Microsoft warns about the activity of a new polymorphic threat

A malware outbreak dubbed Dexphot, monitored by researchers, reveals multi-layered persistence

The Microsoft Defender ATP Research Team released a report about a polymorphic malware strain named Dexphot and its large-scale campaigns. This threat, built around cryptocurrency mining, infected at least 80,000 devices and uses many layers to evade detection, infect the machine, and consume CPU power to make a profit for its developers.

Dexphot was first discovered in October 2018, and its biggest peak was observed in the middle of July 2019. Researchers noted that this is a complex threat that uses multi-stage attack chains and other methods such as scheduled malware updates and obfuscated scripts that check for antivirus products. Although the goal of the malware is simply to install a Monero miner that silently consumes resources and mines coins, the complexity of the infection shows how far malware detection techniques need to evolve.

A complex polymorphic malware strain

The malware reached its peak when 80,000 devices became infected and were used for mining. The main goal of the strain is straightforward, but the methods used to avoid detection and the initial infection techniques show a complexity that attracted the attention of researchers. Hazel Kim, a malware analyst for the Microsoft Defender ATP Research Team, thinks that this outbreak illustrates how everyday threats are evolving to evade protections and fly under the radar of detection software.

Advanced methods that Dexphot uses include fileless execution, polymorphic techniques, redundant boot persistence mechanisms, installation via MSI packages, and encryption combined with randomized file names. Most of the data loaded onto devices can change every 20 or 30 minutes, which makes the malicious activity difficult to track.

According to researchers, Dexphot is a second-stage malware, so its payload is dropped on an already infected machine. Various samples show that devices infected by ICLoader, which is installed as part of software bundles, were infected by Dexphot as well. After the initial ICLoader infiltration, the Dexphot installer is downloaded automatically. That installer is the only file written to disk, and it stays there only for a short period of time.

Security solutions evading techniques

Since the names of the archives and files loaded onto the machines, the executables, and the MSI package contents are all unique, traditional file-based detection solutions cannot detect the malware easily. However, experts note that protection built on behavior-based detection mechanisms could guard against threats with malicious activity similar to Dexphot's.

Since execution is fileless, the malware's operations run only inside the memory of the infected computer, which also makes the malware hard to see. Dexphot additionally uses a technique known as living off the land: it abuses legitimate Windows processes to execute its malicious scripts instead of running processes of its own. A process hollowing technique also starts two legitimate processes at a time to launch malicious code undetected. For example, legitimate application executables such as msiexec.exe, unzip.exe, rundll32.exe, schtasks.exe, and powershell.exe are abused by the malware to run the code it needs.

When all these infection techniques succeed, the malware can re-infect the system every hour, which allows Dexphot to keep crypto-mining processes running in the background. XMRig and JCE Miner are deployed, and the malware switches between the two to make money using only the CPU and RAM of the infected machine.
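The living-off-the-land behaviour and the hourly re-infection described in the last two paragraphs are exactly the kind of activity that behavior-based detection can catch even when every file name is unique. The following Python script is an added example, not code from Microsoft or from the report; it runs a few heuristics over constructed process-creation events (the `parent=... image=... cmdline=...` line format, the sample log lines, the user-writable directory list and the rule names are all assumptions made for this example). The rules look at which process launched a system binary and what it was asked to do, rather than at file hashes.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Binaries the report names as abused by Dexphot.
LOLBINS = {"msiexec.exe", "unzip.exe", "rundll32.exe", "schtasks.exe", "powershell.exe"}

# Assumed heuristic: directories a legitimate installer rarely launches system tools from.
USER_WRITABLE = re.compile(r"\\(temp|appdata|programdata|downloads)\\", re.IGNORECASE)

# Assumed log line shape for this example (not a real vendor format).
LINE_RE = re.compile(r'^parent="([^"]*)"\s+image="([^"]*)"\s+cmdline="([^"]*)"$')


@dataclass
class ProcEvent:
    parent: str   # full path of the parent process image
    image: str    # full path of the created process image
    cmdline: str  # command line of the created process


def parse_event(line: str) -> Optional[ProcEvent]:
    """Parse one constructed log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    return ProcEvent(*m.groups()) if m else None


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: ProcEvent) -> List[str]:
    """Return the name of every heuristic the event trips (empty list if nothing fires)."""
    hits = []
    img, par, cmd = basename(ev.image), basename(ev.parent), ev.cmdline.lower()

    # 1. A system LOLBin started by something running from a user-writable directory.
    if img in LOLBINS and USER_WRITABLE.search(ev.parent):
        hits.append("lolbin_from_user_writable_parent")

    # 2. msiexec silently installing a package fetched from a URL.
    if img == "msiexec.exe" and "http" in cmd and re.search(r"(^|\s)/q", cmd):
        hits.append("msiexec_silent_remote_package")

    # 3. schtasks creating a frequently recurring task that runs a script host
    #    (the report describes hourly re-infection through scheduled tasks).
    if (img == "schtasks.exe" and "/create" in cmd
            and re.search(r"/sc\s+(minute|hourly)", cmd)
            and any(name in cmd for name in ("powershell", "rundll32"))):
        hits.append("schtasks_recurring_script_host")

    # 4. rundll32 spawning PowerShell: one LOLBin chained into another.
    if par == "rundll32.exe" and img == "powershell.exe":
        hits.append("rundll32_spawns_powershell")

    return hits


def scan(lines: List[str]) -> List[Tuple[str, List[str]]]:
    """Run every parsable line through the heuristics; return (image, hits) for flagged events."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        hits = classify(ev)
        if hits:
            findings.append((ev.image, hits))
    return findings


# Constructed sample events: one benign launch, three suspicious chains, one benign installer.
SAMPLE_LOG = [
    r'parent="C:\Windows\explorer.exe" image="C:\Windows\System32\notepad.exe" cmdline="notepad.exe readme.txt"',
    r'parent="C:\Users\alice\AppData\Local\Temp\setup.exe" image="C:\Windows\System32\msiexec.exe" cmdline="msiexec.exe /q /i http://example.invalid/pkg.msi"',
    r'parent="C:\Windows\System32\cmd.exe" image="C:\Windows\System32\schtasks.exe" cmdline="schtasks.exe /create /sc hourly /tn updater /tr rundll32.exe C:\ProgramData\x.dll,Start"',
    r'parent="C:\Windows\System32\rundll32.exe" image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" cmdline="powershell.exe -NoProfile -WindowStyle Hidden -File C:\ProgramData\run.ps1"',
    r'parent="C:\Program Files\Vendor\app.exe" image="C:\Windows\System32\msiexec.exe" cmdline="msiexec.exe /i C:\Program Files\Vendor\update.msi"',
]

if __name__ == "__main__":
    for image, hits in scan(SAMPLE_LOG):
        print(f"{image}: {', '.join(hits)}")
```

Running the script flags the msiexec, schtasks and PowerShell events and leaves the two ordinary launches alone. Because the rules key on parent/child relationships and command-line intent, a rename or re-encryption of the dropped files every 20 to 30 minutes does not change what they see; the price is that the thresholds (which directories count as user-writable, which schedule intervals are suspicious) must be tuned to the environment to keep false positives down.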