Analysis has determined that Dexphot mining malware uses the resources of the infected computer to mine Monero and derive profits for the attackers.
Microsoft computer security team engineers detailed in a report published this week about certain Dexphot mining malware, which affects computers with Windows operating system and makes use of its computer resources to mine cryptocurrencies, deriving profits for attackers.
Dexphot mining malware dates back to October 2018 and registered the largest number of infected computers in June this year, compromising the security of at least 80,000 computers worldwide taking advantage of the resources to undermine the Monero cryptocurrency.
In this regard, Microsoft Defender analyst Hazel Kim commented:
“Dexphot is not the type of attack that catches the attention of the media … It is part of the many types of malware that are active at any given time. Its objective is very common among cybercriminal communities: The idea is to install a miner for digital currencies that silently steals computer resources and derives profits for attackers. “
Kim also said that unlike other malwares, Dexphot raises the level of complexity of the attack and evolves constantly, with the intention of evading security systems and going unnoticed within infected computers, for which he makes use of polymorphic techniques, execution No files and smart boot mechanisms.
Infection of computers
According to information published in the report, Dexphot is listed as a type of malware that reaches systems infected by another class of viruses, so its installation occurs in a second stage of infection.
Analysts detail that all computers infected with Dexphot originally had a malware called ICLoader, which takes advantage of software packages to go unnoticed or is included when the user installs pirated programs.
Once infected with ICLoader, the malware automatically downloads and installs Dexphot, whose installer is the only file visible on the computer for a very short period of time. Of rest all the operations of Dexphot execute of unknown form, preventing its detection by the classic antivirus.
The report details that Dexphot can even take advantage of legitimate processes in the Windows operating system to run the malware, making use of necessary programs such as msiexec.exe, unzip.exe, rundll32.exe, schtasks.exe and powershell.exe.
A malware capable of adapting
However, what is most striking about Dexphot is that this last year he introduced a technique called polymorphism, which manages to go unnoticed even for antivirus programs that detect malicious execution patterns without files.
With this method, the operators of Dexphot change the names of the file and the URLs used in lapses of 20 – 30 minutes, which together with intelligent mechanisms of persistence, get the computers to be re-infected if there is any trace of the malware detected by the security software
The researchers detailed that the malware is able to completely reinstall itself if the administrators delete part of the compromised files, even causing the computer to be re-infected after the computer reboots or at certain time periods.
Given the degree of sophistication of the attack, Kim said that all these techniques could be associated with government cybersecurity agencies, which hackers replicated and adapted to harness the processing power of the equipment and thus undermine cryptocurrencies such as Monero, whose emphasis on privacy prevents traceability of generated funds.
Indicators and recommendations
To conclude, researchers recommend that people avoid visiting unsafe websites, as well as downloading pirated software since there is a high probability that the equipment will contract malware that may lead to the installation of mining programs without users’ consent.
In turn, they also recommend constantly monitoring the use of computer resources by the team to detect irregularities. And in case of suspicion, make use of good antivirus software to eliminate such corrupted files from the computer.