Malware that Microsoft has been tracking for over a year has been leveraging numerous techniques for evasion, including random file names, fileless installation, and polymorphism.
Microsoft, which calls the malware Dexphot, noticed that it attempted to deploy files that changed two or three times per hour. Targeting thousands of devices, the polymorphic malware was running code directly in memory and hijacking legitimate system processes to evade detection.
Large-scale at first, the campaign dropped in intensity over time, and only a few machines still encounter Dexphot-related malicious behavior.
Dexphot’s infection process starts with the writing of five files to disk: an installer with two URLs, an MSI file, a password-protected ZIP archive, a loader DLL extracted from the archive, and an encrypted data file containing three additional executables.
The malware abuses numerous legitimate system processes during execution, such as msiexec.exe, unzip.exe, rundll32.exe, schtasks.exe, and powershell.exe in early stages, and svchost.exe, tracert.exe, and setup.exe in later stages.
The Dexphot installer is dropped and executed by SoftwareBundler:Win32/ICLoader and its variants. The installer then leverages two URLs to fetch malicious payloads (the same URLs are later used for persistence, updates, and re-infection).
An MSI package is downloaded from one URL and msiexec.exe used for a silent install. A batch script in Dexphot’s package is first executed when the installation process starts, to check for antivirus products.
The malware checks for the presence of antivirus products from Avast and AVG, as well as for Windows Defender Antivirus, and the infection is halted if such an application is found.
Otherwise, the password-protected ZIP archive is decompressed to extract the loader DLL, an encrypted data file and an unrelat ..
Support the originator by clicking the read the rest link below.
