Cryptocurrency mining malware infected 80,000 Windows PCs

Microsoft has published information about Dexphot, a malware strain that has been active since October 2018.

Dexphot was used by malicious parties to hijack the computing resources of victims’ devices in order to mine cryptocurrency.

According to Microsoft, Dexphot achieved its peak in June 2019, when its botnet reached about 80,000 infected computers.

How it works

Microsoft said that Dexphot’s methods and techniques were notably complex.

“[Dexphot’s] goal is a very common one in cybercriminal circles — to install a coin miner that silently steals computer resources and generates revenue for the attackers — yet Dexphot exemplifies the level of complexity and rate of evolution of even everyday threats, intent on evading protections and motivated to fly under the radar for the prospect of profit,” said Microsoft.

Dexphot is a second-stage payload, which means that it is deployed to systems that are already infected by other malware – in the case of Dexphot, a malware strain called ICLoader.

Once the Dexphot installer has run, every other operation takes place using file-less execution – meaning that everything is executed from within the computer’s memory rather than from files on disk, rendering it invisible to traditional antivirus software.

Even once detected, Dexphot is also capable of re-infecting a system if not all of its artefacts are cleaned off the victim’s machine.

Microsoft’s efforts

Since its June peak, Dexphot’s reach has decreased substantially, dipping below 10,000 affected devices by the end of August.

Microsoft claimed that its efforts were key to the nullification of the Dexphot threat.

“Microsoft Defender ATP data shows the effectiveness of behavioural blocking and containment capabilities in stopping the Dexphot campaign.”

“Over time, Dexphot-related malicious behaviour reports dropped to a low hum, as the threat lost steam.”
