Dexphot is a polymorphic malware campaign that constantly evolves, sometimes deploying new files and employing new TTPs (Tactics, Techniques, and Procedures) every 20 to 30 minutes. The goal of the campaign is to mine cryptocurrency, which is not remarkable in itself; what makes it unusual is the set of methods it uses to stay hidden.
The primary way the malware avoids detection is through layers of obfuscation and encryption, like those of an onion. It can also run file-less in memory by hijacking legitimate system processes, which makes the threat hard for forensic analysts and other security professionals to isolate and identify. Common processes it hijacks include PowerShell, nslookup, the Windows Command Processor (cmd.exe), tracert (traceroute), and others.
Its main persistence mechanism is the Windows Task Scheduler, supplemented by monitoring services that the malicious code itself installs.
The malware uses DLL side-loading and DLL injection to interact with core system files. DLL side-loading occurs when an application loads a DLL that it did not intend to load alongside, or in place of, the DLL it asked for; this lets the attacker substitute a malicious copy of a legitimate DLL that carries encoded values. DLL injection lets the attacker place malicious code inside a legitimate Windows core file (DLL).
The DLL handling described above enables process hollowing, in which malicious code runs under the identity of a legitimate process and so evades detection.
The malware changes the file names and methods it uses on each deployment. It updates itself regularly through jobs in the Windows Task Scheduler, running the updates via PowerShell or other execution methods such as WMI, and on each deployment it changes which legitimate process it hollows.
The malware may also redeploy itself on already infected hosts at any time, both to reduce suspicion and to keep its detection rate low.
When the malware uses a password-protected archive, the password depends on the deployment configuration.
The threat also searches for installed anti-virus products (e.g. AVG or Avast) and changes its approach when one is present, becoming stealthier, for example.
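The behaviours described above (legitimate binaries hijacked or hollowed, a legitimate DLL name side-loaded from an unexpected directory, and scheduled tasks that re-run PowerShell on a 20 to 30 minute cadence) can each be expressed as a simple triage rule over endpoint telemetry. The following Python script is an added example written for this page, not code from the Avertium report or from any vendor product. It runs over constructed event records shaped loosely like Sysmon process-create, image-load and task-registration events; the field names, the parent-process allow-list, the system-DLL name set, the interval threshold and every path in the sample data are assumptions chosen for illustration, not Dexphot indicators.

```python
"""Heuristic triage of Windows endpoint events for Dexphot-style behaviour.

Added example, not part of the Avertium report. Event shapes, allow-lists
and thresholds below are assumptions for illustration only.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Legitimate binaries the report says the malware hijacks (lowercase basenames).
HIJACK_TARGETS = {"powershell.exe", "nslookup.exe", "cmd.exe", "tracert.exe"}

# Parents under which those binaries normally run in this example environment
# (assumption; tune to the fleet being monitored).
EXPECTED_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "services.exe",
                    "svchost.exe", "taskeng.exe", "conhost.exe"}

# Directories where genuine copies of system DLLs live (assumption).
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# Well-known system DLL names that side-loading commonly impersonates
# (example set, not derived from the report).
SYSTEM_DLL_NAMES = {"version.dll", "cryptbase.dll", "dbghelp.dll", "urlmon.dll"}

# A task re-running a hijack target more often than this is suspicious given the
# report's 20-30 minute redeployment cadence (threshold is an assumption).
MAX_REPEAT_MINUTES = 60

# "-e", "-enc" or "-EncodedCommand" followed by a long base64 blob.
ENCODED_PS = re.compile(r"(?<!\S)-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}", re.I)


@dataclass(frozen=True)
class Finding:
    rule: str
    event_id: int
    detail: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _in_system_dir(path: str) -> bool:
    return path.lower().startswith(SYSTEM_DIRS)


def check_process_create(ev: dict) -> list[Finding]:
    """Hijack target spawned by an unusual parent, or PowerShell with an encoded command."""
    findings = []
    image, parent = _basename(ev["image"]), _basename(ev["parent_image"])
    if image in HIJACK_TARGETS and parent not in EXPECTED_PARENTS:
        findings.append(Finding("hijacked-lolbin-parent", ev["id"], f"{image} spawned by {parent}"))
    if image == "powershell.exe" and ENCODED_PS.search(ev.get("command_line", "")):
        findings.append(Finding("encoded-powershell", ev["id"], ev["command_line"]))
    return findings


def check_image_load(ev: dict) -> list[Finding]:
    """Side-loading: a DLL carrying a system DLL's name is loaded from outside the system directories."""
    loaded = ev["loaded_image"]
    if _basename(loaded) in SYSTEM_DLL_NAMES and not _in_system_dir(loaded):
        return [Finding("dll-sideload", ev["id"], f"{_basename(ev['image'])} loaded {loaded}")]
    return []


def check_task_created(ev: dict) -> list[Finding]:
    """Scheduled task that re-runs a hijack target on a short repetition interval."""
    action = _basename(ev["action"])
    if action in HIJACK_TARGETS and ev.get("repeat_minutes", 10**9) <= MAX_REPEAT_MINUTES:
        return [Finding("short-interval-task", ev["id"],
                        f"{ev['task_name']} runs {action} every {ev['repeat_minutes']} min")]
    return []


CHECKS = {"process_create": check_process_create,
          "image_load": check_image_load,
          "task_created": check_task_created}


def triage(events: list[dict]) -> list[Finding]:
    """Run every applicable check over a list of events; returns findings in event order."""
    out: list[Finding] = []
    for ev in events:
        out.extend(CHECKS[ev["type"]](ev))
    return out


# Constructed sample telemetry (invented paths and names; not real indicators).
SAMPLE_EVENTS = [
    {"id": 1, "type": "process_create", "image": r"C:\Windows\System32\nslookup.exe",
     "parent_image": r"C:\Users\alice\AppData\Local\Temp\setup.exe", "command_line": "nslookup.exe"},
    {"id": 2, "type": "process_create", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "powershell.exe -NoProfile -EncodedCommand QUFBQUFBQUFBQUFBQUFBQUFBQUFBQQ=="},
    {"id": 3, "type": "process_create", "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe", "command_line": "cmd.exe /c dir"},
    {"id": 4, "type": "image_load", "image": r"C:\Windows\System32\tracert.exe",
     "loaded_image": r"C:\Users\alice\AppData\Local\Temp\version.dll"},
    {"id": 5, "type": "image_load", "image": r"C:\Windows\System32\notepad.exe",
     "loaded_image": r"C:\Windows\System32\version.dll"},
    {"id": 6, "type": "task_created", "task_name": r"\Updater-Example",
     "action": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "repeat_minutes": 25},
    {"id": 7, "type": "task_created", "task_name": r"\Nightly backup",
     "action": r"C:\Program Files\Backup\backup.exe", "repeat_minutes": 1440},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.rule}] event {f.event_id}: {f.detail}")
```

Each rule on its own is noisy in a real fleet (administrators do run encoded PowerShell, and vendors do ship DLLs named like system ones next to their executables), so the practical use is to correlate: a short-interval task whose action is a hijack target, on a host that also shows a side-loaded system DLL name, is a much stronger signal than any single finding.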
A layered defense is encouraged when dealing with advanced polymorphic threats such as this.
LogRhythm customers can monitor for unwanted process activity with the AIE rule C2: Abnormal Process Activity (it may require tuning to avoid overly broad log captures). Consider implementing blocks based on the IOC (Indicators of Compromise) list linked below.
Bleeping Computer Article
Dark Reading Article
OTX IOC List
Note: The Avertium Threat Report analyzes one current threat that has been shared by threat intelligence networks across the globe. Used internally by the Avertium CyberOps Team, this report outlines a “top-of-mind” threat and how it should be addressed.
This informed analysis is based on the latest data available.
Contact us for more information about Avertium's managed detection and response service capabilities.