Microsoft’s security engineering team has published a detailed analysis of a malicious program called Dexphot, which mainly hijacks the resources of infected devices to mine cryptocurrency and make money for the attackers. Microsoft stated that Windows devices have been infected since October 2018, and that infections peaked at more than 80,000 devices in mid-June this year. Microsoft has since deployed countermeasures to improve detection rates and block the attacks, and the number of infected devices has slowly declined since then.
Although the ultimate goal of Dexphot is to use the victim’s device resources to mine cryptocurrency, the malware is highly complex, and its tactics and techniques are unusual for this kind of threat. Hazel Kim, a malware analyst on Microsoft’s Defender ATP research team, said: “Dexphot is not the type of attack that generates mainstream media attention. It’s one of the countless malware campaigns that are active at any given time. Its goal is a very common one in cybercriminal circles – to install a coin miner that silently steals computer resources and generates revenue for the attackers. Yet Dexphot exemplifies the level of complexity and rate of evolution of even everyday threats, intent on evading protections and motivated to fly under the radar for the prospect of profit.”
In a report shared with ZDNet, Kim detailed Dexphot’s advanced techniques, such as fileless execution, polymorphism, and layered, redundant persistence mechanisms that survive reboots. According to Microsoft, security researchers describe Dexphot as a second-stage payload, that is, malware dropped onto systems that have already been infected with other malware.