Microsoft experts have described the Dexphot malware, which has been attacking Windows machines since the fall of 2018. Its activity peaked in June 2019, when more than 80,000 systems had become victims of the botnet. Now, experts say, Dexphot's activity is declining, in part thanks to the countermeasures they have taken.
The main goal of Dexphot has always been mining cryptocurrency and enriching its operators. But despite the malware's rather mundane goals, researchers note that its authors used sophisticated techniques, and the malware itself was far from simple. Many of the techniques used by its authors are more likely to be found when studying the work of "government hackers" than in just another miner.
Dexphot was a second-stage payload: it infected computers already compromised by the ICLoader malware, which arrived bundled with various software packages or when users downloaded and installed cracked or pirated software.
Interestingly, the Dexphot installer was the only part of the malware that was written to disk, and only for a short period of time. For its other files and operations, Dexphot used a fileless approach, running everything in the computer's memory alone, which made the malware's presence on the system invisible to classical antivirus solutions that rely on signatures.
Dexphot also used the LOLbins (living off the land binaries) technique, abusing legitimate Windows processes to execute malicious code rather than launching its own executable files and processes. For example, according to Microsoft, the malware regularly abused msiexec.exe, unzip.exe, rundll32.exe, schtasks.exe and powershell.exe. By running malicious code through these processes, Dexphot effectively became indistinguishable from other local applications that also use these utilities to do their job.
In addition, Dexphot used a technique called polymorphism: Dexphot operators changed the file names and URLs used in the infection process every 20-30 minutes. By the time antivirus solutions detected a pattern in the Dexphot infection chain, it had already changed, allowing Dexphot to stay one step ahead.
Since no malware goes unnoticed forever, Dexphot's developers also built a persistence mechanism. The malware used a technique called process hollowing: it launched two legitimate processes (svchost.exe and nslookup.exe), hollowed out their contents and ran malicious code under their guise. These components, disguised as legitimate Windows processes, made sure that all parts of the malware were up and running and reinstalled the malware if necessary.
Additionally, Dexphot used a series of scheduled tasks (regularly changing their names) so that the victim was filelessly re-infected after each system reboot and every 90 or 110 minutes. This functionality also made it possible to regularly update the malware on all infected hosts: every time one of the tasks ran, the file was downloaded from the attackers' server, where they could modify it at will.
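The three behaviours described above (LOLbin chaining, process hollowing of svchost.exe and nslookup.exe, and short-interval scheduled tasks) all leave traces in process-creation telemetry that a defender can hunt for. The following detection logic is an added example written for this article; it is not Microsoft's code or part of their report. It works over constructed, Sysmon-style process-creation records (image, parent image, command line) and assumes that on a healthy system svchost.exe is started by services.exe and nslookup.exe by an interactive shell or explorer.exe; the 120-minute task threshold is also an assumption chosen to catch the 90- and 110-minute intervals the article mentions.

```python
"""Constructed hunting logic for the Dexphot tradecraft described in the article:
LOLbin-to-LOLbin process chains, hollowing of svchost.exe / nslookup.exe, and
frequently recurring scheduled tasks. All event records below are constructed
samples for illustration, not real telemetry."""
import re
from dataclasses import dataclass

# Legitimate Windows binaries the article says Dexphot abused (LOLbins).
LOLBINS = {"msiexec.exe", "unzip.exe", "rundll32.exe", "schtasks.exe", "powershell.exe"}

# Assumption: expected parents for the two processes Dexphot hollowed out.
# services.exe is the normal parent of svchost.exe; nslookup.exe is normally
# launched interactively from a shell or explorer.exe.
EXPECTED_PARENTS = {
    "svchost.exe": {"services.exe"},
    "nslookup.exe": {"cmd.exe", "powershell.exe", "explorer.exe"},
}


@dataclass
class ProcEvent:
    image: str    # lowercased file name of the created process
    parent: str   # lowercased file name of the parent process
    cmdline: str  # full command line


def hollowing_candidates(events):
    """svchost.exe / nslookup.exe started by an unexpected parent: a hollowed
    copy launched from the malware's chain rather than by the OS."""
    return [e for e in events
            if e.image in EXPECTED_PARENTS and e.parent not in EXPECTED_PARENTS[e.image]]


def lolbin_chains(events):
    """A LOLbin spawned by another LOLbin (e.g. msiexec.exe -> rundll32.exe),
    the chaining pattern the article describes for Dexphot's loader."""
    return [e for e in events if e.image in LOLBINS and e.parent in LOLBINS]


# Matches the schtasks.exe MINUTE schedule, e.g. "/sc minute /mo 90".
_SCHTASKS_MINUTE = re.compile(r"/sc\s+minute\s+/mo\s+(\d+)", re.I)


def short_interval_tasks(events, max_minutes=120):
    """schtasks.exe /create with a MINUTE schedule of at most max_minutes.
    Returns (command line, interval in minutes) pairs."""
    hits = []
    for e in events:
        if e.image != "schtasks.exe" or "/create" not in e.cmdline.lower():
            continue
        m = _SCHTASKS_MINUTE.search(e.cmdline)
        if m and int(m.group(1)) <= max_minutes:
            hits.append((e.cmdline, int(m.group(1))))
    return hits


def summarize(events):
    """Run all three hunts and return the number of hits per category."""
    return {
        "hollowing": len(hollowing_candidates(events)),
        "lolbin_chain": len(lolbin_chains(events)),
        "short_task": len(short_interval_tasks(events)),
    }


# Constructed sample events: two benign, the rest modelled on the article.
SAMPLE_EVENTS = [
    ProcEvent("svchost.exe", "services.exe", "svchost.exe -k netsvcs"),            # benign
    ProcEvent("svchost.exe", "rundll32.exe", "svchost.exe"),                        # hollowing candidate
    ProcEvent("nslookup.exe", "svchost.exe", "nslookup.exe"),                       # hollowing candidate
    ProcEvent("rundll32.exe", "msiexec.exe", "rundll32.exe C:\\temp\\x.dll,Run"),  # LOLbin chain
    ProcEvent("powershell.exe", "explorer.exe", "powershell.exe Get-Date"),         # benign
    ProcEvent("schtasks.exe", "powershell.exe",                                     # chain + short task
              "schtasks.exe /create /tn Upd /tr C:\\temp\\a.exe /sc minute /mo 90"),
    ProcEvent("schtasks.exe", "cmd.exe",                                            # benign daily task
              "schtasks.exe /create /tn Backup /tr backup.exe /sc daily /st 02:00"),
]

if __name__ == "__main__":
    for name, count in summarize(SAMPLE_EVENTS).items():
        print(f"{name}: {count} hit(s)")
    for cmd, minutes in short_interval_tasks(SAMPLE_EVENTS):
        print(f"  task every {minutes} min: {cmd}")
```

The point of scoring these three signals separately is that each one alone is noisy (administrators do create minute-interval tasks, and installers do chain msiexec.exe into rundll32.exe), but a host that raises all three within a short window matches the Dexphot chain closely enough to justify pulling the in-memory image of the suspicious svchost.exe or nslookup.exe for analysis.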