Microsoft experts talked about the Dexphot malware, which has been attacking Windows machines since the fall of 2018. In June 2019, the activity of the malware reached its peak, when more than 80,000 systems became victims of the botnet.Now experts say that Dexphot’s activity is declining, including because of the countermeasures they are taking.
The main goal of Dexphot has always been extraction of cryptocurrency and enrichment of its operators. However, despite quite ordinary goals of the malware, the researchers note that its authors used sophisticated techniques, and the harm itself was not so simple. The fact is that many of the techniques used by virus writers are more likely to be found studying the work of “government hackers”, but not just another miner.
“Dexphot was a second-level payload, that is, it infected computers already infected with the ICLoader malware, which penetrated the system along with various software packages, or when users downloaded and installed hacked or pirated software”, – say information security specialists at Microsoft.
Interestingly, the Dexphot installer was the only part of the malware that was written to disk for only a short period of time. For other files and operations, Dexphot used a fileless attack method, that is, it ran everything only in the computer’s memory, making the presence of malvari in the system invisible to classical antivirus solutions that rely on signatures.
Dexphot also used the LOLbins (living off the land) technique to use legitimate Windows processes to execute malicious code, rather than launching its own executable files and processes. For example, according to Microsoft, the malware regularly abused msiexec.exe, unzip.exe, rundll32.exe, schtasks.exe and powershell.exe. Using these processes to run malicious code, Dexphot actually becomes indistinguishable from other local applications that also used these utilities to do their work.
In addition, Dexphot used a technique called polymorphism.
“Dexphot operators changed the file names and URLs used in the infection process every 20-30 minutes. By the time antivirus solutions detected a pattern in the Dexphot infection chain, the latter one was changing. It allowed Dexphot stay one step ahead”, – said Microsoft experts.
Since no malware will stay unnoticed forever, Dexphot developers have taken care of the mechanism of a stable presence in the system. The malware used a technique called process hollowing to launch two legitimate processes (svchost.exe and nslookup.exe), clean their contents and run malicious code under their guise. These components, disguised as legitimate Windows processes, made sure that all parts of the malware were up and running, and reinstall the malware if necessary.
Additionally, Dexphot used a series of scheduled tasks (regularly changing their names), so that the victim was re-infected without file after each system reboot or every 90 or 110 minutes. This functionality also made it possible regularly update the malware on all infected hosts. After all, every time one of the tasks was performed, the file was downloaded from the attacker’s server, and they could make changes to it.