Dexphot Malware is Infecting Thousands of Computers

With the holidays fast approaching, everyone is looking for a way to make a few extra dollars. However, some are doing it in a less than legal way, making the holidays tougher for others. Dexphot has been on a crime spree as of late, infecting upwards of 80,000 computers with cryptocurrency miners. The good news is that this crime spree, which has run since 2018, has begun to decline.

What is Dexphot?

Considered to be unnecessarily complex for its task, Dexphot is a malware strain that uses your machine to mine for cryptocurrency. Its complexity lies in its ability to hide from security solutions. According to Microsoft, Dexphot uses “obfuscation, encryption and the use of randomized file names [to hide] the installation process.” As well as being designed to “fly under the radar” by hijacking legitimate system processes, Dexphot was also designed to reinstall itself should its files on the victim’s machine be removed or tampered with.

How Dexphot Spreads

Microsoft describes Dexphot as a second-stage payload – a type of malware that is dropped on systems already infected with other malware. The most common of the strains that help Dexphot spread was ICLoader, “a malware strain that’s usually side-installed as part of software bundles, without the user’s knowledge, or when users download and install cracked or pirated software,” says ZDNet. Once a machine was infected with ICLoader, Dexphot would then be remotely installed on it, further compromising the system. Once inside, Dexphot would use legitimate Windows system processes to avoid detection by antivirus solutions. But that is not the only ace Dexphot has up its sleeve. Through a technique called polymorphism, Dexphot changes the file names and URLs it uses at regular intervals, making it extremely hard for traditional antivirus solutions to lock onto the malware.

Another sneaky technique used by Dexphot was its ability to reinstall itself on the victim’s machine. Not only did this serve as a safeguard against deletion, but it also meant that the attackers could update the malware and have the updated version automatically installed on the victim’s machine, further helping it avoid detection.

How to Stay Safe From Cryptocurrency Miners

As unfortunate as it is, malware like Dexphot is more common than you may think. Cryptocurrency miners are a common type of malware that cybercriminals install on machines to generate revenue. These kinds of malware work in the background, generating revenue for the attacker while you use your computer. Thankfully, there is hope when it comes to Dexphot. Microsoft, through its Microsoft Defender Advanced Threat Protection, is able to detect and stop malware like Dexphot before it becomes an issue.

As always, if you are worried about your company’s virus protection, contact Hammett Technologies. We ensure all your technology needs are met. If you have any questions regarding anything above, please feel free to give us a call. We are happy to assist you, or your company, with all your cybersecurity needs! To learn more about what we can do to assist your company, visit our What We Do page!