Microsoft issued a warning against new malware named Dexphot — a crypto mining software that has infected over 80,000 devices, according to estimates.

Security researchers from Microsoft issued a new warning about another crypto-mining malware known as Dexphot. While the malware was just revealed, it has actually been active for over a year, infecting computers around the world and using them and their resources for crypto mining.

Researchers believe that the malware peaked earlier this year, in June, when it managed to infect over 80,000 devices, in total. From that point on, the number of infections started to drop due to Microsoft’s efforts.

Malware Details

One interesting detail about the malware is that it uses extremely complex methods to perform a relatively mundane task of mining crypto. Its purpose was not to gain attention from the media, steal data, hijack the device and demand money, or something like that. Instead, it is one of the campaigns that could become active at any time, silently infecting a device, and using its resources for crypto mining.

Advertisement
Continue reading below

While there is plenty of other malware that do the same, none of them are as complex as Dexphot. It acts as a second-stage payload, which is a kind of malicious software that gets installed on the device that is already infected by some other malware.

Another interesting detail is that Dexphot uses a lifeless execution, meaning that it runs in memory only and that it is invisible to most antivirus solutions that are signature-based. It also uses a technique called LOLbins, which uses Windows processes to execute its code.

Polymorphism

On top of that, it also uses another technique known as polymorphism, which continuously changes its artifacts. This means that its operators change URLs and file names every 20 or 30 minutes. This makes it incredibly difficult to detect any patterns and identify the threat.

Even if it was detected, it had mechanisms that would ensure its persistence by re-infecting the systems that were not completely cleaned. It uses a technique known as process hollowing, and it works as a failsafe, which allowed it to return even after it was detected and removed. Also, each time it re-infected the device, it would return modified and with updated instructions.

What do you think about this incredibly complicated malware? Do you expect malware in the future to be just as complex, or more? Let us know your thoughts in the comments below.


Images are courtesy of Shutterstock, Twitter, Pixabay.