Microsoft reports evolution of Dexphot malware using increased complexity to evade detection

News by Rene Millman

Polymorphic malware installed a coinminer on up to 80,000 systems per day earlier this year, Microsoft researchers say.

Security researchers at Microsoft have detailed in a new report how the Dexphot malware has continually changed in order to avoid being detected.

Beginning in October 2018, researchers detected a large surge in reports, indicating that a large-scale campaign was developing. The malware was observed attempting to deploy files that changed every 20 to 30 minutes on thousands of devices.

Researchers said that Dexphot used a variety of sophisticated methods to evade security solutions. Layers of obfuscation, encryption, and the use of randomised file names hid the installation process. 

"Dexphot then used fileless techniques to run malicious code directly in memory, leaving only a few traces that can be used for forensics. It hijacked legitimate system processes to disguise malicious activity," said researchers.

"If not stopped, Dexphot ultimately ran a cryptocurrency miner on the device, with monitoring services and scheduled tasks triggering re-infection when defenders attempt to remove the malware."

Over the following months, researchers observed the attackers upgrade the malware, target new processes and work around defensive measures.

Researchers detailed Dexphot’s attack chain. During the execution stage, Dexphot writes five key files to disk: an installer with two URLs; an MSI package file downloaded from one of the URLs; a password-protected ZIP archive; a loader DLL, which is extracted from the archive; and an encrypted data file that holds three additional executables that are loaded into system processes via process hollowing.

"Except for the installer, the other processes that run during execution are legitimate system processes. This can make detection and remediation more difficult," said researchers.

They added that the MSI package often contains an obfuscated batch script.

"If the package contains this file, the script is the first thing that msiexec.exe runs when it begins the installation process. The said obfuscated script is designed to check for antivirus products. Dexphot halts the infection process immediately if an antivirus product is found running," said researchers.

The malware also exhibits multiple layers of polymorphism across the binaries it distributes. For example, the MSI packages used in the campaign differ from one another in the files they contain.

"In addition, the contents of each Loader DLL differs from package to package, as does the encrypted data included in the ZIP file. This leads to the generation of a different ZIP archive and, in turn, a unique MSI package, each time the attacker bundles the files together," researchers said.

"Because of these carefully designed layers of polymorphism, a traditional file-based detection approach wouldn’t be effective against Dexphot."
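The layering described above, as an added example in Python (this is not code from Microsoft's report or from the malware itself): a toy bundler that, like the campaign, re-encrypts one fixed payload under a fresh key, regenerates the loader and picks random file names every time it builds an archive. The XOR "encryption", the 16-byte key appended to the loader, the file names and the payload bytes are all constructed stand-ins, and the ZIP is left unencrypted because Python's zipfile cannot write password-protected archives. The point it makes is the one in the quote: a hash of the container changes with every build, so a denylist seeded from one sighting matches only that sighting, while the hash of the payload recovered after unpacking (what a sandbox, or a memory scan of the hollowed process, actually sees) stays constant across all of them.

```python
import hashlib
import io
import os
import zipfile

# Constructed stand-in for the executables carried in the encrypted data file.
# In the real campaign this would be the attacker's binaries; here it is just
# a recognisable byte string.
PAYLOAD = b"MZ" + b"constructed-miner-payload-" * 8

KEY_LEN = 16


def xor(data: bytes, key: bytes) -> bytes:
    """Toy stream 'encryption' standing in for whatever the real loader uses."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_package(payload: bytes) -> bytes:
    """Re-bundle the same payload the way the article describes: fresh key,
    fresh loader bytes, random file names, hence a brand-new archive."""
    key = os.urandom(KEY_LEN)
    # The loader must carry the key to decrypt the data at runtime; this toy
    # loader is random filler with the key appended (an assumption of the demo).
    loader = b"LOADER" + os.urandom(64) + key
    name_dll, name_bin = (os.urandom(6).hex() for _ in range(2))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(name_dll + ".dll", loader)
        z.writestr(name_bin + ".bin", xor(payload, key))
    return buf.getvalue()


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def unpack_payload(package: bytes) -> bytes:
    """What a sandbox or a memory scan of the hollowed process recovers:
    the plaintext payload, after applying the key the loader carries."""
    with zipfile.ZipFile(io.BytesIO(package)) as z:
        by_ext = {name.rsplit(".", 1)[1]: z.read(name) for name in z.namelist()}
    key = by_ext["dll"][-KEY_LEN:]
    return xor(by_ext["bin"], key)


def compare_indicators(n: int = 5):
    """Build n packages from one payload. Returns
    (container-hash hits against a denylist seeded from the first sample,
     number of distinct container hashes,
     set of distinct hashes of the unpacked payload)."""
    packages = [build_package(PAYLOAD) for _ in range(n)]
    container_hashes = [sha256(p) for p in packages]
    denylist = {container_hashes[0]}  # the IoC a feed would publish after one sighting
    hits = sum(h in denylist for h in container_hashes)
    payload_hashes = {sha256(unpack_payload(p)) for p in packages}
    return hits, len(set(container_hashes)), payload_hashes


if __name__ == "__main__":
    hits, distinct, payload_hashes = compare_indicators()
    print(f"container-hash IoC matched {hits} of 5 packages "
          f"({distinct} distinct container hashes)")
    print(f"unpacked-payload hashes: {len(payload_hashes)} distinct")
```

Against a real sample the unpacking step is the hard part (the loader's decryption routine has to be reversed or the process dumped after it runs), but once the payload is recovered its hash, or a signature over it, is an indicator that survives the attacker's re-bundling.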

They added that the malware "exemplifies the level of complexity and rate of evolution of even everyday threats, intent on evading protections and motivated to fly under the radar for the prospect of profit."

Javvad Malik, security awareness advocate at KnowBe4, told SC Media UK that comprehensive detection controls need to be in place throughout the organisation. 

"This should be enforced with reliable and up to date threat intelligence data that can be used to identify indicators of compromise (IoCs) and ideally have an orchestrated response," he said.

Dan Pitman, principal security architect at Alert Logic, told SC Media UK that detection of polymorphic malware and other threats that avoid traditional signature detection relies on a more behavioural analysis-based approach on the endpoint and network. 

"By monitoring for suspicious activity, such as contacting known command and control infrastructure or making requests on the network that are abnormal, the activity of a breach can be detected and the polymorphic malware found. Monitoring the behaviour of the computers themselves helps too: by building a model of the normal behaviour of a system, activities that abnormally use resources can lead threat hunters to the source of infection," he said.
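The behavioural approach Pitman describes, combined with the installation chain Microsoft lays out earlier in the article, as an added example in Python (not code from Microsoft, Alert Logic or the malware): a per-process resource baseline is learned from normal telemetry, and each new sample is checked against that model and against two chain behaviours the article reports, msiexec.exe running a batch script and a scheduled task being registered. All telemetry is constructed: the sample schema, the host name, the file and task names, and the use of svchost.exe as a stand-in for any legitimate system process that the malware hollows. The command-and-control match he also mentions is left out because it needs an infrastructure list the article does not give.

```python
import statistics
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcSample:
    """One endpoint telemetry sample (constructed schema, not a vendor format)."""
    host: str
    image: str       # process image name
    parent: str      # parent process image name
    cmdline: str
    cpu_pct: float   # CPU share over the sampling interval


# Constructed samples of normal activity, used to learn what "usual" looks like
# for each image. svchost.exe stands in for any legitimate system process.
BASELINE = [
    ProcSample("ws01", "svchost.exe", "services.exe", "svchost.exe -k netsvcs", cpu)
    for cpu in (0.5, 1.2, 0.8, 2.0, 1.1, 0.9, 1.5, 0.7)
] + [
    ProcSample("ws01", "msiexec.exe", "services.exe", "msiexec.exe /V", cpu)
    for cpu in (3.0, 4.5, 2.5, 3.8)
]

# Constructed samples modelled on the chain the article describes: msiexec runs a
# batch script, a scheduled task is registered for re-infection, and a hollowed
# system process burns CPU mining. File names and task names are made up.
SUSPECT = [
    ProcSample("ws01", "msiexec.exe", "services.exe", "msiexec.exe /V", 4.0),
    ProcSample("ws01", "cmd.exe", "msiexec.exe", "cmd.exe /c a1b2c3.bat", 0.3),
    ProcSample("ws01", "schtasks.exe", "cmd.exe",
               "schtasks.exe /create /sc minute /mo 30 /tn d4e5f6 /tr d4e5f6.exe", 0.2),
    ProcSample("ws01", "svchost.exe", "services.exe", "svchost.exe -k netsvcs", 87.0),
    ProcSample("ws01", "svchost.exe", "services.exe", "svchost.exe -k netsvcs", 1.0),
]


def build_baseline(samples):
    """Per-image (mean, population stdev) of CPU use; images with a single
    sample are skipped because no spread can be estimated from one point."""
    by_image = defaultdict(list)
    for s in samples:
        by_image[s.image].append(s.cpu_pct)
    return {img: (statistics.mean(v), statistics.pstdev(v))
            for img, v in by_image.items() if len(v) >= 2}


def abnormal_resource_use(sample, baseline, z_threshold=3.0):
    """True when the sample's CPU use is far above what the model expects for
    that image. A process with no baseline yields False: no model, no verdict."""
    if sample.image not in baseline:
        return False
    mean, sd = baseline[sample.image]
    if sd == 0:
        return sample.cpu_pct > mean  # flat baseline: any rise is abnormal
    return (sample.cpu_pct - mean) / sd > z_threshold


def detect(samples, baseline):
    """Return (rule, detail) findings. These are triage leads, not verdicts."""
    findings = []
    for s in samples:
        if s.parent == "msiexec.exe" and ".bat" in s.cmdline.lower():
            findings.append(("msi_runs_batch_script", s.cmdline))
        if s.image == "schtasks.exe" and "/create" in s.cmdline.lower():
            findings.append(("scheduled_task_created", f"parent={s.parent}"))
        if abnormal_resource_use(s, baseline):
            findings.append(("abnormal_resource_use", f"{s.image} cpu={s.cpu_pct}"))
    return findings


if __name__ == "__main__":
    model = build_baseline(BASELINE)
    for rule, detail in detect(SUSPECT, model):
        print(f"{rule:25s} {detail}")
```

Run on the constructed data, the baseline samples produce no findings and the suspect window produces three, one per rule. Each finding names a legitimate image (cmd.exe, schtasks.exe, svchost.exe), which is exactly why the chain and resource rules matter: none of the hashes involved would be on any list, but a system process burning far more CPU than its own history, right after an MSI install spawned a batch script and a task, is the lead a threat hunter follows to the hollowed process.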
