Microsoft has managed to significantly reduce the number of Windows PCs infected by a stealth cryptomining program after the malware infected more than 80,000 devices.
Dexphot uses the host computer to mine cryptocurrency for the hackers’ financial gain. It uses a highly complex attack vector and has managed to evade detection and removal by many antivirus programs.
It is polymorphic, heavily encrypted, and uses fileless techniques to hide itself on infected machines.
The initial infection is spread across five system files: msiexec.exe, rundll32.exe, unzip.exe, schtasks.exe, and powershell.exe.
All of these are legitimate processes used by Windows, so users cannot distinguish the malware’s activity from their everyday computer use. The malware therefore remains undetected and slowly establishes persistence on the machine through several installations and downloads. The user will notice its activity only once the malware starts mining cryptocurrency.
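As an added illustration (not code from the article or from Microsoft), the following Python check walks constructed process-creation records and flags any process lineage that chains three or more of the five binaries named above, plus any schtasks /create whose task action launches rundll32.exe or powershell.exe. The flat log format, the sample values and the scheduled-task rule are assumptions made for this example.

```python
from typing import Dict, List, Tuple

# The five legitimate executables the article says Dexphot abuses.
DEXPHOT_LOLBINS = {"msiexec.exe", "rundll32.exe", "unzip.exe",
                   "schtasks.exe", "powershell.exe"}

# Constructed process-creation records (hypothetical flat format, not a real
# Sysmon or Defender export): pid | parent pid | image name | command line
SAMPLE_LOG = """\
100|4|explorer.exe|explorer.exe
200|100|msiexec.exe|msiexec.exe /i C:\\Users\\u\\AppData\\Local\\Temp\\pkg.msi /q
201|200|unzip.exe|unzip.exe C:\\Users\\u\\AppData\\Local\\Temp\\a.zip -d C:\\ProgramData\\x
202|200|rundll32.exe|rundll32.exe C:\\ProgramData\\x\\lib.dll,Entry
203|202|schtasks.exe|schtasks.exe /create /sc minute /mo 20 /tn Upd /tr "rundll32.exe C:\\ProgramData\\x\\lib.dll,Entry"
300|100|powershell.exe|powershell.exe -NoProfile Get-Process
301|100|msiexec.exe|msiexec.exe /i C:\\Users\\u\\Downloads\\office.msi
"""


def parse_events(text: str) -> Dict[int, dict]:
    """Parse the flat log into a pid-keyed dict of process records."""
    events = {}
    for line in text.strip().splitlines():
        pid, ppid, image, cmd = line.split("|", 3)
        events[int(pid)] = {"ppid": int(ppid), "image": image.lower(), "cmd": cmd}
    return events


def lineage(events: Dict[int, dict], pid: int) -> List[str]:
    """Image names from the given process up to the root (stops at unknown pids)."""
    chain = []
    while pid in events:
        chain.append(events[pid]["image"])
        pid = events[pid]["ppid"]
    return chain


def find_suspicious(events: Dict[int, dict], min_lolbins: int = 3) -> List[Tuple[int, str, str]]:
    """Return (pid, rule, detail) findings for Dexphot-style LOLBin chains and task persistence."""
    findings = []
    for pid, ev in events.items():
        chain = lineage(events, pid)
        # Rule 1: three or more distinct abused binaries in one ancestry line.
        if len(set(chain) & DEXPHOT_LOLBINS) >= min_lolbins:
            findings.append((pid, "lolbin-chain", " <- ".join(chain)))
        # Rule 2: a scheduled task whose action (/tr ...) runs rundll32 or powershell.
        cmd = ev["cmd"].lower()
        if ev["image"] == "schtasks.exe" and "/create" in cmd and "/tr" in cmd:
            action = cmd.split("/tr", 1)[1]
            if any(b in action for b in ("rundll32.exe", "powershell.exe")):
                findings.append((pid, "task-persistence", ev["cmd"]))
    return findings
```

Only the schtasks process (pid 203) is flagged in the sample: its ancestry chains schtasks, rundll32 and msiexec, and its task action re-launches rundll32, whereas the lone msiexec and powershell runs under explorer are left alone.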
Although the origins of this cryptojacker are unknown, Microsoft stated that the activity was first detected in October 2018. The threat was unlike anything else in circulation at the time, capable of covering its tracks by changing files every 20 minutes or so. The peak of Dexphot’s activity was in June 2019.
Microsoft contained Dexphot infections by deploying its cloud-based email filtering service, Advanced Threat Protection, which proved effective in the long run.
Perhaps more importantly, the campaign alerted researchers and revealed ways of future-proofing antivirus software.