In October 2018, Microsoft detected a new threat attempting to deploy files on thousands of devices, with the files changing every 20-30 minutes. Dexphot, as Microsoft called it, used a variety of methods to evade detection, including obfuscation, encryption and randomized file names upon installation. It even used some “fileless” techniques to run code directly from memory while injecting into legitimate processes on the victim machine. Dexphot’s end goal was to abuse victim computers’ CPU resources to mine cryptocurrency. Dexphot used services and scheduled tasks to monitor itself so it could be restarted if anything attempted to stop or remove it. At its peak in June 2019, Dexphot was running on almost 80,000 devices.
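The persistence described above, a scheduled task that re-launches a randomly named binary from a user-writable directory on a short interval, is the kind of thing a defender can triage from a scheduled-task export. The following Python is an added example, not code from Microsoft or Binary Defense: it parses a constructed CSV laid out like a column-reduced `schtasks /query /fo CSV /v` export and flags tasks that combine an action outside trusted directories, a random-looking file name, and a repeat interval of 30 minutes or less. The task names, paths and intervals in the sample are invented, and the scoring thresholds are assumptions for illustration.

```python
import csv
import io
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample rows in the layout of a column-reduced `schtasks /query /fo CSV /v`
# export. Every task name, path and interval here is invented for this example.
SAMPLE_CSV = r'''"HostName","TaskName","Status","Author","Task To Run","Run As User","Repeat: Every"
"WS01","\Microsoft\Windows\Defrag\ScheduledDefrag","Ready","Microsoft Corporation","%windir%\system32\defrag.exe -c -h -k -g -$","SYSTEM","Disabled"
"WS01","\GoogleUpdateTaskMachineUA","Ready","","""C:\Program Files (x86)\Google\Update\GoogleUpdate.exe"" /ua /installsource scheduler","SYSTEM","1:00:00"
"WS01","\Updater_7f3a","Ready","WS01\alice","C:\Users\Public\a8d3fk2q9z.exe","SYSTEM","0:30:00"
'''

# Directories from which scheduled actions are normally expected to run (assumed allow-list).
TRUSTED_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)
# "Random-looking": 8+ alphanumerics mixing letters and digits, with an executable extension.
RANDOM_NAME = re.compile(r"^(?=.*\d)(?=.*[a-z])[a-z0-9]{8,}\.(?:exe|dll|ps1|vbs|bat|cmd)$", re.I)
# First token of "Task To Run": an optionally quoted path ending in an executable extension.
ACTION_PATH = re.compile(r'^"?([^"]+?\.(?:exe|dll|ps1|vbs|bat|cmd|js))"?', re.I)
MAX_REPEAT_MINUTES = 30  # assumed threshold; Dexphot rotated files every 20-30 minutes


def parse_schtasks_csv(text: str) -> List[Dict[str, str]]:
    """Read the CSV export into one dict per task, keyed by column header."""
    return list(csv.DictReader(io.StringIO(text)))


def parse_repeat_minutes(value: str) -> Optional[int]:
    """Convert a 'Repeat: Every' value such as '0:30:00' (H:MM:SS) to minutes; None if not set."""
    m = re.fullmatch(r"(\d+):(\d{2}):(\d{2})", value.strip())
    if not m:
        return None
    hours, minutes, seconds = (int(x) for x in m.groups())
    return hours * 60 + minutes + (1 if seconds else 0)


def action_path(task_to_run: str) -> str:
    """Extract the executable path from 'Task To Run', lower-cased with common env vars expanded."""
    m = ACTION_PATH.match(task_to_run.strip())
    path = (m.group(1) if m else task_to_run.strip()).lower()
    for var in ("%windir%", "%systemroot%"):
        path = path.replace(var, "c:\\windows")
    return path


def score_task(row: Dict[str, str]) -> List[str]:
    """Return the list of reasons a task looks like self-restarting malware persistence."""
    reasons: List[str] = []
    path = action_path(row.get("Task To Run", ""))
    if not path.startswith(TRUSTED_DIRS):
        reasons.append(f"binary outside trusted directories: {path}")
    name = path.rsplit("\\", 1)[-1]
    if RANDOM_NAME.match(name):
        reasons.append(f"random-looking file name: {name}")
    minutes = parse_repeat_minutes(row.get("Repeat: Every", ""))
    if minutes is not None and minutes <= MAX_REPEAT_MINUTES:
        reasons.append(f"re-runs every {minutes} min")
    return reasons


def find_suspicious(rows: List[Dict[str, str]], min_reasons: int = 2) -> List[Tuple[str, List[str]]]:
    """Tasks that accumulate at least `min_reasons` indicators, with their reasons."""
    hits = []
    for row in rows:
        reasons = score_task(row)
        if len(reasons) >= min_reasons:
            hits.append((row["TaskName"], reasons))
    return hits


if __name__ == "__main__":
    for task_name, why in find_suspicious(parse_schtasks_csv(SAMPLE_CSV)):
        print(task_name)
        for reason in why:
            print("  -", reason)
```

Requiring two indicators keeps a legitimate updater that merely runs hourly from Program Files out of the results, while the invented `\Updater_7f3a` task trips all three. On a real host the same functions can be pointed at the output of `schtasks /query /fo CSV /v`, and the allow-list and threshold tuned to the environment.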
Written by: Nataliia Zdrok, Threat Intelligence Analyst at Binary Defense

Russia’s invasion of Ukraine increased