Dexphot is a sophisticated cryptocurrency-mining malware family that targets machines running Windows. Threats of this type usually operate in much the same way: they infect a host and then use its computing power to mine cryptocurrency, which is paid out to the operators of the miner. Dexphot first appeared on malware researchers' radar in 2018, and its activity grew gradually until it peaked in June 2019. According to reports, by June 2019 the Dexphot miner had compromised more than 90,000 systems around the globe.
Staying Under the Radar of Users and Analysts
The authors of the Dexphot miner have put a lot of effort into keeping the threat hidden from their victims. The first technique is fileless execution: the initial stage writes a small number of files to the infiltrated host, but the later stages are decrypted and run only in memory, so very little of the malicious code ever sits on disk where a scanner or an investigator would find it. That makes it far less likely that the victim spots the threat and makes the job of malware analysts much tougher. Second, the creators of Dexphot rely on 'living off the land', that is, on legitimate Windows utilities that are already present on the system to download, unpack and launch the payload. Combined with this, the miner injects its code into legitimate Windows processes and operates through them, so the process that is actually mining looks like a normal system binary. Third, the Dexphot miner is polymorphic: to avoid being spotted by security tools, it changes its file names, URLs and the signatures of its components on a regular basis. Anti-malware tools often rely on matching known patterns, and the miner uses this constant variation to evade any anti-virus application that may be present on the compromised host.
Once the Dexphot cryptocurrency miner has infiltrated a system, it tampers with Windows Registry keys to gain persistence. It also ensures that it is run every time the user reboots the system by creating several scheduled tasks. These tasks serve different purposes: they allow the miner to update itself and to reinstall itself on the host if the running components are removed from the compromised computer. This reinfection logic shows how much effort the authors put into persistence, as few creators of cryptocurrency miners go this far.
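A practitioner reading the two paragraphs above will want a way to check a host for exactly this combination: scheduled tasks and Run keys that launch signed Windows utilities ('living off the land') or executables from user-writable locations. The PowerShell script below is an added example written for this page; it is not code from the original article or from the malware, and it contains no Dexphot-specific indicators. The lists of binaries and paths are assumptions to tune for your environment, and the heuristics are meant to surface candidates for review, not to give a verdict.

```powershell
# Added example: hunt for scheduled-task and Run-key persistence that invokes
# commonly abused Windows utilities or anything under a user-writable path.
# Generic heuristics, not Dexphot-specific indicators. Run elevated on
# Windows 8 / Server 2012 or later (needs the ScheduledTasks module).

# Assumed lists; extend them for your environment.
$lolbins = @('msiexec.exe', 'rundll32.exe', 'powershell.exe', 'pwsh.exe', 'mshta.exe',
             'regsvr32.exe', 'wscript.exe', 'cscript.exe', 'certutil.exe', 'bitsadmin.exe')
$userPaths = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:PUBLIC, 'C:\ProgramData')

function Test-SuspiciousCommand {
    param([string]$Command)
    if ([string]::IsNullOrWhiteSpace($Command)) { return $false }
    $c = $Command.ToLowerInvariant()
    foreach ($b in $lolbins) { if ($c.Contains($b)) { return $true } }
    foreach ($p in $userPaths) {
        if ($p -and $c.Contains($p.ToLowerInvariant())) { return $true }
    }
    # Encoded commands and download cradles are a frequent sign of a staged loader.
    return ($c -match '-e(nc|ncodedcommand)?\s' -or
            $c -match 'downloadstring|downloadfile|invoke-webrequest|\biwr\b')
}

# 1. Scheduled tasks. Built-in tasks under \Microsoft\ are skipped to reduce noise;
#    drop the filter if you suspect the attacker hid a task in that tree.
Write-Host '== Scheduled tasks with suspicious actions =='
Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        # COM-handler actions have no Execute/Arguments; they simply yield an empty string.
        $cmd = ("$($action.Execute) $($action.Arguments)").Trim()
        if (Test-SuspiciousCommand $cmd) {
            $info = $task | Get-ScheduledTaskInfo
            [pscustomobject]@{
                Task    = $task.TaskPath + $task.TaskName
                State   = $task.State
                LastRun = $info.LastRunTime
                Command = $cmd
            }
        }
    }
} | Format-Table -AutoSize -Wrap

# 2. Run / RunOnce keys for the machine and the current user.
Write-Host '== Run keys with suspicious commands =='
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$hits = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    # Skip the PS* metadata properties that Get-ItemProperty adds to every object.
    foreach ($prop in ($props.PSObject.Properties | Where-Object { $_.Name -notmatch '^PS' })) {
        $cmd = [string]$prop.Value
        if (Test-SuspiciousCommand $cmd) {
            [pscustomobject]@{ Key = $key; Name = $prop.Name; Command = $cmd }
        }
    }
}
$hits | Format-Table -AutoSize -Wrap
```

Expect some legitimate hits (installers and updaters also use msiexec.exe and rundll32.exe); the value of the check is in the combination of a LOLBin with a user-writable path, an encoded argument, or a task that runs at a short repeating interval, which is the pattern a self-updating, self-reinstalling miner needs. Because Dexphot-style malware runs its later stages inside legitimate processes, this host-side view of persistence is more reliable than looking for an odd executable name in the process list.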
Uses the Victim's Hardware to Mine Cryptocurrency
Despite its impressive functionality when it comes to gaining persistence and operating silently, the Dexphot miner is, in its essence, rather basic and not very different from most threats of this kind. Malware researchers believe that Dexphot is delivered as a second-stage payload by an earlier infection on the compromised host, although the page's source treats this as not yet confirmed. Once the miner has been planted on the targeted system, Dexphot begins mining cryptocurrency with the victim's CPU. This not only causes performance problems but is also likely to shorten the lifespan of the hardware if the miner runs for a long time.
The Dexphot cryptocurrency miner is an interesting threat that has managed to infect an impressive number of systems. Although the number of victims can be estimated, there is no public figure for how much money the authors of the Dexphot miner have earned so far. To keep your system safe from threats like Dexphot, install a legitimate anti-malware security suite and keep all of your software up to date.