Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Dexphot Malware Uses Randomization, Encryption, and Polymorphism to Evade Detection

Malware that Microsoft has been tracking for over a year has been leveraging numerous techniques for evasion, including random file names, fileless installation, and polymorphism. 

Malware that Microsoft has been tracking for over a year has been leveraging numerous techniques for evasion, including random file names, fileless installation, and polymorphism. 

Microsoft, which calls the malware Dexphot, noticed that it attempted to deploy files that changed two or three times per hour. Targeting thousands of devices, the polymorphic malware was running code directly in memory and hijacking legitimate system processes to evade detection.

Large-scale at first, the campaign dropped in intensity over time, and only a few machines still encounter Dexphot-related malicious behavior. 

Dexphot’s infection process starts with the writing of five files to disk: an installer with two URLs, an MSI file, a password-protected ZIP archive, a loader DLL extracted from the archive, and an encrypted data file containing three additional executables. 

The malware abuses numerous legitimate system processes during execution, such as msiexec.exe, unzip.exe, rundll32.exe, schtasks.exe, and powershell.exe in early stages, and svchost.exe, tracert.exe, and setup.exe in later stages. 

The Dexphot installer is dropped and executed by SoftwareBundler:Win32/ICLoader and its variants. The installer then leverages two URLs to fetch malicious payloads (the same URLs are later used for persistence, updates, and re-infection). 

An MSI package is downloaded from one URL and msiexec.exe used for a silent install. A batch script in Dexphot’s package is first executed when the installation process starts, to check for antivirus products. 

The malware checks for the presence of antivirus products from Avast and AVG, as well as for Windows Defender Antivirus, and the infection is halted if such an application is found.

Otherwise, the password-protected ZIP archive is decompressed to extract the loader DLL, an encrypted data file and an unrelated DLL. 

Next, process hollowing is used: the loader DLL targets two legitimate system processes and spawns them in suspended state, then replaces their contents with two malicious executables, after which it releases them from suspension.

The setup.exe process is then targeted and its contents replaced with a third executable, a cryptocurrency miner. 

The first two executables represent monitoring services for Dexphot’s components, ensuring persistence. Each checks the status of all three malicious processes and, if any is terminated, begins re-infection. The monitoring services also check for cmd.exe processes and terminate them immediately.

The malware also creates scheduled tasks, as a persistence fail-safe. These tasks run malicious code using msiexec.exe as a proxy and also allow Dexphot to update components. 

Multiple levels of polymorphism is used, with each MSI package being unique, due to the included files: a clean version of unzip.exe, a password-protected ZIP file, and a batch script. The script is not always preset and the names of other files and the password for the ZIP file change for each package.

The content of the loader DLL is also different from one package to another, the same as the encrypted data in the ZIP file. 

The domains used in the attacks follow a similar pattern, with the file name for the payload randomly created. Many of the domains were used for a long time, but the MSI packages were frequently changed or updated. Overall, Microsoft identified around 200 unique Dexphot domains.

“Dexphot is not the type of attack that generates mainstream media attention; it’s one of the countless malware campaigns that are active at any given time. […] Dexphot exemplifies the level of complexity and rate of evolution of even everyday threats, intent on evading protections and motivated to fly under the radar for the prospect of profit,” Microsoft concludes. 

Related: ‘Cloud Atlas’ Cyberspies Use Polymorphic Malware in Government Attacks

Related: Dridex Employs Polymorphism in Recent Campaign

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Malware & Threats

Norway‎-based DNV said a ransomware attack on its ship management software impacted 1,000 vessels.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Malware & Threats

Fortinet warned of three malicious PyPI packages containing code that fetches the Wacatac trojan and information stealer.

Cybercrime

The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...

Malware & Threats

A GitHub Codespaces feature meant to help with code development and collaboration can be abused for malware delivery.

Malware & Threats

Cybercrime in 2017 was a tumultuous year "full of twists and turns", with new (but old) infection methods, a major return to social engineering,...

Malware & Threats

Avast and Bitdefender have released decryptors to help victims of BianLian and MegaCortex ransomware recover their data for free.