Microsoft has published information about Dexphot, a malware strain that has been active since October 2018.
Dexphot was used by malicious parties to hijack victims’ computing resources in order to mine cryptocurrency on their devices.
According to Microsoft, Dexphot achieved its peak in June 2019, when its botnet reached about 80,000 infected computers.
How it works
Microsoft said that Dexphot’s methods and techniques were notably complex.
“[Dexphot’s] goal is a very common one in cybercriminal circles —
Dexphot is a second-stage payload, which means that it is deployed on systems that are already infected by other malware – in Dexphot’s case, a malware strain called ICLoader.
Once the Dexphot installer has run, every other operation takes place using fileless execution – meaning that everything is executed from within the computer’s memory rather than from files on disk, rendering it invisible to traditional antivirus software.
Once detected, Dexphot is also capable of re-infecting systems if not every artefact is removed from the victim’s system.
Since its June peak, Dexphot’s reach has decreased substantially, dipping below 10,000 affected devices by the end of August.
Microsoft claimed that its efforts were key to the nullification of the Dexphot threat.
“Microsoft Defender ATP data shows the effectiveness of behavioural blocking and containment capabilities in stopping the Dexphot campaign.”
“Over time, Dexphot-related malicious behaviour reports dropped to a low hum, as the threat lost steam.”