Microsoft’s Defender ATP Research Team has revealed that a new cryptocurrency-mining malware, dubbed “Dexphot”, has infected around 80,000 computers since October 2018.
Dexphot infections peaked in mid-June this year. In many respects the malware resembles the recently discovered malicious code hidden in WAV audio files.
The loader DLL targets two legitimate system processes and uses process hollowing, replacing the in-memory code of a freshly started, suspended copy of the process with its own, so that the payload runs under a trusted process name. Dexphot always drops some kind of cryptocurrency miner, but not always the same one: during Microsoft’s research it was seen using XMRig and JCE Miner, among others.
Hazel Kim, an analyst at Microsoft, said that the “Dexphot attack used different advanced models to avoid security solutions.” The installation process was hidden by layers of encryption and the use of randomized file names.
Dexphot also uses a fileless technique to execute malicious code directly in memory, leaving only a handful of traces that can be used forensically, the report said.
Finally, Dexphot runs the cryptocurrency miner alongside monitoring services and scheduled tasks that re-infect the machine as soon as defenders try to clean it: if the miner is deleted or detected by the user or by anti-malware software, the watchers simply rewrite it.
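The persistence described above (scheduled tasks that relaunch a payload with a randomized file name from a user-writable directory) is something a responder can hunt for with a few cheap heuristics. The script below is an added example for this article, not code from Microsoft’s report or from Dexphot itself. It parses rows in the shape of `schtasks /query /fo CSV /v` output and scores each task on whether its command points into AppData, Temp or ProgramData, whether the executable, DLL or task name looks random, and whether the task re-runs on a short interval. The sample rows, the path markers, the “random-looking name” test and the score weights are all assumptions made for the example.

```python
import csv
import io
import ntpath
import re

# Constructed sample in the shape of `schtasks /query /fo CSV /v` output (columns trimmed
# to the ones used here). These rows are made up for the example, not captured from Dexphot.
SAMPLE_CSV = r'''TaskName,Next Run Time,Status,Task To Run,Schedule Type,Repeat: Every
"\Microsoft\Windows\Defrag\ScheduledDefrag",N/A,Ready,"%windir%\system32\defrag.exe -c -h -k -g -$",Weekly,N/A
"\MicrosoftEdgeUpdateTaskMachineCore",N/A,Ready,"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe /c",At logon,N/A
"\kzjqxvwp",N/A,Ready,"C:\Users\alice\AppData\Roaming\qhtrvlxz.exe",Daily,0:05:00
"\Update",N/A,Ready,"C:\ProgramData\4f2a9c1d7e\rundll32.exe C:\ProgramData\4f2a9c1d7e\wzqkfpln.dll,Start",At logon,N/A
'''

# Pulls every drive- or %VAR%-rooted path ending in a script/binary extension out of a command line.
PATH_RE = re.compile(r"(?:[A-Za-z]:|%[A-Za-z_]+%)\\.*?\.(?:exe|dll|bat|cmd|vbs|js|ps1)\b", re.IGNORECASE)

# Assumed list of directories a normal user can write to; legitimate software rarely schedules
# tasks from here, so a hit is worth more than the other signals.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")
VOWELS = set("aeiou")


def is_user_writable(path: str) -> bool:
    lowered = path.lower()
    return any(marker in lowered for marker in USER_WRITABLE_MARKERS)


def looks_random(name: str) -> bool:
    """Crude 'randomized name' test (an assumption for this example): lowercase alphanumerics
    only, at least six characters, and either no vowels at all or a run of five consonants."""
    if not re.fullmatch(r"[a-z0-9]{6,}", name):
        return False
    letters = [c for c in name if c.isalpha()]
    if not letters:
        return False
    if not any(c in VOWELS for c in letters):
        return True
    run = best = 0
    for c in letters:
        run = 0 if c in VOWELS else run + 1
        best = max(best, run)
    return best >= 5


def short_repeat(value: str, max_minutes: int = 10) -> bool:
    """True when the task re-runs at most every `max_minutes` (schtasks prints H:MM:SS or N/A)."""
    m = re.fullmatch(r"(\d+):(\d{2}):(\d{2})", value.strip())
    if not m:
        return False
    hours, minutes, seconds = map(int, m.groups())
    return 0 < hours * 60 + minutes + seconds / 60 <= max_minutes


def assess_task(row: dict) -> tuple[int, list[str]]:
    """Score one task row; weights are assumptions chosen for this example."""
    score, reasons = 0, []
    for path in PATH_RE.findall(row["Task To Run"]):
        if is_user_writable(path):
            score += 2
            reasons.append(f"runs from user-writable path: {path}")
        stem = ntpath.splitext(ntpath.basename(path))[0]
        if looks_random(stem):
            score += 2
            reasons.append(f"random-looking file name: {stem}")
    if looks_random(ntpath.basename(row["TaskName"])):
        score += 1
        reasons.append("random-looking task name")
    repeat = row.get("Repeat: Every") or ""
    if short_repeat(repeat):
        score += 1
        reasons.append(f"re-runs every {repeat}")
    return score, reasons


def suspicious_tasks(csv_text: str, threshold: int = 3) -> dict[str, tuple[int, list[str]]]:
    """Return {task name: (score, reasons)} for every task at or above the threshold."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        score, reasons = assess_task(row)
        if score >= threshold:
            findings[row["TaskName"]] = (score, reasons)
    return findings


if __name__ == "__main__":
    for name, (score, reasons) in suspicious_tasks(SAMPLE_CSV).items():
        print(f"{name} (score {score})")
        for reason in reasons:
            print("  -", reason)
```

On a live host, feed it the output of `schtasks /query /fo CSV /v` instead of the constructed sample. The heuristics are triage, not a verdict: legitimate installers sometimes use GUID-like or otherwise odd names, and a miner can just as well be scheduled under a plausible name. Because the article notes that Dexphot’s monitoring services recreate the miner when it is removed, a flagged task should be deleted together with its watcher processes and any service that re-creates it; removing the task alone only confirms the re-infection behaviour.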