A new type of malware has appeared on the market that has already caused quite a few casualties. The new malware is called Dexphot, and was discovered by Microsoft security researchers. The malware reached its peak in June, when it had infected almost 80,000 computers.
Dexphot has been active since October 2018, writes ZDNet. The malware infects computers and exploits them to mine cryptographic currency. That way, hackers make money. So, Dexphot is a cryptominer, but one that stands out because of its advanced techniques to circumvent security.
For example, Dexphot uses fileless execution, where the malware is not installed as a file on the computer. Instead, the malware only lives in the memory of a computer. As a result, it is better protected against attempts to remove malware.
The malware also uses techniques to return to a system after a user has removed it. If not all parts of the malware are removed, Dexphot will reinstall itself.
Hitchhiking on other malware
Dexphot doesn’t just show up on computers, it takes a ride on other malware. The cryptominer appears on computers that were previously infected with ICLoader. ICLoader is a form of malware that usually comes with software bundles, without the user knowing it. Also, ICLoader often comes along with the illegal downloading of software.
In some cases the hackers behind ICLoader downloaded the Dexphot-installer after an infection, so that an affected system could also be infected with it. This installer is the only thing that appears on the hard disk and that too is only temporary.
Dexphot then uses a technique called ‘living off the land’. Legitimate Windows processes are abused to execute malicious code. Therefore, the malware does not carry out its own processes.
Dexphot reached its peak in June this year with almost 80,000 infected computers. Since then, the number of daily infections has been slowly decreasing. Microsoft argues that it has implemented countermeasures to improve the detection of Dexphot and to stop attacks.