dexphot is a so-called second-stage payload, a type of malware that is deployed on already infected computers. In observed attacks, the Dexphot miner was dropped on computers that were previously infected with ICLoader, a family of bundlers focused on installing adware on the affected Windows systems. The researchers noticed that the installer uses two URLs to download malicious payloads; the same two URLs are later used by Dexphot to establish persistence, update the malware, and re-infect the device. The installer downloads an MSI package from one of the above URLs, then executes msiexec.exe to silently install the malware. The malware also employs living-off-the-land techniques to execute its code through legitimate system processes.

Dexphot’s package contains an obfuscated batch script that checks for antivirus products; if such software is found running on the machine, the malware halts the infection process immediately. The researchers said that at the beginning of their investigation the script checked for antivirus products from Avast and AVG; later, Windows Defender Antivirus was added to the checklist.

The malware also uses scheduled tasks to achieve persistence. That also allows Dexphot to update the payload from the web every time the tasks run. All components are refreshed this way each time the system is rebooted and every 90 or 110 minutes while the machine is running.
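The persistence pattern described above (a scheduled task that re-runs msiexec.exe against a URL-hosted MSI every 90 or 110 minutes) is something a defender can triage from a scheduled-task export. The following is an added example, not code from the Microsoft report; the task record fields, the sample tasks and the placeholder URL are all constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Hypothetical scheduled-task record. The fields are an assumption modelled on what a
# task export (e.g. schtasks /query /v) exposes: task name, the program it runs,
# its arguments, and the repetition interval in minutes (None = no repetition).
@dataclass
class TaskRecord:
    name: str
    command: str
    arguments: str
    repeat_minutes: Optional[int]

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
# msiexec quiet-install switches (/q, /qn, /quiet) are real msiexec options.
QUIET_RE = re.compile(r"(^|\s)/(q|qn|quiet)(\s|$)", re.IGNORECASE)
# Refresh cadence reported for Dexphot: every 90 or 110 minutes while running.
DEXPHOT_REFRESH_MINUTES = {90, 110}

def suspicious_reasons(task: TaskRecord) -> List[str]:
    """Return the Dexphot-style traits a task exhibits (empty list = nothing flagged)."""
    reasons: List[str] = []
    is_msiexec = task.command.lower().rstrip().endswith("msiexec.exe")
    # msiexec pulling an MSI straight from a URL is the installer behaviour described
    # in the report; a quiet switch on top of that is a second indicator. A quiet
    # install of a local MSI alone is normal software deployment and is not flagged.
    if is_msiexec and URL_RE.search(task.arguments):
        reasons.append("msiexec installs an MSI fetched from a URL")
        if QUIET_RE.search(task.arguments):
            reasons.append("silent install requested")
    if task.repeat_minutes in DEXPHOT_REFRESH_MINUTES:
        reasons.append(f"re-runs every {task.repeat_minutes} minutes (Dexphot refresh cadence)")
    return reasons

def triage(tasks: List[TaskRecord]) -> Dict[str, List[str]]:
    """Map each flagged task name to the reasons it was flagged."""
    flagged = {}
    for task in tasks:
        reasons = suspicious_reasons(task)
        if reasons:
            flagged[task.name] = reasons
    return flagged

# Constructed sample input: one benign updater, one Dexphot-like task with a
# placeholder URL, and one legitimate quiet install of a local MSI.
SAMPLE_TASKS = [
    TaskRecord("VendorUpdate", r"C:\Program Files\Vendor\Update.exe", "/check", 60),
    TaskRecord("xa7kq21", r"C:\Windows\System32\msiexec.exe",
               "/i http://placeholder.invalid/upd.msi /q", 90),
    TaskRecord("DeployAgent", r"C:\Windows\System32\msiexec.exe", r"/i C:\deploy\agent.msi /qn", None),
]
```

Running `triage(SAMPLE_TASKS)` flags only the second task, with all three reasons; the local quiet install is left alone.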

“Dexphot is not the type of attack that generates mainstream media attention; it’s one of the countless malware campaigns that are active at any given time. Its goal is a very common one in cybercriminal circles — to install a coin miner that silently steals computer resources and generates revenue for the attackers — yet Dexphot exemplifies the level of complexity and rate of evolution of even everyday threats, intent on evading protections and motivated to fly under the radar for the prospect of profit,” the researchers concluded.
