How to Protect Your Organization’s Network from Complex and Evolving Malware
Microsoft recently reported about Dexphot, an evolving malware (malicious software) that exhibits a level of complexity and evolution aimed at evading traditional security protections and flying under the radar of cyber defenders.
Microsoft, in its latest blog post “Insights from one year of tracking a polymorphic threat” reported that it first detected Dexphot in October 2018. On June 18, 2019 alone, the report said, computers infected by this malware reached 80,000.
According to Microsoft, while Dexphot won’t attract media attention as this malware’s goal is simply to steal the infected computers’ computing power for cryptocurrency mining to raise revenue for the attackers, this malware “exemplifies the level of complexity and rate of evolution of even everyday threats, intent on evading protections and motivated to fly under the radar for the prospect of profit”.
Evasion Techniques Used by Dexphot
According to Microsoft, legitimate system processes such as MSI, DLL and PowerShell are used by the malware Dexphot to evade traditional security protections and solutions.
MSI
MSI, which stands for Windows Installer, is an installer package file format used by Windows. According to Microsoft, the Dexphot attackers use different URLs and change these URLs every few days to host payloads such as MSI packages.
Payloads refer to the portion of the malware that performs malicious action. Microsoft said it identified so far nearly 200 unique URLs used to host payloads for Dexphot. During execution of this malware, Microsoft said an installer downloads from one of these URLs and then launch msiexec.exe to perform a silent install of a code that checks for antivirus products. The malware immediately stops the infection process once it determines that an antivirus product is running.
DLL
When the malware determines that the system isn’t running an antivirus product, it proceeds with the infection. The launched msiexec.exe runs the file rundll32.exe specifying loader DLL, Microsoft said.
DLL, which stands for dynamic link libraries, is Microsoft’s implementation of the shared library concept. According to Microsoft, DLLs are intended to promote modularization of code, code reuse and efficient memory usage. Attackers, meanwhile, can use DLL to mask their malicious actions.
In the case of the Dexphot malware, Microsoft said loader DLL is used to decrypt a data file and this decrypted data contains three executables – files used to perform various operations on a computer and, in this case, used for malicious processes. The first two executables are used to monitor services for maintaining Dexphot’s components, while the third executable is responsible for the actual cryptocurrency mining.
According to Microsoft, the Dexphot malware runs the said three executables by loading them into other system processes via the process called “hollowing”. Microsoft describes hallowing as a code injection technique that replaces legitimate code with malware. Unlike most code injection techniques, Microsoft said, hollowing adds a malicious feature to an otherwise normally running process, that is, it looks legitimate on the outside but is malicious on the inside.
The hallowing process in the Dexphot malware, in particular, “hollows out” legitimate system processes, namely, svchost.exe, nslookup.exe and setup.exe file in SysWoW6. Using the loader DLL, Microsoft said contents of these legitimate system processes are replaced by the three executables.
PowerShell
The Dexphot malware also uses legitimate system process called “PowerShell” – a tool in Windows operating system to perform a number of actions, including code execution as well as download and run executables from the internet, which can be executed from memory without touching disk. Running malicious code directly in memory leaves few traces that can be used for investigation.
In the case of the Dexphot malware, in the event any of the three malicious processes is terminated, Microsoft said, all remaining malicious processes are terminated and re-infection of the computer is initiated. The termination and re-infection processes are made possible via PowerShell command.
Polymorphism
According to Microsoft, a traditional file-based detection approach wouldn’t be effective against Dexphot as this malware exhibits multiple layers of polymorphism, that is, appearing in different forms. With Dexphot, contents of each loader DLL come in different forms and encrypted data also comes in different forms.
A different loader DLL, Microsoft said, leads to a different MSI package, with some MSI packages containing clean version of unzip.exe, a password-protected ZIP file, and a batch file, while other versions of MSI packages come without this batch file. Files used by this malware also comes in different names.
At a certain time, Microsoft said the Dexphot malware attempted to deploy files that changed every 20-30 minutes on thousands of computers. The company said that while infections of the Dexphot malware have significantly dropped, the years’ worth of observing this malware not only gives the company insights into the goals and motivations of Dexphot’s authors, but also to cyber criminals in general. All throughout the report, however, Microsoft didn’t include how Dexphot infected computers in the first place.
Preventive and Mitigating Measures Against Complex and Evolving Malware
Microsoft said several of its next-generation protection engines in Microsoft Defender Advanced Threat Protection’s antivirus component detect and stop malicious techniques, such as blocking DLLs loaded by rundll32.exe, and memory scans detect and terminate the loading of malicious code hidden by process hollowing.
Behaviour-based machine learning in Microsoft Defender Advanced Threat Protection, the company said, spots suspicious process behaviour sequences and advanced attack techniques. The company further said that running a scan via Windows Defender Antivirus prevents re-infection by removing artifacts.
Defending your network against evolving malware can be a full-time job. Let our experts minimize the exposure and help your team focus on your business. Call today (416) 920-3000 or email us at sales@genx.ca