This week, Microsoft has reported on a ‘new’ malware threat named Dexphot. It is not exactly new, as Microsoft first detected the threat in October 2018, but an announcement has now been made after a year of tracking the threat.
Dexphot is one of a breed of polymorphic malware variants that often evade detection by security solutions. In the case of Dexphot, a variety of methods are used to fool security solutions; notably, Dexphot changes the files it deploys very frequently, around every 20-30 minutes, which has hampered efforts to track its activity.
Other methods used to fool AV solutions include code obfuscation, encryption, and deployment of malicious code in memory. These techniques have allowed the malware to be installed without being detected by signature-based AV solutions. Microsoft reports that around 80,000 devices have been infected so far, with infections peaking mid-summer.
The malware is deployed as an MSI executable which is downloaded by files inside a zip file. The zip file includes a password-protected archive – the password changes for each victim – and a batch file. The batch file checks the antivirus solution present on the device.
Analysis of infected devices showed that the installed files varied from device to device and the payload changes using scheduled tasks. Each component similarly changes name every 90 minutes or so when the machine is running, and different names are generated for each task that is run.
The infection process involves writing five files to the disk: an installer that uses two URLs, the MSI package that is downloaded from one of those URLs, the password-protected zip file, a loader DLL that is extracted from the archive, and an encrypted data file, which includes three additional executables that run in memory.
The malware hijacks legitimate Windows processes to hide its malicious activities and was ultimately used to run cryptocurrency miners. Two separate monitoring processes check that the three processes are still running. If any one of those processes is detected and stopped, the malware terminates the other two and schedules tasks to re-infect the device, again with different files to prevent further detection.
Over the period of tracking, the malware authors performed several upgrades to get around defensive measures and started targeting different processes and changed the pattern for scheduled tasks.
The malware uses process hollowing, which involves replacing the legitimate processes with its malicious code. Only the installer is not a legitimate system process. Since the processes that run during execution are legitimate system processes, they are difficult to detect as malicious. The initial installer must therefore be detected, and since the files keep changing, this can be a major challenge.
The malicious actions may not be as serious as those of other malware threats, as it is only being used to mine cryptocurrency, but the sophistication of the malware and the high level of obfuscation are a cause for concern. These techniques are becoming far more common and show why next-generation behavior-based detection methods are now required, rather than signature-based AV solutions. “behavior-based detection was a critical component of the comprehensive protection against this malware and other threats that exhibit similar malicious behaviors,” notes Microsoft.
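As an illustration of the behavior-based approach the article argues for, the following added example (not code from Microsoft's report) flags hosts that register many differently named scheduled tasks at a near-regular cadence, the rename-and-reschedule pattern described above. The log format and the sample events are constructed; the thresholds are assumptions to be tuned per environment.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample events: "<ISO timestamp> <host> TaskRegistered <task name>".
# Real data would come from Task Scheduler operational logs or EDR telemetry.
SAMPLE_LOG = """\
2019-11-26T08:00:00 WS-01 TaskRegistered qzx9k2
2019-11-26T09:31:00 WS-01 TaskRegistered m4v8tr
2019-11-26T11:02:00 WS-01 TaskRegistered p0lq7w
2019-11-26T12:30:00 WS-01 TaskRegistered 7bnd3s
2019-11-26T14:01:00 WS-01 TaskRegistered x2cf8h
2019-11-26T08:05:00 WS-02 TaskRegistered Backup Nightly
2019-11-26T17:45:00 WS-02 TaskRegistered Backup Nightly
"""

def parse_events(text):
    """Parse log lines into (timestamp, host, task_name) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split(" ", 3)
        if len(parts) == 4 and parts[2] == "TaskRegistered":
            events.append((datetime.fromisoformat(parts[0]), parts[1], parts[3]))
    return events

def find_churn(events, min_tasks=4, tolerance_min=15):
    """Return hosts that register many distinct task names at a steady interval.

    A host is flagged when at least `min_tasks` distinct task names appear and the
    gaps between successive registrations vary by no more than `tolerance_min`
    minutes (assumed thresholds), i.e. a near-periodic rename-and-reschedule loop.
    """
    by_host = defaultdict(list)
    for ts, host, name in events:
        by_host[host].append((ts, name))
    flagged = {}
    for host, items in by_host.items():
        items.sort()
        names = {name for _, name in items}
        if len(names) < min_tasks:
            continue
        gaps = [(b[0] - a[0]).total_seconds() / 60 for a, b in zip(items, items[1:])]
        if max(gaps) - min(gaps) <= tolerance_min:
            flagged[host] = {"distinct_tasks": len(names), "median_interval_min": median(gaps)}
    return flagged

if __name__ == "__main__":
    for host, info in find_churn(parse_events(SAMPLE_LOG)).items():
        print(f"{host}: {info['distinct_tasks']} tasks, ~{info['median_interval_min']:.0f} min cadence")
```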