Dexphot Coinminer Uses Advanced Techniques to Stay Ahead of AV Solutions

Delaware, USA – November 27, 2019 – At the peak of its activity, the polymorphic Dexphot malware was observed on about 80,000 systems. The Microsoft Defender ATP Research Team tracked the threat for more than a year and noted that it uses advanced techniques more commonly seen in APT operations. Dexphot is delivered to systems previously infected with the ICLoader malware, which is often bundled with software packages or pirated programs. Researchers note that the ICLoader operators do not install the coinminer on every infected system; the rest of the group's arsenal remained outside the scope of the Microsoft team's report.

Dexphot is completely fileless, so conventional antimalware solutions have trouble finding it. The coinminer relies on the Living off the Land technique, abusing legitimate processes to run malicious code inside the infected system's memory. Researchers found that it misuses rundll32.exe, msiexec.exe, powershell.exe, unzip.exe, schtasks.exe, and others. The malware authors also built in polymorphism: the URLs and file names used in the infection process change 2-3 times per hour. They also equipped it with multi-layered persistence mechanisms to reinfect machines if it is detected. Dexphot uses process hollowing to run malicious code from within legitimate Windows processes, which then monitor the coinminer components and reinstall them if they are deleted or stopped. The attackers additionally use multiple scheduled tasks to reinfect the system on each reboot and at set time intervals, which lets them regularly install an updated version of the malware. Scheduled task names are changed regularly to avoid detection.
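Two of the behaviours described above, LOLBin abuse and rotating scheduled-task names, are visible in ordinary process-creation and task-registration telemetry. The script below is an added detection example written for this article; it is not code from the Microsoft report or from any product. It runs over constructed sample events (not real telemetry), and the LOLBin list, the expected-parent baseline, the user-writable path fragments and the 24-hour / three-names thresholds are all assumptions that should be tuned to the environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Living-off-the-land binaries named in the report. The set is an assumption
# for this example and should be extended per environment.
LOLBINS = {"rundll32.exe", "msiexec.exe", "powershell.exe", "unzip.exe", "schtasks.exe"}

# Parents that routinely launch the binaries above in normal use (assumed baseline).
EXPECTED_PARENTS = {"explorer.exe", "services.exe", "svchost.exe", "cmd.exe"}

# User-writable locations a fileless loader commonly stages payloads from (assumption).
SUSPICIOUS_PATH_FRAGMENTS = ("\\appdata\\", "\\temp\\", "\\programdata\\")


def flag_lolbin_launches(events):
    """Return one alert per process-creation event that runs a LOLBin either
    from a parent outside the baseline or with a command line that points
    into a user-writable directory."""
    alerts = []
    for e in events:
        child = e["image"].lower()
        if child not in LOLBINS:
            continue
        parent = e["parent_image"].lower()
        cmd = e["command_line"].lower()
        reasons = []
        if parent not in EXPECTED_PARENTS:
            reasons.append(f"unexpected parent {parent}")
        if any(frag in cmd for frag in SUSPICIOUS_PATH_FRAGMENTS):
            reasons.append("payload path in user-writable directory")
        if reasons:
            alerts.append({"pid": e["pid"], "image": child, "reasons": reasons})
    return alerts


def flag_task_name_rotation(task_events, window=timedelta(hours=24), min_names=3):
    """Group scheduled-task registrations by the program they execute and alert
    when at least `min_names` distinct task names were registered for the same
    program inside `window`. Renaming tasks while keeping the same action is
    the pattern the report attributes to Dexphot."""
    by_action = defaultdict(list)
    for t in task_events:
        by_action[t["action"].lower()].append(t)
    alerts = []
    for action, regs in by_action.items():
        regs.sort(key=lambda r: r["time"])
        start = 0
        for end in range(len(regs)):
            # shrink the window from the left until it spans at most `window`
            while regs[end]["time"] - regs[start]["time"] > window:
                start += 1
            names = {r["task_name"] for r in regs[start:end + 1]}
            if len(names) >= min_names:
                alerts.append({"action": action, "task_names": sorted(names)})
                break
    return alerts


# --- Constructed sample telemetry (illustrative, not captured from a real host) ---
T0 = datetime(2019, 11, 27, 8, 0, 0)

SAMPLE_PROCESS_EVENTS = [
    {"pid": 101, "parent_image": "explorer.exe", "image": "powershell.exe",
     "command_line": r"powershell.exe -File C:\Users\alice\Documents\build.ps1"},
    {"pid": 102, "parent_image": "msiexec.exe", "image": "rundll32.exe",
     "command_line": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\stage.dll,Start"},
    {"pid": 103, "parent_image": "services.exe", "image": "svchost.exe",
     "command_line": "svchost.exe -k netsvcs"},
    {"pid": 104, "parent_image": "svchost.exe", "image": "schtasks.exe",
     "command_line": r"schtasks.exe /create /tn Sys_3 /tr C:\Users\alice\AppData\Roaming\loader.exe"},
]

SAMPLE_TASK_EVENTS = [
    {"time": T0, "task_name": "Updater", "action": r"C:\Program Files\Vendor\update.exe"},
    {"time": T0 + timedelta(hours=1), "task_name": "Sys_1", "action": r"C:\Users\alice\AppData\Roaming\loader.exe"},
    {"time": T0 + timedelta(hours=5), "task_name": "Sys_2", "action": r"C:\Users\alice\AppData\Roaming\loader.exe"},
    {"time": T0 + timedelta(hours=9), "task_name": "Sys_3", "action": r"C:\Users\alice\AppData\Roaming\loader.exe"},
]


def run_detections(process_events=SAMPLE_PROCESS_EVENTS, task_events=SAMPLE_TASK_EVENTS):
    """Run both heuristics and return (process_alerts, task_alerts)."""
    return flag_lolbin_launches(process_events), flag_task_name_rotation(task_events)


if __name__ == "__main__":
    proc_alerts, task_alerts = run_detections()
    for a in proc_alerts:
        print(f"process {a['pid']} ({a['image']}): {'; '.join(a['reasons'])}")
    for a in task_alerts:
        print(f"task name rotation for {a['action']}: {a['task_names']}")
```

On the sample data the first heuristic flags the rundll32.exe launched by msiexec.exe and the schtasks.exe registration pointing into AppData, while the build script started from Explorer passes; the second flags the loader that was registered under three different task names within nine hours and ignores the single vendor updater. In production both rules need a per-environment baseline, since software installers and management agents legitimately chain some of these binaries.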

It is unusual to see such a set of techniques in a relatively low-impact coinminer, but even sophisticated state-sponsored groups sometimes use cryptocurrency miners as their final payload.