Security researchers at Microsoft have found that more than 80,000 computers have been infected by a malware called Dexphot, which is currently being used for cryptocurrency mining.
The campaign has been running since 2018, with a peak of 80,000 infections in June 2019. I came across the information via the following tweet.
Microsoft says new Dexphot malware infected more than 80,000 computers
> delivered via ICLoader
> used for cryptomining
> peaked in June at 80k infections
> used fileless execution, LOLbins, polymorphism, and redundant boot persistence mechanisms
> https://t.co/vzsplOiW3g pic.twitter.com/GKgVqsodYu
— Catalin Cimpanu (@campuscodi) November 26, 2019
First noticed in October 2018
Microsoft has published the details in this blog post. The malware was noticed in October 2018 when Microsoft’s polymorphic outbreak monitoring system recorded a large increase in reports. This suggests that a large-scale malware campaign was developing.
Microsoft’s security team then watched the new malware attempt to deploy files that changed every 20-30 minutes on thousands of devices. Microsoft named the malware “Dexphot”.
Tricky infection methods
The Dexphot attack used a variety of sophisticated methods to bypass security solutions: several layers of code obfuscation and encryption, plus randomized filenames to hide the installation process.
Dexphot uses fileless techniques to execute malicious code in memory, leaving only a few traces for forensic analysis. It hijacks legitimate system processes to mask its activity. If Dexphot is not stopped during the infection phase, a crypto-miner eventually runs on the device. Monitoring services and scheduled tasks set up by the malware trigger a re-infection as soon as an attempt is made to remove one of its components.
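As an added hunting example (not code from the original article or from Microsoft), the PowerShell script below enumerates the scheduled tasks on a host and flags the persistence pattern described above: task actions that relaunch a living-off-the-land binary, pass encoded or hidden PowerShell arguments, or point into user-writable directories. The binary list and path patterns are generic assumptions chosen for this example, not published Dexphot indicators.

```powershell
# Hypothetical hunting script (added example, not Microsoft's code): triage scheduled
# tasks for the kind of persistence the article describes, i.e. tasks that relaunch a
# living-off-the-land binary (LOLBin) or a payload dropped into a user-writable path.
# The binary names and path patterns below are generic assumptions, not Dexphot IOCs.

$lolbins = @('powershell.exe', 'pwsh.exe', 'rundll32.exe', 'msiexec.exe', 'mshta.exe',
             'regsvr32.exe', 'wscript.exe', 'cscript.exe', 'cmd.exe', 'schtasks.exe', 'certutil.exe')
# Directories a normal installer rarely schedules tasks from (assumption for this example).
$writablePaths = @('\AppData\', '\Temp\', '\ProgramData\', '\Users\Public\', '\Downloads\')

function Test-SuspiciousAction {
    param([string]$Execute, [string]$Arguments)
    $reasons = @()
    # Execute may carry quotes or environment variables; GetFileName copes with both.
    $exeName = [System.IO.Path]::GetFileName($Execute.Trim('"')).ToLower()
    if ($lolbins -contains $exeName) { $reasons += "lolbin:$exeName" }
    foreach ($p in $writablePaths) {
        if ("$Execute $Arguments" -like "*$p*") { $reasons += "user-writable path:$p" }
    }
    # Encoded or hidden PowerShell is the classic launcher pattern for fileless stages.
    if ($Arguments -match '-(enc|encodedcommand|w(indowstyle)?\s+hidden|nop|noprofile)') {
        $reasons += 'encoded/hidden powershell args'
    }
    return ,$reasons
}

$findings = foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        if (-not $action.Execute) { continue }   # COM-handler actions have no Execute
        $why = Test-SuspiciousAction -Execute $action.Execute -Arguments $action.Arguments
        if ($why.Count -eq 0) { continue }
        $info = $task | Get-ScheduledTaskInfo
        [pscustomobject]@{
            TaskPath = $task.TaskPath
            TaskName = $task.TaskName
            Author   = $task.Author
            Execute  = $action.Execute
            Args     = $action.Arguments
            # Trigger class names reveal boot/logon persistence (BootTrigger, LogonTrigger).
            Triggers = ($task.Triggers | ForEach-Object { $_.CimClass.CimClassName -replace '^MSFT_Task', '' }) -join ','
            LastRun  = $info.LastRunTime
            NextRun  = $info.NextRunTime
            Reasons  = $why -join '; '
        }
    }
}

$findings | Sort-Object TaskPath, TaskName | Format-Table -AutoSize -Wrap
```

Run it in an elevated session so tasks in all folders are visible, and review the output against a known-good baseline rather than treating every hit as malicious (legitimate updaters also schedule `rundll32.exe` and `msiexec.exe`). Because the article notes that the malware's monitoring components re-create removed pieces, disable all flagged tasks and the related services in one pass before deleting any files, and then re-run the script to confirm nothing has been re-registered.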
Microsoft Defender ATP blocks Dexphot
In most cases, Microsoft Defender Advanced Threat Protection detection modules blocked Dexphot before execution. Where that failed, behavior-based machine learning models provided protection. Given the threat's persistence mechanisms, polymorphism, and use of fileless techniques, behavioral detection was, according to Microsoft, an important part of the overall protection against this malware and against other threats that exhibit similar behavior.
According to this Microsoft page, Windows Defender on Windows 8.1 and Windows 10 also detects this malware as Trojan:Win32/Dexphot. Thanks to these detections, the infection rate has since dropped significantly. Details can be found in this Microsoft article.