Security experts at Microsoft analyzed a new strain of
The number of infections reached a peak in June and the number of daily infected systems has been slowly going down.
“The Dexphot attack used a variety of sophisticated methods to evade security solutions. Layers of obfuscation, encryption, and the use of randomized file names hid the installation process. Dexphot then used fileless techniques to run malicious code directly in memory, leaving only a few traces that can be used for forensics,” reads the analysis published by Microsoft. “It hijacked legitimate system processes to disguise malicious activity. If not stopped, Dexphot ultimately ran a
Researchers observed that Dexphot was being dropped on computers that were previously infected with the SoftwareBundler:Win32/ICLoader and its variants. The experts noticed that
The installer downloads an MSI package from one of the above URLs, then executes msiexec.exe to silently install the malware. Experts noticed that the malicious code employs multiple living-off-the-land techniques (LOLbins) to avoid detection, abusing legitimate Windows processes (msiexec.exe, unzip.exe, rundll32.exe, schtasks.exe, and powershell.exe) to perform malicious operations.
Dexphot makes heavy use of polymorphism and encryption to avoid detection, which means that it constantly changes its identifiable features.
Polymorphic techniques involve frequently changing identifiable characteristics such as file names and types, encryption keys, and other artifacts.
In the specific case, experts noticed that Dexphot operators attempted to deploy files that changed every 20-30 minutes on thousands of devices.
Dexphot's authors implemented effective persistence mechanisms that allow them to re-infect systems that were not completely cleaned.
The malware uses the process hollowing technique to launch the legitimate processes
The malware also uses scheduled tasks to achieve persistence.
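The LOLbin abuse described above (msiexec.exe silently installing a package fetched from a URL, followed by unzip.exe, rundll32.exe, schtasks.exe and powershell.exe) and the scheduled-task persistence lend themselves to a simple per-host triage rule. The following is an added detection example, not code from the Microsoft analysis or from Security Affairs; the process-creation events, the scoring weights and the threshold are constructed assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample process-creation events (not real Dexphot telemetry):
# (host, parent_image, image, command_line)
EVENTS = [
    ("host1", "explorer.exe", "setup.exe", "setup.exe /S"),
    ("host1", "setup.exe", "msiexec.exe", "msiexec.exe /i https://example.invalid/pkg.msi /q"),
    ("host1", "msiexec.exe", "unzip.exe", "unzip.exe -o pkg.zip -d C:\\Users\\Public\\tmp"),
    ("host1", "rundll32.exe", "schtasks.exe",
     "schtasks.exe /create /sc minute /mo 20 /tn upd /tr C:\\Users\\Public\\tmp\\a.dll"),
    ("host2", "svchost.exe", "msiexec.exe", "msiexec.exe /i C:\\Temp\\vendor.msi /qn"),
    ("host2", "explorer.exe", "powershell.exe", "powershell.exe Get-Process"),
]

# The legitimate binaries the analysis says Dexphot abuses.
LOLBINS = {"msiexec.exe", "unzip.exe", "rundll32.exe", "schtasks.exe", "powershell.exe"}
URL_RE = re.compile(r"https?://", re.IGNORECASE)
QUIET_RE = re.compile(r"(^|\s)/q\w*", re.IGNORECASE)   # msiexec quiet switches /q, /qn, ...

def score_event(image, cmdline):
    """Return (points, reasons) for a single event. Weights are assumed, not from the report."""
    image = image.lower()
    points, reasons = 0, []
    if image in LOLBINS:
        points += 1
        reasons.append("lolbin:" + image)
    # Silent MSI install straight from a URL: the installer step described in the article.
    if image == "msiexec.exe" and URL_RE.search(cmdline) and QUIET_RE.search(cmdline):
        points += 3
        reasons.append("silent-msi-from-url")
    # Scheduled-task creation: the persistence mechanism described in the article.
    if image == "schtasks.exe" and "/create" in cmdline.lower():
        points += 2
        reasons.append("scheduled-task-created")
    return points, reasons

def triage(events, threshold=5):
    """Aggregate per host; a LOLbin spawning another LOLbin adds a chain bonus.
    Returns only hosts whose combined score reaches the (assumed) threshold."""
    per_host = defaultdict(lambda: {"score": 0, "reasons": []})
    for host, parent, image, cmdline in events:
        pts, why = score_event(image, cmdline)
        if parent.lower() in LOLBINS and image.lower() in LOLBINS:
            pts += 1
            why.append(f"lolbin-chain:{parent.lower()}->{image.lower()}")
        per_host[host]["score"] += pts
        per_host[host]["reasons"].extend(why)
    return {h: v for h, v in per_host.items() if v["score"] >= threshold}
```

A single silent MSI install or a lone PowerShell launch stays below the threshold; only the chained sequence on host1 is surfaced, which keeps the rule from firing on routine vendor installs.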
(SecurityAffairs – malware, miner)