Dexphot cryptocurrency miner infected more than 80 thousand computers

Experts from Microsoft warned about attacks by the cryptocurrency miner Dexphot, which managed to infect more than 80 thousand computers around the world.

According to experts, the main feature of Dexphot is the use of sophisticated techniques to avoid detection.

“In October 2018, our polymorphic outbreak monitoring system detected a large surge in reports, indicating that a large-scale campaign was unfolding. We observed the new threat attempting to deploy files that changed every 20-30 minutes on thousands of devices. We gave the threat the name ‘Dexphot,’ based on certain characteristics of the malware code,” Microsoft specialists say.

During attacks, Dexphot operators use many sophisticated methods to bypass security solutions, such as obfuscation, encryption, and random file names that hide the installation process. Dexphot uses fileless techniques to run malicious code directly in memory, leaving few traces by which it can be tracked.

The malware hijacks legitimate Windows system processes (for example, msiexec.exe, unzip.exe, rundll32.exe, schtasks.exe and powershell.exe) to avoid detection. Ultimately, Dexphot launches a cryptocurrency miner on the device, together with monitoring services and scheduled tasks that trigger reinfection when the malware is removed.
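The two behaviours described above, scheduled tasks whose action relaunches the payload through a legitimate system binary, and files whose content changes every 20-30 minutes, are both visible in ordinary process-creation telemetry. The following Python sketch is an added example, not code from the article or from Microsoft: it runs two detection heuristics over a handful of constructed Sysmon-style events (the timestamps, paths, command lines and hash values are made up for the example). `find_task_persistence` flags `schtasks.exe /create` commands whose task action starts with one of the abused binaries named above, and `find_hash_churn` flags an image path that is observed with three or more distinct file hashes inside one hour.

```python
"""Two detection heuristics for the Dexphot-style behaviours described in the
article: persistence through scheduled tasks that launch abused system
binaries, and polymorphic files whose hash keeps changing at one path.
All sample events below are constructed, not real telemetry."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Legitimate Windows binaries the article names as abused by Dexphot.
ABUSED_SYSTEM_BINARIES = {"msiexec.exe", "unzip.exe", "rundll32.exe",
                          "schtasks.exe", "powershell.exe"}

# Constructed Sysmon-style process-creation events (hypothetical values).
SAMPLE_EVENTS = [
    # hypothetical persistence task: the action runs rundll32.exe on a DLL
    # dropped in a user-writable directory, every 30 minutes
    {"ts": "2019-10-01T10:00:00",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /tn "SysUpdate" /sc minute /mo 30 '
                r'/tr "rundll32.exe C:\Users\Public\x7f2.dll,Start"',
     "hash": "HASH-SCHTASKS"},
    # benign task creation: the action is an ordinary installed program
    {"ts": "2019-10-01T10:05:00",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /tn "Backup" /sc daily '
                r'/tr "C:\Program Files\Backup\backup.exe"',
     "hash": "HASH-SCHTASKS"},
    # one path executed three times within an hour with a new hash each time
    {"ts": "2019-10-01T10:10:00", "image": r"C:\Users\Public\svc.exe",
     "cmdline": "svc.exe", "hash": "HASH-A"},
    {"ts": "2019-10-01T10:35:00", "image": r"C:\Users\Public\svc.exe",
     "cmdline": "svc.exe", "hash": "HASH-B"},
    {"ts": "2019-10-01T11:02:00", "image": r"C:\Users\Public\svc.exe",
     "cmdline": "svc.exe", "hash": "HASH-C"},
    # a stable binary keeps the same hash on every execution
    {"ts": "2019-10-01T10:12:00", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe", "hash": "HASH-NOTEPAD"},
    {"ts": "2019-10-01T10:40:00", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe", "hash": "HASH-NOTEPAD"},
]

# The /tr argument of schtasks.exe holds the task action (quoted or bare).
TASK_ACTION_RE = re.compile(r'/tr\s+"([^"]*)"|/tr\s+(\S+)', re.IGNORECASE)


def _basename(path):
    """Lower-cased file name of a Windows path or bare executable name."""
    return PureWindowsPath(path).name.lower()


def find_task_persistence(events):
    """Flag schtasks.exe /create commands whose task action starts with one
    of the abused system binaries (rundll32, powershell, msiexec, ...)."""
    alerts = []
    for ev in events:
        if _basename(ev["image"]) != "schtasks.exe":
            continue
        if "/create" not in ev["cmdline"].lower():
            continue
        match = TASK_ACTION_RE.search(ev["cmdline"])
        if not match:
            continue
        action = match.group(1) or match.group(2)
        # The first whitespace-separated token is the program the task runs.
        if _basename(action.split()[0]) in ABUSED_SYSTEM_BINARIES:
            alerts.append({"ts": ev["ts"], "action": action})
    return alerts


def find_hash_churn(events, window=timedelta(hours=1), min_distinct=3):
    """Flag an image path seen with at least `min_distinct` different file
    hashes inside `window`: the churn of files rewritten every 20-30 minutes.
    Returns one alert per path, keyed by the lower-cased path."""
    by_path = defaultdict(list)
    for ev in events:
        by_path[ev["image"].lower()].append(
            (datetime.fromisoformat(ev["ts"]), ev["hash"]))
    alerts = []
    for path, observations in by_path.items():
        observations.sort()
        for i, (start, _) in enumerate(observations):
            hashes = {h for t, h in observations[i:] if t - start <= window}
            if len(hashes) >= min_distinct:
                alerts.append({"image": path, "distinct_hashes": len(hashes)})
                break
    return alerts


if __name__ == "__main__":
    for alert in find_task_persistence(SAMPLE_EVENTS):
        print("persistence task:", alert)
    for alert in find_hash_churn(SAMPLE_EVENTS):
        print("hash churn:", alert)
```

On the constructed events the first heuristic fires once (the task whose action is `rundll32.exe ...`) and the second fires once (`svc.exe`, three hashes in 52 minutes). In production both rules need tuning: software updaters legitimately change a binary's hash, and many administrative tasks run through powershell.exe, so pair the hits with the parent process, the drop directory and signing status before acting on them.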

According to the researchers, Dexphot is a so-called second-stage payload: malware installed on devices that were already infected. In this case, Dexphot was installed on computers already compromised by the ICLoader malware and its variants. The installer downloaded its malicious modules from two URLs; the same URLs were later used to deliver malware updates and to trigger reinfection.

“Dexphot makes extensive use of polymorphism and encryption to avoid detection. Polymorphic techniques include frequently changing identifiable characteristics, such as file names and types, encryption keys, and other artifacts,” Microsoft specialists write.

Dexphot is not the type of attack that generates mainstream media attention. It is one of countless malware campaigns that are active at any given time.

Its goal is a very common one in cybercriminal circles — to install a coin miner that silently steals computer resources and generates revenue for the attackers — yet Dexphot exemplifies the level of complexity and rate of evolution of even everyday threats.
James Brown

Technology news writer and part-time security researcher. Author of how-to articles related to Windows computer issue solving.
