Dexphot malware turned 80,000 computers into Monero miners

Microsoft warns about a complex threat that prevents detection and receives needed updates as frequently as needed

Dexphot malware attacked close to 80,00 machines

A large surge of reports about large-scale malware campaigns started in October 2018, according to the report from Microsoft Defender ATP Research Team.[1] Based on the particular characteristics of the malware, it got a Dexphot name. It seems that this new threat is using files that manage to change every 20 or 30 minutes, different layers of obfuscation, encryption, and other techniques that help it to hide the initial installation process.

The second stage of this malware attack involves fileless techniques[2] that help to run malicious code directly in system memory without any traces. Since legitimate system processes get hijacked, malicious behavior is disguised, and the malware starts its mining tasks.[3]

Thanks to numerous upgrades, the malware has become even more difficult to analyze. The biggest jump in the sophisticated malware campaign was spotted in mid-June this year when tens of thousands of devices got affected, and the number of infected computers reached an impressive 80,000 number. Microsoft claims that daily infections have been slowing down, and attacks should stop eventually due to improved detection rates.

The functionality of the polymorphic threat

The malware is difficult to track because of the files that change every half an hour. Once the MSI executable gets delivered on the system, the package containing various files with different infections and malicious scripts is installed. The unique features allow malware to bypass traditional file-based detection engines and the virus can only be detected by engines based on behavior-based detection techniques.

Hazel Kim, a malware researcher for the Microsoft Defender ATP Research Team refers to the complexity of malware:

It’s one of the countless malware campaigns that are active at any given time. Its goal is a very common one in cybercriminal circles – to install a coin miner that silently steals computer resources and generates revenue for the attackers.

Dexphot malware can update the payload from the web because it employs scheduled tasks and can refresh its behavior each time the infected machine gets rebooted and every hour and a half while the computer is still running. Different names for processes and tasks also get changed to mask malicious behavior.

Although the main goal of Dexphot is mining cryptocurrency, monitoring services, and triggering the repetitive infection, the modules and infiltration techniques, which help it to bypass the detection engines have made it more sophisticated than any other miner virus.[4] 

The focus of sophisticated attacks – Monero mining

When the malware infects the targeted machine successfully, it launches the cryptocurrency mining functions, so the virus can switch between XMRig and JCE miners to use resources of the computer and generate revenue. Essential files get planted on the disk, and one of them contains the installer with two URLs used to retrieve the payloads. 

The script for Monero mining runs on the compromised host and is also difficult to detect due to a technique called process hollowing that replaces the legitimate task code with malicious content.[5] Researchers believe that this might become a prevalent technique used by malware in the future because code hidden this way doesn’t touch disk or leave traces for forensic investigations. This is an example of how malware can evolve and get sophisticated to go undetected by regular malware defense mechanisms.