In October of 2018, Microsoft detected a new threat attempting to deploy files on thousands of devices that could change every 20-30 minutes. Dexphot, as Microsoft called it, used a variety of methods to evade detection including obfuscation, encryption and randomized file names upon installation. It even used some “fileless” techniques to run code directly from memory while injecting into legitimate processes on the victim machine. Dexphot’s end goal was to abuse victim computers’ CPU resources to mine cryptocurrency. Dexphot used services and scheduled tasks to monitor itself so it could be restarted if anything attempted to stop or remove it. At its peak in June 2019, Dexphot was running on almost 80,000 devices.
By: Dan McNemar It is not a new concept that criminals use the Darknet to