Microsoft Corporation yesterday revealed its discovery of a polymorphic malware that uses fileless techniques to execute a cryptomining program on victimized machines.
Dubbed Dexphot, the malware was first observed in October 2018 when Microsoft detected a campaign that "attempted to deploy files that changed every 20 to 30 minutes on thousands of devices," according to a blog post published yesterday by the Microsoft Defender ATP Research Team. At one point, on June 18, Microsoft saw reports of Dexphot-related malicious behavior in close to 80,000 machines, though that number dropped to under 10,000 by July 19.
Dexphot sports a complex attack chain that relies largely on legitimate processes (aka living off the land) to ultimately execute the payload. According to Microsoft, the process chain involves five files: an installer with two URLs, an MSI package file, a password-protected ZIP archive, a loader DLL, and an encrypted data file with three executables. These executables are loaded via process hollowing, a fileless technique that involves replacing the contents of a legitimate system process with malicious code.
According to Microsoft, Dexphot typically uses SoftwareBundler:Win32/ICLoader and its variants as an early-stage loader to drop and run the Dexphot installer. Additionally, the malware abuses msiexec.exe to install the MSI package file; unzip.exe to extract files from the ZIP archive; rundll32.exe for loading the loader DLL; and svchost.exe, tracert.exe and setup.exe for process hollowing. Other abused legit processes include schtasks.exe and powershell.exe.
The malware is polymorphic in a number of ways, Microsoft explains. The aforementioned MSI package can contain a varying mix of files, file names can differ, the passwords for extracting files can change, and the contents of each loader DLL can vary, as can the data found in the ZIP file. "Because of these carefully designed layers of polymorphism, a traditional file-based detection approach wouldn’t be effective against Dexphot," Microsoft states in its blog post.
Often, but not always, the MSI package contains an obfuscated batch file that checks for antivirus products, as an additional defense against detection.
To maintain persistence, Dexphot relies on a pair of monitoring services -- installed as executables during the process hollowing phase of the infection chain -- to ensure that the malware is running smoothly. If any of Dexphot's processes have been halted, the monitors force a re-infection via a PowerShell command. Dexphot also gains an additional layer of persistence by using schtasks.exe to set up scheduled tasks that routinely update the malware components.
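The living-off-the-land chain (msiexec, unzip, rundll32, process-hollowing targets) and the schtasks/PowerShell persistence described above lend themselves to parent-child process detection. The following is an added defender's example, not code from Microsoft or the article: it scores constructed process-creation events (Sysmon Event ID 1 style fields) for those traits; the binary names come from the article, the sample events and trait names are made up.

```python
# Constructed detection example for the Dexphot process chain: scores
# process-creation events (parent image, image, command line) for its traits.
from collections import defaultdict

# Legitimate binaries Dexphot abuses, grouped by the stage the article names.
STAGE_BINARIES = {
    "msi_install": {"msiexec.exe"},
    "unzip": {"unzip.exe"},
    "loader": {"rundll32.exe"},
    "hollowing_target": {"svchost.exe", "tracert.exe", "setup.exe"},
}

def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def classify_event(parent: str, image: str, cmdline: str) -> list[str]:
    """Return the suspicious traits of a single process-creation event."""
    p, i, c = basename(parent), basename(image), cmdline.lower()
    hits = []
    # Hollowing target spawned by rundll32: tracert/setup/svchost rarely have a DLL loader parent.
    if i in STAGE_BINARIES["hollowing_target"] and p in STAGE_BINARIES["loader"]:
        hits.append("hollowing-target-from-rundll32")
    # unzip.exe launched by msiexec (the MSI package extracting the ZIP archive).
    if i in STAGE_BINARIES["unzip"] and p in STAGE_BINARIES["msi_install"]:
        hits.append("unzip-from-msiexec")
    # Scheduled task whose action is a PowerShell command (monitor persistence).
    if i == "schtasks.exe" and "/create" in c and "powershell" in c:
        hits.append("schtasks-powershell-persistence")
    return hits

def score_host(events: list[tuple[str, str, str]]) -> dict[str, int]:
    """Count each trait across one host's events; several distinct traits
    together are a much stronger signal than any one of them alone."""
    counts: dict[str, int] = defaultdict(int)
    for parent, image, cmdline in events:
        for hit in classify_event(parent, image, cmdline):
            counts[hit] += 1
    return dict(counts)

# Constructed sample events (parent image, image, command line); not real telemetry.
SAMPLE_EVENTS = [
    (r"C:\Windows\explorer.exe", r"C:\Windows\System32\msiexec.exe", "msiexec /i pkg.msi /qn"),
    (r"C:\Windows\System32\msiexec.exe", r"C:\Temp\unzip.exe", "unzip -P secret a.zip"),
    (r"C:\Windows\System32\rundll32.exe", r"C:\Windows\System32\tracert.exe", "tracert.exe"),
    (r"C:\Windows\System32\rundll32.exe", r"C:\Windows\System32\schtasks.exe",
     r'schtasks /create /tn Upd /tr "powershell -File C:\Temp\m.ps1" /sc minute /mo 30'),
    (r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]

if __name__ == "__main__":
    print(score_host(SAMPLE_EVENTS))
```

On real telemetry, alert on hosts where two or more distinct traits appear within a short window rather than on any single hit, since each binary is legitimately used on its own.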
"Dexphot is not the type of attack that generates mainstream media attention; it's one of the countless malware campaigns that are active at any given time," Microsoft concludes in its report. "Its goal is a very common one in cybercriminal circles – to install a coin miner that silently steals computer resources and generates revenue for the attackers – yet Dexphot exemplifies the level of complexity and rate of evolution of even everyday threats, intent on evading protections and motivated to fly under the radar for the prospect of profit."