Microsoft's security experts have just identified a new type of cryptocurrency miner that has infected almost 80,000 Windows computers since October.
According to them, the miner, dubbed Dexphot, infected all these devices in June 2019. Experts believe Dexphot uses more sophisticated mechanisms than conventional cryptojacking programs: fileless techniques, polymorphism and persistence mechanisms.
Dexphot has been running on computers previously infected with the ICLoader virus.
To run its malicious code, the malware abuses legitimate Windows processes such as msiexec.exe, unzip.exe, rundll32.exe, schtasks.exe and powershell.exe, which makes identifying the malware difficult because its activity is hard to distinguish from that of other local applications.
The attackers behind Dexphot change the file names and URLs used in the infection process every 20-30 minutes to make identifying the miner harder.
Although Dexphot always deploys some kind of cryptocurrency miner, it is not always the same one: during the research the malware used different miners, including XMRig and JCE Miner.
In addition, Dexphot can reactivate itself if it is detected by antivirus software, as it is updated every 90-110 minutes or every time the system is rebooted.
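As an added example (not from the article or from Microsoft), the following Python detector looks for the two observable patterns the article describes: one of the listed Windows binaries spawning another, and a scheduled task that repeats within the 90-110 minute re-run window or fires at every boot. The event shape, field names and the sample events are constructed assumptions.

```python
# Binaries the article lists as abused by Dexphot; all are legitimate Windows tools.
LOLBINS = {"msiexec.exe", "unzip.exe", "rundll32.exe", "schtasks.exe", "powershell.exe"}

# Constructed process-creation events in a Sysmon-like shape (not real telemetry).
S32 = r"C:\Windows\System32"
SAMPLE_EVENTS = [
    {"pid": 10, "parent": r"C:\Windows\explorer.exe", "image": r"C:\App\app.exe", "cmd": "app.exe"},
    {"pid": 20, "parent": r"C:\Windows\explorer.exe", "image": S32 + r"\msiexec.exe",
     "cmd": "msiexec.exe /i setup.msi /quiet"},
    {"pid": 21, "parent": S32 + r"\msiexec.exe", "image": S32 + r"\rundll32.exe",
     "cmd": r"rundll32.exe C:\ProgramData\a1b2.dll,Run"},
    {"pid": 22, "parent": S32 + r"\rundll32.exe", "image": S32 + r"\schtasks.exe",
     "cmd": r"schtasks.exe /create /sc minute /mo 100 /tn Upd /tr C:\ProgramData\x.exe /f"},
    {"pid": 23, "parent": S32 + r"\rundll32.exe", "image": S32 + r"\schtasks.exe",
     "cmd": r"schtasks.exe /create /sc onstart /tn Upd2 /tr C:\ProgramData\y.exe /f"},
    {"pid": 30, "parent": r"C:\Windows\explorer.exe", "image": S32 + r"\schtasks.exe",
     "cmd": r"schtasks.exe /create /sc daily /tn Backup /tr backup.exe"},
]

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def lolbin_chain_alerts(events):
    """Flag one listed binary spawning another: the msiexec -> rundll32 -> schtasks
    shape is far rarer for ordinary installers than each binary seen on its own."""
    hits = []
    for ev in events:
        parent, child = basename(ev["parent"]), basename(ev["image"])
        if parent in LOLBINS and child in LOLBINS:
            hits.append((ev["pid"], f"{parent} -> {child}"))
    return hits

def persistence_task_alerts(events, lo=90, hi=110):
    """Flag schtasks /create with a minute-based repeat in [lo, hi] (the article's
    90-110 minute re-run interval) or an ONSTART trigger (re-run after reboot)."""
    hits = []
    for ev in events:
        if basename(ev["image"]) != "schtasks.exe":
            continue
        toks = ev["cmd"].lower().split()
        if "/create" not in toks:
            continue
        # Map each /switch to the token that follows it (last token has no value).
        opts = {toks[i]: toks[i + 1] for i in range(len(toks) - 1) if toks[i].startswith("/")}
        sched = opts.get("/sc")
        if sched == "onstart":
            hits.append((ev["pid"], "task runs at every boot"))
        elif sched == "minute" and opts.get("/mo", "").isdigit() and lo <= int(opts["/mo"]) <= hi:
            hits.append((ev["pid"], f"task repeats every {opts['/mo']} minutes"))
    return hits
```

Either rule alone will produce noise on real endpoints; correlating both within the same process tree is what makes the alert worth an analyst's time.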