Home / News / Dexphot cryptocurrency miner infected more than 80 thousand computers

Dexphot cryptocurrency miner infected more than 80 thousand computers

Experts from Microsoft warned about attacks by the cryptocurrency miner Dexphot, which managed to infect more than 80 thousand computers around the world.

According to experts, the main feature of Dexphot is the use of sophisticated techniques to avoid detection.

“In October 2018, our polymorphic outbreak monitoring system detected a large surge in reports, indicating that a large-scale campaign was unfolding. We observed as the new threat attempted to deploy files that changed every 20-30 minutes on thousands of devices. We gave the threat the name “Dexphot,” based on certain characteristics of the malware code”, — say Microsoft specialists.

During attacks, Dexphot operators use many sophisticated methods to bypass security solutions, such as obfuscation, encryption, and using random file names to hide the installation process. Dexphot uses file-free methods to run malicious code directly in memory, leaving only a few traces by which it can be tracked.

The malware intercepts legitimate Windows system processes (for example, msiexec.exe, unzip.exe, rundll32.exe, schtasks.exe and powershell.exe) to avoid detection. Ultimately, Dexphot launches a cryptocurrency miner on the device along with monitoring services and scheduled tasks that trigger reinfection when trying to remove malware.

Read also: Researchers discover 1.2 billion user data on ElasticSearch server

According to the researchers, Dexphot is the so-called secondary payload – software installed on previously infected devices. In this case, Dexphot was installed on computers already infected with the ICLoader malware and its variants. To download malicious modules the installer used two URLs, The same URLs were used to ensure persistence of malware updates and reinfection.

“Dexphot makes extensive use of polymorphism and encryption to avoid detection. Polymorphic techniques include frequently changing identifiable characteristics, such as file names and types, encryption keys, and other artifacts”, – write Microsoft specialists.

Dexphot cryptocurrency miner infected more than 80 thousand computers

Experts from Microsoft warned of attacks by the cryptocurrency miner Dexphot, which managed to infect more than 80 thousand computers around the world.

According to experts, the main feature of Dexphot is the use of sophisticated techniques to evade detection.Dexphot is not the type of attack that generates mainstream media attention. It is one among countless malware campaigns which are active at any given time.

Its goal is a very common one in cybercriminal circles — to install a coin miner that silently steals computer resources and generates revenue for the attackers — yet Dexphot exemplifies the level of complexity and rate of evolution of even everyday threats.
[Total: 0    Average: 0/5]
Sending
User Review
0 (0 votes)
Comments Rating 0 (0 reviews)

About Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.

Check Also

Amazon introduced Access Analyzer

Amazon Introduces Access Analyzer – Cloud Basket Security Monitoring Service

Amazon developers unveiled Access Analyzer, a new cloud container control solution. The system uses mathematical …

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.