{"id":12068,"date":"2019-11-26T21:55:03","date_gmt":"2019-11-26T20:55:03","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=12068"},"modified":"2019-11-26T21:55:03","modified_gmt":"2019-11-26T20:55:03","slug":"microsoft-dexphot-malware-infects-more-as-80-000-systems","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2019\/11\/26\/microsoft-dexphot-malware-infects-more-as-80-000-systems\/","title":{"rendered":"Microsoft: Dexphot malware infects more than 80,000 systems"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" style=\"float: left; margin: 0px 10px 0px 0px; display: inline\" src=\"https:\/\/www.borncity.com\/blog\/wp-content\/uploads\/2015\/01\/Schutz.jpg\" width=\"40\" align=\"left\" height=\"47\">[<a href=\"https:\/\/www.borncity.com\/blog\/2019\/11\/26\/microsoft-dexphot-malware-infiziert-mehr-als-80-000-rechner\/\" target=\"_blank\" rel=\"noopener noreferrer\">German<\/a>]Security researchers at Microsoft report that a piece of malware called Dexphot has infected more than 80,000 computers. Its payload is a cryptocurrency miner.<\/p>\n<p><!--more--><\/p>\n<p>The campaign has been running since 2018 and peaked at about 80,000 infections in June 2019. 
I came across this via the following tweet.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">Microsoft says new Dexphot malware infected more than 80,000 computers<\/p>\n<p>&gt; delivered via ICLoader<br \/>&gt; used for cryptomining<br \/>&gt; peaked in June at 80k infections<br \/>&gt; used fileless execution, LOLbins, polymorphism, and redundant boot persistence mechanisms<a href=\"https:\/\/t.co\/vzsplOiW3g\">https:\/\/t.co\/vzsplOiW3g<\/a> <a href=\"https:\/\/t.co\/GKgVqsodYu\">pic.twitter.com\/GKgVqsodYu<\/a><\/p>\n<p>\u2014 Catalin Cimpanu (@campuscodi) <a href=\"https:\/\/twitter.com\/campuscodi\/status\/1199372245707165696?ref_src=twsrc%5Etfw\">November 26, 2019<\/a><\/p><\/blockquote>\n<p><span id=\"preserve419583f3dea14a1389e39a21ac9e4b19\" class=\"wlWriterPreserve\"><SCRIPT charset=\"utf-8\" src=\"https:\/\/platform.twitter.com\/widgets.js\" async><\/SCRIPT><\/span> <\/p>\n<h2>First noticed in October 2018<\/h2>\n<p>Microsoft has published the details in <a href=\"https:\/\/www.microsoft.com\/security\/blog\/2019\/11\/26\/insights-from-one-year-of-tracking-a-polymorphic-threat\/\" target=\"_blank\" rel=\"noopener noreferrer\">this blog post<\/a>. The malware was first noticed in October 2018, when Microsoft's polymorphic outbreak monitoring system recorded a sharp rise in reports, an indication that a large-scale malware campaign was forming. <\/p>\n<p>Microsoft's security team then watched the new malware try to deploy files that changed every 20 to 30 minutes on thousands of devices, and named the threat \"Dexphot\". <\/p>\n<h2>Tricky infection methods<\/h2>\n<p>The Dexphot attack used a variety of sophisticated methods to bypass security solutions. 
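<\/p>\n<p>The tweet above and this section describe the building blocks of the campaign: LOLBins, fileless execution, random file names and scheduled tasks that re-establish the infection. As an added example that is not part of the original post or of Microsoft's tooling, the following Python script runs hunt heuristics of that kind over constructed, hypothetical process-creation events (Sysmon Event ID 1 style fields; every path, file name and task name in the sample is invented): it flags LOLBins that load payloads from user-writable directories, random-looking file names in those directories, and schtasks.exe \/create pointing at such a path. The directory list, the LOLBin set and the random-name heuristic are assumptions to be tuned per environment.<\/p>
```python
import re

# Constructed, hypothetical process-creation events in the shape of a few
# Sysmon Event ID 1 fields. Not real Dexphot telemetry: every path, name and
# argument is invented, and backslashes are written as forward slashes.
SAMPLE_EVENTS = [
    {'Image': 'C:/Windows/System32/svchost.exe',
     'CommandLine': 'svchost.exe -k netsvcs',
     'ParentImage': 'C:/Windows/System32/services.exe'},
    {'Image': 'C:/Windows/System32/msiexec.exe',
     'CommandLine': 'msiexec.exe /i C:/Users/alice/AppData/Local/Temp/x8ks2mf0.msi /qn',
     'ParentImage': 'C:/Users/alice/AppData/Local/Temp/setup.exe'},
    {'Image': 'C:/Windows/System32/rundll32.exe',
     'CommandLine': 'rundll32.exe C:/ProgramData/qz7p3k1n.dll,Start',
     'ParentImage': 'C:/Windows/System32/svchost.exe'},
    {'Image': 'C:/Windows/System32/schtasks.exe',
     'CommandLine': 'schtasks.exe /create /sc minute /mo 30 /tn Update /tr C:/ProgramData/qz7p3k1n.exe',
     'ParentImage': 'C:/Windows/System32/rundll32.exe'},
    {'Image': 'C:/Program Files/Mozilla Firefox/firefox.exe',
     'CommandLine': 'firefox.exe',
     'ParentImage': 'C:/Windows/explorer.exe'},
]

# Assumed tuning knobs: living-off-the-land binaries worth watching and
# directory prefixes that an unprivileged user (or a dropper) can write to.
LOLBINS = {'rundll32.exe', 'msiexec.exe', 'regsvr32.exe', 'mshta.exe',
           'wscript.exe', 'cscript.exe', 'powershell.exe'}
USER_WRITABLE = ('c:/users/', 'c:/programdata/', 'c:/windows/temp/')

def normalise(path):
    # chr(92) is a backslash: real logs carry them, the embedded sample does not.
    return path.replace(chr(92), '/').lower()

def basename(path):
    return normalise(path).rsplit('/', 1)[-1]

def looks_random(stem):
    # Heuristic for generated names: 8+ alphanumerics that mix letters and
    # digits, or that contain almost no vowels. Swap for an entropy test if preferred.
    if not re.fullmatch(r'[a-z0-9]{8,}', stem):
        return False
    letters = sum(c.isalpha() for c in stem)
    digits = len(stem) - letters
    vowels = sum(c in 'aeiou' for c in stem)
    return (letters > 0 and digits > 0) or len(stem) > vowels * 5

def analyse(event):
    # Returns the findings for one event; an empty list means nothing fired.
    findings = []
    image = normalise(event['Image'])
    parent = normalise(event['ParentImage'])
    cmd = normalise(event['CommandLine'])
    exe = basename(image)
    # Absolute paths mentioned on the command line (payloads, DLLs, task actions).
    referenced = re.findall(r'[a-z]:/[^ ,]+', cmd)
    payloads = [p for p in referenced if p.startswith(USER_WRITABLE)]
    if exe in LOLBINS and payloads:
        findings.append('lolbin_payload_from_user_writable')
    if exe in LOLBINS and parent.startswith(USER_WRITABLE):
        findings.append('lolbin_spawned_from_user_writable')
    for p in [image, parent] + referenced:
        stem = basename(p).rsplit('.', 1)[0]
        if p.startswith(USER_WRITABLE) and looks_random(stem):
            findings.append('random_name:' + basename(p))
    if exe == 'schtasks.exe' and '/create' in cmd and payloads:
        findings.append('scheduled_task_persistence')
    return list(dict.fromkeys(findings))

def triage(events):
    # Maps event index to its findings, keeping only events that fired.
    result = {}
    for i, event in enumerate(events):
        findings = analyse(event)
        if findings:
            result[i] = findings
    return result

if __name__ == '__main__':
    for i, findings in triage(SAMPLE_EVENTS).items():
        print(i, basename(SAMPLE_EVENTS[i]['Image']), findings)
```
<p>Run stand-alone, the script reports the msiexec, rundll32 and schtasks events and stays silent on the svchost and firefox ones. In practice the events would be pulled from an EDR or Sysmon pipeline instead of the embedded sample, and a hit on the scheduled-task rule is the cue to remove the task, the service and the dropped files together rather than one at a time.<\/p>\n<p>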
Several layers of code obfuscation and encryption, combined with randomly generated file names, conceal the installation process.<\/p>\n<p>Dexphot uses fileless techniques to execute its malicious code directly in memory, leaving few traces for forensic analysis, and hijacks legitimate system processes to disguise its activity. If it is not stopped during the infection phase, a cryptocurrency miner eventually runs on the device. Monitoring services and scheduled tasks set up by the malware trigger a re-infection as soon as an attempt is made to remove it, so deleting a single file or killing a single process is not enough; every persistence mechanism has to be removed in the same step.<\/p>\n<h2>Microsoft Defender ATP blocks Dexphot<\/h2>\n<p>In most cases the detection modules of Microsoft Defender Advanced Threat Protection blocked Dexphot before it could execute; where that failed, behavior-based machine learning models stepped in. Given the threat's persistence mechanisms, its polymorphism and its use of fileless techniques, behavioral detection was, according to Microsoft, an essential part of the protection against this malware and against other threats that exhibit similar behavior. <\/p>\n<p>According to <a href=\"https:\/\/www.microsoft.com\/en-us\/wdsi\/threats\/malware-encyclopedia-description?Name=Trojan:Win32\/Dexphot\" target=\"_blank\" rel=\"noopener noreferrer\">this Microsoft page<\/a>, Windows Defender on Windows 8.1 and Windows 10 also detects the malware as Trojan:Win32\/Dexphot. Thanks to these detection capabilities, the infection rate has since dropped sharply. Details can be found in <a href=\"https:\/\/www.microsoft.com\/security\/blog\/2019\/11\/26\/insights-from-one-year-of-tracking-a-polymorphic-threat\/\" target=\"_blank\" rel=\"noopener noreferrer\">this Microsoft article<\/a>. <\/p>\n","protected":false},"excerpt":{"rendered":"<p>[German]Security researchers from Microsoft have found that more than 80,000 computers have been infected by a malware called Dexphot. 
The malware is currently being used for crypto mining.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[580,2],"tags":[69,194],"class_list":["post-12068","post","type-post","status-publish","format-standard","hentry","category-security","category-windows","tag-security","tag-windows"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/12068","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=12068"}],"version-history":[{"count":0,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/12068\/revisions"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=12068"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/categories?post=12068"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/tags?post=12068"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}