
Dexphot

Posted: November 27, 2019

Dexphot is a Trojan botnet that mines cryptocurrency by exploiting infected Windows PCs' system resources. Although its goal is a conventional one, Dexphot is exceptionally evasive and includes anti-AV checks, memory injection, and multiple means of reinstalling or updating itself. Users should take care to expunge all elements of an infection, and should delete Dexphot through appropriate anti-malware tools.

A Trojan Network with Shifty Steps but Steady Motives

Since the summer of 2019, a botnet exhibiting polymorphic tendencies has been active and surging, infecting victims for the sake of cryptocurrency. While Dexphot's numbers are lower than in June, thanks to updated security databases, it remains alive and fulfilling its purpose of making money through hijacked hardware. To do so, it takes advantage of a 'grab bag' of many of the most advanced techniques in detection-evasion-oriented programming.

Dexphot's polymorphism isn't unique to it; readers might find similar tales from campaigns like those of the espionage backdoor Trojan VBShower, or the far older Sality. This trait lets Dexphot adjust some of its indicators of compromise (IOCs) periodically, such as changing URLs for its C&Cs or the file names of its local components. It can do so roughly every half hour to an hour, including updating itself with new anti-security features.

Besides the flexibility of this feature, malware researchers also outline other characteristics of Dexphot's botnet worth noting. Dexphot infections can:

  • Reinstall themselves through Scheduled Tasks and redundant processes.
  • Use process hollowing to run without dropping files on the PC.
  • Use living-off-the-land techniques that hijack Windows applications for threatening purposes.
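The first and third items above, Scheduled Task persistence and the hijacking of Windows' own binaries, both leave a footprint in the task scheduler that a defender can triage. The script below is an added example, not code from this article or from any vendor's analysis of Dexphot. It applies a few heuristics to scheduled-task records: a task whose program lives in a user-writable directory, or a task that launches a living-off-the-land binary with content from such a directory, gets flagged, and a short repeat interval (the half-hour-to-hour cadence the article describes) is noted as supporting context. The field names follow the verbose CSV emitted by `schtasks /query /fo CSV /v` (an assumption of this example), the LOLBin watch-list is this example's own, and the sample task records are constructed.

```python
"""Heuristic triage of Windows Scheduled Tasks for miner-style persistence.

Added example, not from the article or any vendor report. Column names are
those of `schtasks /query /fo CSV /v` (assumed); sample rows are constructed.
"""
import csv
import io
import ntpath
import re

# Windows binaries commonly abused to run attacker-supplied content without
# dropping a new executable ("living off the land"). Assumed watch-list.
LOLBINS = {
    "powershell.exe", "pwsh.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe",
    "wscript.exe", "cscript.exe", "msiexec.exe", "cmd.exe", "certutil.exe",
}

# Directory components that ordinary users can write to. A persistent task
# that runs from (or loads content from) one of these deserves a look.
USER_WRITABLE = re.compile(
    r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.IGNORECASE)


def first_token(cmd):
    """Return the program portion of a 'Task To Run' command line,
    handling a quoted path that contains spaces."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', cmd or "")
    return (m.group(1) or m.group(2)) if m else ""


def parse_repeat_minutes(value):
    """Convert a 'Repeat: Every' field such as '0 Hour(s), 30 Minute(s)' to
    minutes; return None for tasks that do not repeat ('N/A')."""
    m = re.search(r"(\d+)\s*Hour\(s\),\s*(\d+)\s*Minute\(s\)", value or "")
    if not m:
        return None
    return int(m.group(1)) * 60 + int(m.group(2))


def triage_tasks(rows, max_repeat_minutes=60):
    """Return [(task_name, [reasons])] for every task record that trips a
    path-based heuristic. Repeat cadence alone never flags a task, because
    many legitimate Windows tasks also run hourly."""
    findings = []
    for row in rows:
        cmd = row.get("Task To Run", "")
        program = first_token(cmd)
        exe = ntpath.basename(program).lower()
        reasons = []
        if USER_WRITABLE.search(program):
            reasons.append("task program lives in a user-writable directory")
        elif exe in LOLBINS and USER_WRITABLE.search(cmd):
            reasons.append(f"{exe} launches content from a user-writable path")
        if not reasons:
            continue
        repeat = parse_repeat_minutes(row.get("Repeat: Every"))
        if repeat is not None and repeat <= max_repeat_minutes:
            reasons.append(f"re-runs every {repeat} minutes")
        findings.append((row.get("TaskName", "?"), reasons))
    return findings


def triage_csv(csv_text, max_repeat_minutes=60):
    """Same triage over raw CSV text captured from `schtasks /query /fo CSV /v`."""
    return triage_tasks(csv.DictReader(io.StringIO(csv_text)), max_repeat_minutes)


# Constructed sample records (not real IOCs): two benign Microsoft-style tasks,
# one LOLBin task pulling an .hta from a temp folder, one binary in ProgramData.
SAMPLE_TASKS = [
    {"TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "Task To Run": r"%windir%\system32\defrag.exe -c -h -o -$",
     "Repeat: Every": "N/A"},
    {"TaskName": r"\ReportTask_example",
     "Task To Run": r"powershell.exe -NoProfile -File C:\Windows\System32\Tasks\report.ps1",
     "Repeat: Every": "1 Hour(s), 0 Minute(s)"},
    {"TaskName": r"\UpdaterTask_example",
     "Task To Run": r'"C:\Windows\System32\mshta.exe" C:\Users\alice\AppData\Local\Temp\update.hta',
     "Repeat: Every": "0 Hour(s), 30 Minute(s)"},
    {"TaskName": r"\HelperTask_example",
     "Task To Run": r"C:\ProgramData\svc\helper.exe /s",
     "Repeat: Every": "N/A"},
]

if __name__ == "__main__":
    for name, reasons in triage_tasks(SAMPLE_TASKS):
        print(name)
        for reason in reasons:
            print("   -", reason)
```

The second sample task shows the point of requiring a user-writable path: `powershell.exe` is on the watch-list, but a script under `System32` does not by itself make the task suspicious, so it is left alone while the `mshta.exe` task loading from `AppData\Local\Temp` is reported together with its 30-minute cadence.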

These techniques, while often parts of state-sponsored hacking operations, are rare to see in 'for-profit' ones like Dexphot's botnet. However, Dexphot's payload's purpose is generating cryptocurrency, just like Norman or the MassMiner worm, which makes it evident that enterprising career criminals are adopting the strategies fostered by more professional and well-funded campaigns.

Pinning Down Trojans with Mercurial Features

Surprisingly, Dexphot's installation methods are one of the steadier aspects of its campaign, and one that the average user might detect and avoid. Dexphot Trojans circulate with the aid of another Trojan, ICLoader, which can drop Dexphot or another threat as the second-stage infection. Typically, users expose themselves to ICLoader by downloading illicit files (such as movies or game cracks) or freeware from a disreputable peer-to-peer network or website.

Since countermeasures by Microsoft and other cyber-security entities took effect, the rate of growth in Dexphot's botnet has slowed compared to its heyday in early 2019. Despite infection counts being lower than ever, Dexphot maintains a presence in the wild and appears to be targeting Windows users semi-indiscriminately. Victims should react to infections promptly due to the ever-present risk of hardware damage from non-consensual mining programs.

Users with anti-malware protection can benefit from it in two ways. Firstly, Dexphot's installer checks for notable brands of anti-malware services and avoids installing the Trojan in such cases. Secondly, such tools may remove Dexphot as necessary after infection occurs.

Dexphot is a snapshot of many of the hottest strategies and techniques at work in Black Hat programming today. The fact that it doesn't need a government's help to stay under the radar is a troubling development for everyone – except the self-enriching criminals.
