Malware that Microsoft has been tracking for over a year has been leveraging numerous techniques for evasion, including random file names, fileless installation, and polymorphism.
Microsoft, which calls the malware Dexphot, noticed that it attempted to deploy files that changed two or three times per hour. Targeting thousands of devices, the polymorphic malware was running code directly in memory and hijacking legitimate system processes to evade detection.
Large-scale at first, the campaign dropped in intensity over time, and only a few machines still encounter Dexphot-related malicious behavior.
Dexphot’s infection process starts with the writing of five files to disk: an installer with two URLs, an MSI file, a password-protected ZIP archive, a loader DLL extracted from the archive, and an encrypted data file containing three additional executables.
The malware abuses numerous legitimate system processes during execution, such as msiexec.exe, unzip.exe, rundll32.exe, schtasks.exe, and powershell.exe in early stages, and svchost.exe, tracert.exe, and setup.exe in later stages.
The Dexphot installer is dropped and executed by SoftwareBundler:Win32/ICLoader and its variants. The installer then leverages two URLs to fetch malicious payloads (the same URLs are later used for persistence, updates, and re-infection).
An MSI package is downloaded from one URL and msiexec.exe used for a silent install. A batch script in Dexphot’s package is first executed when the installation process starts, to check for antivirus products.
The malware checks for the presence of antivirus products from Avast and AVG, as well as for Windows Defender Antivirus, and the infection is halted if such an application is found.
Otherwise, the password-protected ZIP archive is decompressed to extract the loader DLL, an encrypted data file and an unrelated DLL.
Next, process hollowing is used: the loader DLL targets two legitimate system processes and spawns them in suspended state, then replaces their contents with two malicious executables, after which it releases them from suspension.
The setup.exe process is then targeted and its contents replaced with a third executable, a cryptocurrency miner.
The first two executables represent monitoring services for Dexphot’s components, ensuring persistence. Each checks the status of all three malicious processes and, if any is terminated, begins re-infection. The monitoring services also check for cmd.exe processes and terminate them immediately.
The malware also creates scheduled tasks, as a persistence fail-safe. These tasks run malicious code using msiexec.exe as a proxy and also allow Dexphot to update components.
Multiple levels of polymorphism is used, with each MSI package being unique, due to the included files: a clean version of unzip.exe, a password-protected ZIP file, and a batch script. The script is not always preset and the names of other files and the password for the ZIP file change for each package.
The content of the loader DLL is also different from one package to another, the same as the encrypted data in the ZIP file.
The domains used in the attacks follow a similar pattern, with the file name for the payload randomly created. Many of the domains were used for a long time, but the MSI packages were frequently changed or updated. Overall, Microsoft identified around 200 unique Dexphot domains.
“Dexphot is not the type of attack that generates mainstream media attention; it’s one of the countless malware campaigns that are active at any given time. […] Dexphot exemplifies the level of complexity and rate of evolution of even everyday threats, intent on evading protections and motivated to fly under the radar for the prospect of profit,” Microsoft concludes.