Written by Anthony Carballo
on November 28, 2019

Security researchers at Microsoft have been tracking a new strain of cryptocurrency miner, which they named Dexphot based on specific characteristics of the malware code. The malware has been active since October 2018. The malicious code abuses the resources of the infected machine to mine cryptocurrency; according to the researchers, it has already infected 80,000 computers worldwide.

It hijacks legitimate system processes to disguise malicious activity. If not stopped, Dexphot runs a cryptocurrency miner using the resources of the infected device.

The number of infections reached a peak in June, and the number of daily infected systems has been slowly going down.




According to Microsoft, this malware uses a variety of sophisticated methods to evade security solutions. Layers of obfuscation, encryption, and the use of randomized file names conceal the installation process. Dexphot then uses file-less techniques to run malicious code directly in memory, leaving only a few traces that can be used for forensics.

It hijacks legitimate system processes to disguise malicious activity. If not stopped, Dexphot ultimately runs a cryptocurrency miner on the device, with monitoring services and scheduled tasks triggering re-infection when defenders attempt to remove the malware.

The early stages of a Dexphot infection involve numerous files and processes. During the execution stage, the malware writes five key files to disk:

  • An installer with two URLs
  • An MSI package file downloaded from one of the URLs
  • A password-protected ZIP archive
  • A loader DLL, which is extracted from the archive
  • An encrypted data file that holds three additional executables, which are loaded into system processes via process hollowing (a technique that can hide malware within a legitimate system process).

Apart from the installer, the other processes that run during execution are legitimate Windows processes. This makes detection and remediation more complex.

These legitimate system processes include msiexec.exe for installing MSI packages, unzip.exe for extracting files from the password-protected ZIP archive mentioned above, rundll32.exe for loading the loader DLL, schtasks.exe for scheduling tasks, and powershell.exe for forced updates.

In later stages, Dexphot targets a few other system processes for process hollowing: svchost.exe, tracert.exe, and setup.exe.
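One way to turn the process names above into a behavior-sequence check, as an added example that is not from the original post or from Microsoft's research: it walks process-creation records and flags any msiexec.exe whose descendants chain several of the listed tools. The record layout, the threshold of three tools, the 300-second window, the assumption that the tools run as descendants of msiexec.exe, and the assumption that PIDs are not reused within the data are all illustrative.

```python
from collections import defaultdict

# Tools the article lists as running during the execution stage.
STAGE_TOOLS = {"unzip.exe", "rundll32.exe", "schtasks.exe", "powershell.exe"}
# Processes the article lists as later process-hollowing targets.
HOLLOW_TARGETS = {"svchost.exe", "tracert.exe", "setup.exe"}

# Constructed process-creation records: (pid, parent_pid, image, seconds).
SAMPLE_EVENTS = [
    (500, 4, "services.exe", 0),
    (610, 500, "msiexec.exe", 5),       # routine software install
    (611, 610, "rundll32.exe", 6),
    (700, 500, "msiexec.exe", 100),     # chain resembling the article's list
    (701, 700, "unzip.exe", 103),
    (702, 700, "rundll32.exe", 104),
    (703, 702, "schtasks.exe", 110),
    (704, 702, "powershell.exe", 111),
    (705, 702, "svchost.exe", 115),
    (800, 500, "svchost.exe", 120),     # normal service host
]

def subtree(children, root):
    """Yield every event descended from root (depth-first)."""
    stack = list(children[root])
    while stack:
        ev = stack.pop()
        yield ev
        stack.extend(children[ev[0]])

def find_suspicious_installs(events, min_tools=3, window=300):
    """Flag msiexec.exe trees that chain several of the listed tools."""
    children = defaultdict(list)
    for ev in events:
        children[ev[1]].append(ev)      # index events by parent pid
    findings = []
    for pid, _ppid, image, start in events:
        if image.lower() != "msiexec.exe":
            continue
        recent = [e for e in subtree(children, pid) if e[3] - start <= window]
        names = {e[2].lower() for e in recent}
        tools = sorted(names & STAGE_TOOLS)
        if len(tools) >= min_tools:
            findings.append({"msiexec_pid": pid, "tools": tools,
                             "hollow_targets": sorted(names & HOLLOW_TARGETS)})
    return findings

if __name__ == "__main__":
    for finding in find_suspicious_installs(SAMPLE_EVENTS):
        print(finding)
```

Each tool is benign on its own; the signal is the combination under a single install, so the routine msiexec.exe with one rundll32.exe child is not flagged.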



The continued focus on using built-in Windows functions and programs allows the attackers to persist mostly unnoticed after their first bypass of security controls.

This makes Dexphot especially troublesome for defenders, since the malware uses legitimate Windows processes and services to carry out its activity.

In fact, excluding the installer that is used to drop the malware on the victim's machine, all other processes that Dexphot uses are legitimate system processes.

Malware employing such living-off-the-land tactics has become a significant and growing problem not only for organizations but also for individuals. Several legitimate processes have been identified that attackers increasingly use to hide malicious activity, PowerShell being one of the most popular.

Dexphot exemplifies the level of complexity and rate of evolution of even everyday threats, intent on evading protections, and motivated to fly under the radar for the prospect of profit.



While this malware is not the type of attack that generates lots of media attention, it's one of the endless malware campaigns that are active in the wild. Its goal is a widespread one for cybercriminals: installing a coin miner that silently steals computer resources and generates revenue for them.

This "simple" malware reinforces our position that signature-based detection is not enough anymore. Your typical antivirus may not be sufficient to stay safe in this connected world; if you want to be a step ahead of adversaries, you need edge technology to be protected. We are passionate about two things: cybersecurity and defeating the bad guys. Our objective is to provide this edge technology, a technology that doesn't cost you an arm.

Behavior detection founded on machine learning is the way to go to identify this kind of threat, flagging any suspicious process, behavior sequence, or advanced attack technique.


TTPs: Tactics, techniques and procedures
