Dexphot is a polymorphic malware campaign that constantly evolves, sometimes deploying new files and employing new TTPs (Tactics, Techniques, and Procedures) every 20 to 30 minutes. The goal of the campaign is to mine cryptocurrency, which isn’t particularly remarkable; what makes it notable is the set of techniques it uses to stay hidden.
Tactics, Techniques, Procedures
The primary way this malware avoids detection is through layers of obfuscation and encryption, like those of an onion. It can also run filelessly in memory by hijacking legitimate system processes, which keeps forensic analysts and other security professionals from easily capturing and identifying the threat. Processes the malware commonly hijacks include PowerShell, nslookup, the Windows Command Processor (cmd.exe), tracert (traceroute), and others.
The main method of persistence is the Windows Task Scheduler, supplemented by monitoring services that the malicious code creates.
The malware uses DLL side-loading and DLL injection to interact with core system files. DLL side-loading occurs when an unexpected DLL is loaded alongside the legitimate DLL being called; this lets the actor load a malicious copy of a legitimate DLL that carries encoded values. DLL injection lets the cybercriminal place malicious code inside a legitimate Windows core file (DLL).
The DLL handling described above lets the malware perform process hollowing, in which malicious code runs under the name of a legitimate process and thereby evades detection.
The malware changes the file names and methods it uses with each deployment. It regularly updates itself through scheduled jobs in the Windows Task Scheduler, running those updates via PowerShell or other execution methods (such as WMI). On each deployment, the malware also changes the processes it uses for process hollowing.
The malware may also redeploy itself on already infected hosts at any given time to reduce suspicion and to maintain a lower detection rate.
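Because the report ties persistence and self-update to the Windows Task Scheduler driving PowerShell or WMI, an administrator can audit the task list for actions that launch a script host with arguments typical of hidden or encoded execution. The following is an added example written for this page, not code from Avertium or from any Dexphot sample; the host and argument patterns are illustrative generic indicators, not a Dexphot signature, and the script assumes it is run from an elevated PowerShell session on the host being checked.

```powershell
# Added example (not from the Avertium report): audit scheduled tasks whose
# action launches a script host with suspicious-looking arguments.
# Assumptions: run elevated; the pattern lists are generic, not a Dexphot signature.

$suspiciousHosts = 'powershell\.exe|pwsh\.exe|wmic\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|nslookup\.exe|cmd\.exe'
$suspiciousArgs  = '-enc|-e |-ec |encodedcommand|-w hidden|windowstyle hidden|bypass|\biex\b|invoke-expression|downloadstring|frombase64string'

function Get-SuspiciousScheduledTask {
    Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' } | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            # Only MSFT_TaskExecAction instances carry Execute/Arguments;
            # skip COM-handler, e-mail and message-box actions.
            if (-not $action.Execute) { continue }
            $cmdline = "$($action.Execute) $($action.Arguments)"
            $hostHit = $action.Execute -match $suspiciousHosts
            $argHit  = $cmdline -match $suspiciousArgs
            if ($hostHit -and $argHit) {
                [pscustomobject]@{
                    TaskName  = $task.TaskName
                    TaskPath  = $task.TaskPath
                    Author    = $task.Author
                    Principal = $task.Principal.UserId
                    Execute   = $action.Execute
                    Arguments = $action.Arguments
                    # Trigger class names (e.g. MSFT_TaskTimeTrigger) show how often the task fires
                    Triggers  = ($task.Triggers | ForEach-Object { $_.CimClass.CimClassName }) -join ','
                }
            }
        }
    }
}

# Usage: list every matching task for manual review
Get-SuspiciousScheduledTask | Format-List
```

Requiring both a script-host match and an argument match keeps legitimate maintenance tasks (which commonly run PowerShell with plain arguments) out of the results; tune the argument list to your environment before turning this into a scheduled check, and pair it with Security log event 4698 (scheduled task created) in your SIEM so new tasks are seen at creation time rather than on the next audit.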
When the malware uses a password-protected archive, the password changes with the deployment configuration.
The threat also searches for installed anti-virus programs (e.g. AVG or Avast) and changes its approach based on the software’s presence, for example by becoming stealthier.
- May degrade system performance due to unwanted resource consumption
- Could lead to unwanted network usage depending on the malware’s configuration
A layered defense is encouraged when dealing with advanced polymorphic threats such as this.
- Turning on PowerShell logging on any relevant or important endpoints, and disabling users’ access to PowerShell on any system that does not require it
- Utilizing the most verbose logging configuration possible and piping those logs into your SIEM
- Employing tools like Cylance, Tanium, or Carbon Black to mitigate some risks related to process hollowing and malicious file additions
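The first two recommendations above (PowerShell logging and verbose logs feeding a SIEM) can be put in place from an elevated PowerShell session without waiting for a Group Policy change. The script below is an added example for this page, not Avertium's or LogRhythm's tooling: it writes the same policy registry values that Group Policy uses to enable script block, module and transcription logging, then pulls recent script block events (event ID 4104 in the Microsoft-Windows-PowerShell/Operational log) that contain patterns worth a second look. The transcript directory `C:\PSTranscripts` and the keyword pattern are assumptions, not values from the report.

```powershell
# Added example (not from the Avertium report): enable PowerShell script block,
# module and transcription logging via the policy registry keys, then verify
# by querying recent script block events (ID 4104).
# Assumptions: run elevated; C:\PSTranscripts is a placeholder path.

$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Set-PolicyValue {
    param([string]$Key, [string]$Name, $Value, [string]$Type = 'DWord')
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    New-ItemProperty -Path $Key -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

function Enable-PowerShellLogging {
    param([string]$TranscriptDir = 'C:\PSTranscripts')   # placeholder directory

    # Script block logging: the de-obfuscated text of every script block run (event 4104)
    Set-PolicyValue "$policyRoot\ScriptBlockLogging" 'EnableScriptBlockLogging' 1

    # Module logging for all modules: pipeline execution details (event 4103)
    Set-PolicyValue "$policyRoot\ModuleLogging" 'EnableModuleLogging' 1
    Set-PolicyValue "$policyRoot\ModuleLogging\ModuleNames" '*' '*' 'String'

    # Transcription: plain-text record of each session, useful when a host is imaged later
    Set-PolicyValue "$policyRoot\Transcription" 'EnableTranscripting' 1
    Set-PolicyValue "$policyRoot\Transcription" 'EnableInvocationHeader' 1
    Set-PolicyValue "$policyRoot\Transcription" 'OutputDirectory' $TranscriptDir 'String'
    if (-not (Test-Path $TranscriptDir)) { New-Item -ItemType Directory -Path $TranscriptDir | Out-Null }
}

function Get-SuspiciousScriptBlockEvent {
    param([int]$Hours = 24)
    # Illustrative keywords; extend from your own triage, not a Dexphot signature
    $pattern = 'FromBase64String|-EncodedCommand|DownloadString|Invoke-Expression|\bIEX\b|Start-Process|schtasks|Register-ScheduledTask'
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $pattern } |
    Select-Object TimeCreated, Id,
        # Properties[2] of a 4104 event is the ScriptBlockText field
        @{ n = 'Snippet'; e = { $text = $_.Properties[2].Value -replace '\s+', ' '
                                 $text.Substring(0, [Math]::Min(200, $text.Length)) } }
}

Enable-PowerShellLogging
Get-SuspiciousScriptBlockEvent -Hours 24 | Format-Table -AutoSize -Wrap
```

Script block logging records the script text after PowerShell has evaluated encoded or obfuscated wrappers, which is what makes it useful against a threat that re-encodes its payloads on every deployment; forward the Microsoft-Windows-PowerShell/Operational channel (at least IDs 4103 and 4104) to the SIEM so the search above runs centrally rather than on each host.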
LogRhythm customers may already be sufficiently monitored for unwanted process actions by the AIE rule C2: Abnormal Process Activity (it may require tuning to avoid overly broad log captures). You may also consider implementing blocks using the IOC (Indicators of Compromise) list linked below.
Note: The Avertium Threat Report analyzes one current threat that has been shared by threat intelligence networks across the globe. Used internally by the Avertium CyberOps Team, this report will outline a “top-of-mind” threat and how it ought to be addressed accordingly.
This informed analysis is based on the latest data available.
Contact us for more information about Avertium’s managed detection and response service capabilities.