Dexphot

The Dexphot malware is a rather sophisticated cryptocurrency miner that targets machines running Windows. Threats of this type usually operate in a very similar manner – they infect a host and then use the computing power of the system to mine cryptocurrency, which is transferred to the operators of the miner. The Dexphot threat first got on the radar of malware researchers back in 2018, but its activity has been increasing gradually, reaching a culmination point in June 2019. According to reports, in June of this year the Dexphot miner had allegedly compromised more than 90,000 systems around the globe.

Staying Under the Radar of Users and Analysts

The authors of the Dexphot miner have put a lot of effort into making sure that this threat remains undetected by its victims. This is achieved by running in a fileless mode – the Dexphot miner first places its files on the infiltrated host and then moves them into the system's memory, leaving far fewer traces of its activity on disk. That not only makes it far less likely for the victim to spot the threat but also makes the job of malware analysts much tougher. Furthermore, the creators of the Dexphot miner have also adopted a technique called 'living-off-the-land': the threat injects its code into legitimate Windows processes and operates through them. In addition, the Dexphot cryptocurrency miner is designed to be polymorphic. This means that, to avoid being spotted by security tools and applications, the Dexphot miner changes its signatures, URLs and names on a regular basis. Anti-malware tools often rely on matching known patterns when looking for threats, and the Dexphot miner uses its polymorphic nature to confuse any anti-virus application that may be present on the compromised host.

Gaining Persistence

Once the Dexphot cryptocurrency miner has infiltrated a system, it tampers with Windows Registry keys to gain persistence. The threat also schedules various tasks to ensure that it is run every time the user reboots the system. These tasks serve different purposes – through them, the Dexphot miner can update itself and even reinfect the host after the threat has been wiped off the compromised computer. The latter shows how much effort the authors of the Dexphot miner have put into persistence, as few creators of cryptocurrency miners go this far.
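A defender-side check for the two persistence routes described above (Registry Run values and scheduled tasks) that also flags the living-off-the-land pattern from the previous section. This is an added example, not code from the article or from any Dexphot analysis: the task XML, the `\ExampleUpdater` task name, the Run values, the LOLBin list and the argument heuristics are all constructed or assumed here and are not Dexphot indicators.

```python
import re
import xml.etree.ElementTree as ET
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Legitimate Windows binaries that fileless miners abuse to run code without dropping an executable (assumed list).
LOLBINS = {"powershell.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "wscript.exe", "cscript.exe", "msiexec.exe"}
ARG_CHECKS = [  # (pattern over the argument string, reason reported when it matches)
    (re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{40,}", re.I), "base64-encoded PowerShell"),
    (re.compile(r"https?://", re.I), "remote URL in arguments"),
    (re.compile(r"-w(indowstyle)?\s+hidden", re.I), "hidden window"),
    (re.compile(r"\\(AppData|Temp|ProgramData)\\", re.I), "payload in user-writable path"),
]

def split_cmdline(cmdline):  # -> (executable, arguments), honouring a quoted executable path
    cmdline = cmdline.strip()
    exe, _, args = cmdline[1:].partition('"') if cmdline.startswith('"') else cmdline.partition(" ")
    return exe, args.strip()

def assess(command, arguments):
    """Reasons a command line looks like LOLBin-based persistence; empty list when nothing stands out."""
    exe = command.strip().replace("/", "\\").rsplit("\\", 1)[-1].lower()
    reasons = [f"LOLBin: {exe}"] if exe in LOLBINS else []
    return reasons + [why for pat, why in ARG_CHECKS if pat.search(arguments)]

def scan_task_xml(xml_text):
    """Inspect one task export (output of `schtasks /query /tn <name> /xml`); return flagged actions."""
    root = ET.fromstring(xml_text)
    name = root.findtext("t:RegistrationInfo/t:URI", default="?", namespaces=NS)
    at_start = any(root.find(f"t:Triggers/t:{t}", NS) is not None for t in ("BootTrigger", "LogonTrigger"))
    hits = []
    for ex in root.findall("t:Actions/t:Exec", NS):
        reasons = assess(ex.findtext("t:Command", default="", namespaces=NS),
                         ex.findtext("t:Arguments", default="", namespaces=NS))
        if reasons:
            hits.append({"task": name, "runs_at_boot_or_logon": at_start, "reasons": reasons})
    return hits

def scan_run_values(values):
    """values: {value name: command line} read from a Run key; return the entries worth a closer look."""
    return [{"value": n, "reasons": r} for n, c in values.items() if (r := assess(*split_cmdline(c)))]

# Constructed samples (not real Dexphot artifacts): a benign task, a LOLBin-based one, and two Run values.
BENIGN_TASK = r"""<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"><RegistrationInfo><URI>\Microsoft\Windows\Defrag\ScheduledDefrag</URI></RegistrationInfo><Triggers><CalendarTrigger/></Triggers>
<Actions><Exec><Command>%windir%\system32\defrag.exe</Command><Arguments>-c -h -o</Arguments></Exec></Actions></Task>"""
SUSPECT_TASK = r"""<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"><RegistrationInfo><URI>\ExampleUpdater</URI></RegistrationInfo><Triggers><LogonTrigger/></Triggers>
<Actions><Exec><Command>powershell.exe</Command><Arguments>-w hidden -enc QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVpBQkNERUZHSEk=</Arguments></Exec></Actions></Task>"""
RUN_VALUES = {"OneDrive": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background',
              "Updater": r"rundll32.exe C:\ProgramData\x.dll,Start"}
if __name__ == "__main__":  # run stand-alone: prints the flagged task, the flagged Run value, and [] for the benign task
    print(scan_task_xml(SUSPECT_TASK), scan_run_values(RUN_VALUES), scan_task_xml(BENIGN_TASK))
```

On a live host the same functions can be fed the XML from `schtasks /query /xml` and the values of the HKCU and HKLM `...\CurrentVersion\Run` keys; a hit is a lead to examine, not proof of infection.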

Uses the Victim's Hardware to Mine Cryptocurrency

Despite its impressive persistence and stealth capabilities, the Dexphot miner is, at its core, rather basic and not very different from most threats of this kind. Malware researchers speculate that the Dexphot miner is delivered as a second-stage payload on the compromised host, but this theory has yet to be confirmed. Once the miner has been planted on the targeted system, the Dexphot threat begins mining cryptocurrency using the victim's hardware. This not only leads to performance issues but is also likely to shorten the lifespan of the system if the Dexphot miner runs for a long time.

The Dexphot cryptocurrency miner is an interesting threat that has managed to infect an impressive number of systems. Although the approximate number of victims is known, we cannot say how much money the authors of the Dexphot miner have cashed in so far. To keep your system safe from threats like Dexphot, download and install a legitimate anti-malware security suite, and do not forget to update all your software regularly.
