Source: IT Home

Microsoft has published an alert detailing a new malware variant called Dexphot that has infected more than 80,000 devices since it was first discovered in 2018. Hackers reportedly use Dexphot mainly to mine cryptocurrencies, not to steal data. Although the malware is relatively harmless, its methods are very complex, allowing it to evade detection by traditional security tools.

One of its techniques is polymorphism: it constantly changes its footprint on the computer, doing so every 20-30 minutes. It can also reinstall itself to ensure that there is enough time for mining.

Dexphot writes five key files to disk, including an installer with two URLs; an MSI package downloaded from one of the URLs as a password-protected zip file; a loader DLL extracted from the archive; and an encrypted data file from which three additional executables are loaded into system processes.

"Besides the installer, other processes that run during execution are legitimate system processes. This can make detection and remediation more difficult," researchers noted. "In later stages, Dexphot targets several other system processes for hollowing, including svchost.exe, tracert.exe, and setup.exe."

Microsoft has since deployed measures to improve detection rates and prevent attacks, and the number of infected devices has slowly decreased. As of July 31 this year, it has been fewer than 10,000.