Security experts at Microsoft analyzed a new strain of
The number of infections reached a peak in June and the number of daily infected systems has been slowly going down.
“The Dexphot attack used a variety of sophisticated methods to evade security solutions. Layers of obfuscation, encryption, and the use of randomized file names hid the installation process. Dexphot then used fileless techniques to run malicious code directly in memory, leaving only a few traces that can be used for forensics,” reads the analysis published by Microsoft. “It hijacked legitimate system processes to disguise malicious activity. If not stopped, Dexphot ultimately ran a
Researchers observed that Dexphot was being dropped on computers that were previously infected with the SoftwareBundler:Win32/ICLoader and its variants. The experts noticed that
The installer downloads an MSI package from one of the above URLs, then executes msiexec.exe to silently install the malware. Experts noticed that the malicious code employs multiple living-off-the-land techniques (LOLbins) to avoid detection, abusing legitimate Windows binaries (i.e. msiexec.exe, unzip.exe, rundll32.exe, schtasks.exe, and powershell.exe) to perform malicious operations.
Dexphot makes heavy use of polymorphism and encryption to avoid detection, which means that it constantly changes its identifiable features.
Polymorphic techniques involve frequently changing identifiable characteristics like file names and types, encryption keys, and other artifacts.
In this specific case, experts noticed that Dexphot operators attempted to deploy files that changed every 20-30 minutes on thousands of devices.
Dexphot's authors implemented effective persistence mechanisms that allow them to re-infect systems that were not completely cleaned.
The malware uses the process hollowing technique to launch the legitimate processes
The malware also uses scheduled tasks to achieve persistence.
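The living-off-the-land chain and the scheduled-task persistence described above can be hunted for in process-creation telemetry. The following is an added detection example written for this page; it is not code from the article, from Microsoft, or from the Dexphot analysis. It assumes Sysmon Event ID 1 / Windows 4688-style fields (PID, parent PID, image path, command line) already parsed into records, and the sample events, file paths, task name and URL it embeds are constructed placeholders, not indicators from the page.

```python
"""Flag the Dexphot-style LOLBin pattern in process-creation events:
msiexec.exe silently installing a package from a URL, further LOLBins
(rundll32.exe, unzip.exe, powershell.exe, schtasks.exe) descending from that
msiexec, and schtasks.exe registering a task for persistence.
Added example; event fields are assumed Sysmon/4688-style, sample data is constructed."""

import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Binaries named in the article as abused by Dexphot.
LOLBINS = {"msiexec.exe", "unzip.exe", "rundll32.exe", "schtasks.exe", "powershell.exe"}

# msiexec quiet/silent UI switches: /q, /qn, /qb, /qr, /qf, /quiet
SILENT_FLAGS = re.compile(r"(?:^|\s)/q(?:n|b|r|f|uiet)?(?:\s|$)", re.IGNORECASE)
URL_RE = re.compile(r"https?://", re.IGNORECASE)
CREATE_RE = re.compile(r"/create\b", re.IGNORECASE)


@dataclass
class ProcessEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed sample events (placeholder paths/URL, not real indicators).
SAMPLE_EVENTS: List[ProcessEvent] = [
    ProcessEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcessEvent(200, 100, r"C:\Users\u\Downloads\setup.exe", "setup.exe"),
    ProcessEvent(300, 200, r"C:\Windows\System32\msiexec.exe",
                 'msiexec.exe /i "http://example.invalid/pkg.msi" /q'),
    ProcessEvent(400, 300, r"C:\Windows\System32\rundll32.exe",
                 r"rundll32.exe C:\ProgramData\x\lib.dll,Entry"),
    ProcessEvent(500, 400, r"C:\Windows\System32\schtasks.exe",
                 r'schtasks.exe /create /sc minute /mo 30 /tn "Updater" /tr "C:\ProgramData\x\run.bat" /f'),
    # Benign-looking local, interactive (non-silent) install: should not be flagged.
    ProcessEvent(600, 100, r"C:\Windows\System32\msiexec.exe",
                 r"msiexec.exe /i C:\Users\u\Downloads\app.msi"),
]


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestry(e: ProcessEvent, by_pid: Dict[int, ProcessEvent],
             max_depth: int = 8) -> List[ProcessEvent]:
    """Parent chain of `e` (nearest first), bounded to avoid PID-reuse loops."""
    chain: List[ProcessEvent] = []
    cur = by_pid.get(e.ppid)
    while cur is not None and len(chain) < max_depth:
        chain.append(cur)
        cur = by_pid.get(cur.ppid)
    return chain


def detect(events: List[ProcessEvent]) -> List[Tuple[int, str]]:
    """Return (pid, rule_name) findings for the LOLBin chain and persistence."""
    by_pid = {e.pid: e for e in events}
    findings: List[Tuple[int, str]] = []
    for e in events:
        name = basename(e.image)
        # Rule 1: msiexec pulling a package from a URL with a silent switch.
        if name == "msiexec.exe" and URL_RE.search(e.cmdline) and SILENT_FLAGS.search(e.cmdline):
            findings.append((e.pid, "msiexec_silent_remote_install"))
        # Rule 2: scheduled task registration (persistence).
        if name == "schtasks.exe" and CREATE_RE.search(e.cmdline):
            findings.append((e.pid, "schtasks_create"))
        # Rule 3: any LOLBin whose ancestry includes msiexec.exe (install-time chain).
        if name in LOLBINS and any(basename(a.image) == "msiexec.exe" for a in ancestry(e, by_pid)):
            findings.append((e.pid, "lolbin_descends_from_msiexec"))
    return findings


if __name__ == "__main__":
    for pid, rule in detect(SAMPLE_EVENTS):
        print(f"pid={pid} rule={rule}")
```

Rule 3 deliberately walks the full parent chain rather than only the direct parent, because the page describes msiexec launching further LOLBins that in turn spawn others; bounding the walk guards against PID reuse in long-running logs. Local, non-silent msiexec runs (pid 600 in the sample) produce no finding, which keeps ordinary software installs out of the alert stream.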
(SecurityAffairs – malware, miner)