Microsoft Reports on Polymorphic Malware Dexphot That Affected 80,000 Windows Systems

Microsoft Reports on Polymorphic Malware Dexphot That Affected 80,000 Windows SystemsFor over a year, Microsoft has been monitoring a malware strain they named “Dexphot” that has been infecting Windows devices since October 2018.  The malware used computer resources to mine cryptocurrency and profit from the attack. It reached its peak in June 2019, infecting almost 80,000 computers before gradually decreasing over the next months because of Microsoft’s intervention.

What makes Dexphot notable?

Despite the typical malware payload, Microsoft claimed that monitoring the Dexphot gave them insight into not only on how the malware worked but also the techniques that cybercriminals currently use.

This was largely because of the way Dexphot behaved over the course of last year, as noted by Microsoft. The simple payload was delivered through complex techniques that were constantly updated by the malicious actors behind the malware strain.

Microsoft found that the Dexphot malware strain was dropped by another malware known as ICLoader, which is unknowingly installed on a user’s system as part of software bundles. Dexphot was found downloaded and installed in Windows systems that were infected by ICLoader.

Dexphot used legitimate system processes for its malicious activities. It used legitimate Windows apps such as msiexec.exe, unzip.exe, rundll32.exe, schtasks.exe, and powershell.exe to decrypt its data files. Using such tools allows Dexphot to evade detection, as the system would consider its activities as normal processes.

In addition, the decrypted files contained three executable files which are never written on filesystem. They remain on memory. This means Dexphot also used fileless techniques.

Dexphot instead laces the first two executable files into other legitimate system processes like svchost.exe or nslookup.exe. These are monitoring services that maintain Dexphot components. Finally, it replaces setup.exe contents with its third executable, a cryptocurrency miner.

Microsoft saw that Dexphot switched miners throughout their monitoring, using both programs like XMRig and JCE.

Defending against similar techniques

Microsoft noted that Dexphot was a malware strain that was not likely to garner much attention for its common payload. However, it does paint a good picture of the techniques that had been pervasive throughout this year, namely living off the land and fileless techniques.

Trend Micro’s most recent security roundup reported that threat actors have been increasingly living off the land. In fact, detections for fileless threats was 18% higher during the first half of 2019 compared to the total count for 2018.

[Read: Risks Under the Radar: Understanding Fileless Threats]

Remaining vigilant and wary of similar cases as Dexphot can help in defending against fileless threats moving forward. Organizations would need to consider solutions like behavioral indicators and traffic monitoring to defend against the unique challenges that fileless threats present.

Trend Micro Solutions

Trend Micro's Smart Protection Suites deliver several capabilities like high-fidelity machine learning and web reputation services that minimize the impact of persistent, fileless threats. Trend Micro Apex One™ protection employs a variety of threat detection capabilities, notably behavioral analysis that protects against malicious scripts, injection, ransomware, memory and browser attacks related to fileless threats. Additionally, the Apex One Endpoint Sensor provides context-aware endpoint investigation and response (EDR) that monitors events and quickly examines what processes or events are triggering malicious activity. The Trend Micro Deep Discovery solution has a layer for email inspection that can protect enterprises by detecting malicious attachments and URLs. Deep Discovery can detect remote scripts even if it is not being downloaded in the physical endpoint.

Indicators of Compromise (IoCs):

SHA1 Detection name
2aa208b8a5b1ed580574247a37d63fb1640aa6de Trojan.Win32.DEXPHOT.A
2ad86ead803d78301854c48aae8df966155d5e5a Trojan.Win32.DEXPHOT.A
7cd6c49c632f6bee2be88ab370dfe577d762da74 Trojan.Win32.DEXPHOT.A
ebd567008475d5c4810d5f05b5060257113943a2 Trojan.Win32.DEXPHOT.A
fcb795307ecfb7303d6706f09c25f9e3c85dab77 Trojan.Win32.DEXPHOT.A

Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.