Dexphot Infected Tens of Thousands of Computers
Dexphot was first detected in October 2018 and has since been upgraded so many times that analyzing its code became a challenging task. The malware reappeared in June 2019, when it affected tens of thousands of machines. The attacks subsided within a couple of weeks, after which the malware was seen on fewer than 10,000 computers daily.
According to Microsoft researchers, Dexphot used various sophisticated methods to evade security software, such as layers of obfuscation, encryption, and randomized file names to hide the installation process. The malware also used fileless techniques to run malicious code in memory, which leaves almost no traces for forensic analysis.
Dexphot also hijacked legitimate system processes to disguise malicious activity. If not stopped, the malware ran a cryptocurrency miner on the compromised system, with monitoring services and scheduled tasks triggering re-infection whenever defenders attempted to remove the malware, Microsoft said.
Because the malware displayed sophisticated behavior, persistence, polymorphism and fileless techniques, the only way to catch it was behavior-based detection.
The early stages of the Dexphot malware infection consisted of the following:
An installer with two URLs
An MSI package file downloaded from one of the URLs
A password-protected ZIP archive
A loader DLL, which is extracted from the archive
An encrypted data file that holds three additional executables that are loaded into system processes via process hollowing
The malware used multiple layers of polymorphism in the binaries it distributed. Some of the files deployed by Dexphot would change every 20 or 30 minutes, making it difficult to track its activity. Delivered as an MSI executable, the package contained a variety of files that differed from one infection to another.
"The MSI packages generally include a clean version of unzip.exe, a password-protected ZIP file, and a batch file that checks for currently installed antivirus products. However, the batch file is not always present, and the names of the ZIP files and Loader DLLs, as well as the password for extracting the ZIP file, all change from one package to the next," Microsoft said.
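The following is an added example, not code from the article or from Microsoft's analysis. It shows why the infection chain listed above (installer, MSI package, password-protected ZIP, loader DLL, process hollowing, scheduled task for re-infection) defeats hash-based matching once names, passwords and hashes change per package, and what the behavior-based detection the article says was needed can look like. All process events, paths, names and hashes are constructed; the rules key on parent/child relationships, an in-memory image that does not match the on-disk file (a hollowing indicator), and a scheduled task whose action points into a user-writable directory.

```python
# Added example (not Microsoft's or the article's code): signature check vs. behavior rules
# over constructed process-creation events modelled on the Dexphot chain described above.
import hashlib
import ntpath
import random
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

@dataclass
class ProcEvent:
    ts: int                             # constructed timestamp (seconds)
    pid: int
    ppid: int
    image: str                          # on-disk path the sensor logged for the executable
    cmdline: str
    sha256: str                         # hash of the on-disk file
    mapped_image: Optional[str] = None  # main image mapped in memory; None means same as on-disk

TEMP = r"C:\Users\victim\AppData\Local\Temp"   # constructed user-writable directory
SYSTEM32 = r"c:\windows\system32"

def fake_hash(seed: str) -> str:
    """Stand-in for a file hash; a polymorphic build gets a new seed, hence a new hash."""
    return hashlib.sha256(seed.encode()).hexdigest()

def build_infection(run_id: int, base_pid: int, t0: int) -> List[ProcEvent]:
    """Constructed events for one infection; run_id seeds the per-package randomized names."""
    rnd = random.Random(run_id)
    zipname = f"{rnd.randrange(10**6):06d}.zip"   # archive name changes per package
    dllname = f"{rnd.randrange(10**6):06d}.dll"   # loader DLL name changes per package
    password = f"{rnd.randrange(10**8):08d}"      # ZIP password changes per package
    task = f"{rnd.randrange(10**6):06d}"
    loader = ntpath.join(TEMP, f"ld{run_id}.exe")
    p = base_pid
    return [
        ProcEvent(t0, p, 900, r"C:\Windows\System32\msiexec.exe",
                  "msiexec.exe /i package.msi /q", fake_hash("msiexec")),
        ProcEvent(t0 + 2, p + 1, p, ntpath.join(TEMP, "unzip.exe"),
                  f"unzip.exe -P {password} {zipname}", fake_hash("unzip-clean")),  # clean unzip
        ProcEvent(t0 + 5, p + 2, p + 1, loader,
                  f"ld{run_id}.exe {dllname}", fake_hash(f"loader-{run_id}")),      # polymorphic
        ProcEvent(t0 + 8, p + 3, p + 2, r"C:\Windows\System32\svchost.exe",
                  "svchost.exe -k netsvcs", fake_hash("svchost"),
                  mapped_image=ntpath.join(TEMP, dllname)),   # hollowed: memory image != disk
        ProcEvent(t0 + 9, p + 4, p + 3, r"C:\Windows\System32\schtasks.exe",
                  f"schtasks.exe /create /tn {task} /tr {loader} /sc minute", fake_hash("schtasks")),
    ]

def benign_events() -> List[ProcEvent]:
    """Constructed look-alike activity that the rules must not flag."""
    return [
        ProcEvent(50, 700, 600, r"C:\Windows\System32\services.exe", "services.exe", fake_hash("services")),
        ProcEvent(51, 701, 700, r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs", fake_hash("svchost")),
        ProcEvent(52, 702, 600, r"C:\Windows\System32\msiexec.exe", "msiexec.exe /i app.msi", fake_hash("msiexec")),
        ProcEvent(53, 703, 600, r"C:\Windows\System32\schtasks.exe",
                  r"schtasks.exe /create /tn Backup /tr C:\Tools\backup.exe /sc daily", fake_hash("schtasks")),
    ]

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def user_writable(path: str) -> bool:
    return path.lower().startswith(r"c:\users")

def hash_blocklist_hits(events: List[ProcEvent], blocklist: Set[str]) -> List[int]:
    """Signature-style check: pids whose on-disk hash is on the blocklist."""
    return [e.pid for e in events if e.sha256 in blocklist]

TR_ARG = re.compile(r"/tr\s+(\S+)", re.IGNORECASE)

def behavioral_hits(events: List[ProcEvent]) -> List[Tuple[str, int]]:
    """Rules keyed on relationships and process state rather than on names or hashes."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    hits: List[Tuple[str, int]] = []
    for e in events:
        parent = by_pid.get(e.ppid)
        name = basename(e.image)
        pname = basename(parent.image) if parent else ""
        # R1: MSI engine spawning an archive extractor that lives in a user-writable path
        if pname == "msiexec.exe" and name == "unzip.exe" and user_writable(e.image):
            hits.append(("msi_spawns_extractor", e.pid))
        # R2: system binary whose mapped main image is not its on-disk file (hollowing indicator)
        if (e.mapped_image and e.image.lower().startswith(SYSTEM32)
                and e.mapped_image.lower() != e.image.lower()):
            hits.append(("image_path_mismatch", e.pid))
        # R3: scheduled task creation whose action points into a user-writable directory
        if name == "schtasks.exe" and "/create" in e.cmdline.lower():
            m = TR_ARG.search(e.cmdline)
            if m and user_writable(m.group(1)):
                hits.append(("task_runs_user_writable_exe", e.pid))
    return hits

def compare(run_a: List[ProcEvent], run_b: List[ProcEvent], noise: List[ProcEvent]) -> dict:
    """Blocklist learned from run A's loader hash vs. behavior rules, both applied to run B."""
    learned = {run_a[2].sha256}
    return {
        "hash_hits_on_b": hash_blocklist_hits(run_b + noise, learned),
        "behavior_hits_on_b": behavioral_hits(run_b + noise),
        "behavior_hits_on_noise": behavioral_hits(noise),
    }

if __name__ == "__main__":
    a, b = build_infection(1, 1000, 100), build_infection(2, 2000, 200)
    print(compare(a, b, benign_events()))
```

Run as a script, the hash blocklist learned from the first package catches nothing in the second because only the loader's hash was learned and that hash changed, while the three behavior rules fire on the second package and stay silent on the benign events. A real sensor would feed the same rules from process-creation and image-load telemetry rather than from constructed records.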
Did you know? Polymorphic malware changes its virus signature every time it replicates itself and infects the next file, and so evades detection by signature-based AV software. In 2016, Webroot researchers analyzed more than 27 billion URLs, 600 million domains, 4 billion IP addresses, 20 mobile applications, 10 million connected sensors, and at least 9 million file behavior records. In 97% of the infection cases, the malware was identified as polymorphic, or unique to the system.