Pierluigi Paganini November 27, 2019

Microsoft revealed that the new Dexphot cryptocurrency miner has already infected more than 80,000 computers worldwide.

Security experts at Microsoft analyzed a new strain of cryptocurrency miner tracked as Dexphot that has been active since at least October 2018. The malicious code abuse of the resources of the infected machine to mine cryptocurrency, according to the experts it has already infected 80,000 computers worldwide.

The number of infections reached a peak in June and the number of daily infected systems has been slowly going down. Doxphot stands out for its evasion techniques and its level of sophistication.

“The Dexphot attack used a variety of sophisticated methods to evade security solutions. Layers of obfuscation, encryption, and the use of randomized file names hid the installation process. Dexphot then used fileless techniques to run malicious code directly in memory, leaving only a few traces that can be used for forensics.”reads the analysis published by Microsoft. “It hijacked legitimate system processes to disguise malicious activity. If not stopped, Dexphot ultimately ran a cryptocurrency miner on the device, with monitoring services and scheduled tasks triggering re-infection when defenders attempt to remove the malware.”

Researchers observed that Dexphot was being dropped on computers that were previously infected with the SoftwareBundler:Win32/ICLoader and its variants. The experts noticed that the installer uses two URLs to download malicious payloads, the same two URLs are used by Dexphot to establish persistence, update the malware, and re-infect the device.

The installer downloads an MSI package from one of the above URLs, then it executes the msiexec.exe to silently install the malware. Experts noticed that the malicious code employes multiple living-off-the-land techniques (LOLbins), to avoid detection by abusing legitimate Windows processes (i.e. msiexec.exe, unzip.exe, rundll32.exe, schtasks.exe, and powershell.exe) to perform malicious operations.

Dexphot makes heavy use of polymorphism and encryption to avoid detection, this means that it constantly changes its identifiable features. 

Polymorphic techniques involve frequently changing identifiable characteristics like file names and types, encryption keys and other artifacts.

In the specific case, experts noticed that Dexphot operators attempted to deploy files that changed every 20-30 minutes on thousands of devices. 

“Dexphot exhibits multiple layers of polymorphism across the binaries it distributes. For example, the MSI package used in the campaign contains different files” continues the analysis

Dexphot author implemented effective persistence mechanisms that would allow them to re-infect systems that were not completely cleaned.

The malware uses the process hollowing technique to launches the legitimate processes svchost.exe and nslookup.exe and uses them to execute a sort of monitoring component that checks that all the malware components are correctly running and restart them if needed.

The malware also uses scheduled tasks to achieve persistence.

“Dexphot is not the type of attack that generates mainstream media attention; it’s one of the countless malware campaigns that are active at any given time. Its goal is a very common one in cybercriminal circles — to install a coin miner that silently steals computer resources and generates revenue for the attackers — yet Dexphot exemplifies the level of complexity and rate of evolution of even everyday threats, intent on evading protections and motivated to fly under the radar for the prospect of profit.” concludes the analysis published by Microsoft that also includes Indicators of Compromise (IoCs).

Pierluigi Paganini

(SecurityAffairs – malware, miner)

[adrotate banner=”5″]

[adrotate banner=”13″]