Microsoft security engineers have described a new cryptocurrency miner, Dexphot, which since October 2018 has infected almost 80,000 computers running Windows.
The malware reached its peak in June 2019.
Microsoft's experts emphasized the comparatively high level of sophistication of the new crypto-jacking program: it uses fileless execution and polymorphism, together with multi-layered, redundant persistence mechanisms.
Dexphot is delivered to computers that were previously infected by the ICLoader malware, and it runs in the computer's memory.
To execute its malicious code, the program uses legitimate Windows processes and utilities, such as msiexec.exe, unzip.exe, rundll32.exe, schtasks.exe and powershell.exe, which makes its activity hard to distinguish from that of other local applications.
Every 20-30 minutes, the Dexphot operators change the file names and URLs used during the infection process, which further complicates detection of the miner. Dexphot itself runs various cryptocurrency miners, for example XMRig or JCE Miner.
The software can also restore itself from a backup copy, every 90 or 110 minutes, if any of its components are detected by antivirus software.
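As an added illustration of how a defender might look for the behaviour described above in process-creation telemetry (example code written for this page, not from the article or from Microsoft; the log format, field names and sample events are constructed):

```python
"""Added example (not from the article or Microsoft's report): flag Dexphot-style
living-off-the-land activity in process-creation events. Log format, field names
and the sample events are constructed for this example."""
import re
from collections import Counter
# Utilities the article names as abused by Dexphot, and the re-run intervals it describes.
LOLBINS = {"msiexec.exe", "unzip.exe", "rundll32.exe", "schtasks.exe", "powershell.exe"}
SUSPECT_INTERVALS_MIN = {90, 110}

# Constructed sample events: "<time> parent=<image> child=<image> cmd=<command line>"
SAMPLE_LOG = """\
09:00:01 parent=explorer.exe child=msiexec.exe cmd=msiexec.exe /i C:\\Temp\\a.msi /q
09:00:04 parent=msiexec.exe child=unzip.exe cmd=unzip.exe C:\\Temp\\pkg.zip
09:00:06 parent=msiexec.exe child=rundll32.exe cmd=rundll32.exe C:\\Temp\\x.dll,Start
09:00:09 parent=rundll32.exe child=schtasks.exe cmd=schtasks.exe /create /sc minute /mo 90 /tn Upd /tr C:\\Temp\\r.exe
09:00:10 parent=rundll32.exe child=schtasks.exe cmd=schtasks.exe /create /sc minute /mo 110 /tn Upd2 /tr C:\\Temp\\s.exe
09:00:12 parent=rundll32.exe child=powershell.exe cmd=powershell.exe -File C:\\Temp\\t.ps1
11:00:00 parent=explorer.exe child=notepad.exe cmd=notepad.exe C:\\notes.txt
"""
LINE_RE = re.compile(r"^(?P<time>\S+) parent=(?P<parent>\S+) child=(?P<child>\S+) cmd=(?P<cmd>.*)$")
TASK_RE = re.compile(r"/sc\s+minute\s+/mo\s+(\d+)", re.IGNORECASE)

def parse_events(log):
    """Parse log lines into dicts; image names are lower-cased for matching."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["parent"], ev["child"] = ev["parent"].lower(), ev["child"].lower()
            events.append(ev)
    return events

def find_dexphot_indicators(log):
    """Return (reason, event) pairs for the behaviours the article describes."""
    findings = []
    for ev in parse_events(log):
        # One abused utility spawning another (msiexec -> unzip/rundll32 -> schtasks/powershell).
        if ev["parent"] in LOLBINS and ev["child"] in LOLBINS:
            findings.append(("lolbin-chain", ev))
        # A scheduled task created to re-run every 90 or 110 minutes.
        if ev["child"] == "schtasks.exe":
            m = TASK_RE.search(ev["cmd"])
            if m and int(m.group(1)) in SUSPECT_INTERVALS_MIN:
                findings.append(("persistence-interval", ev))
    return findings

def summarize(log):
    """Count findings by reason; SAMPLE_LOG gives 5 chain hits and 2 interval hits."""
    return dict(Counter(reason for reason, _ in find_dexphot_indicators(log)))
```

A single flagged process is weak evidence on its own; the chain of abused utilities plus a task with one of the described intervals is what makes the pattern worth an analyst's attention.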
Thanks to the countermeasures taken by Microsoft, infections by the Dexphot miner have fallen significantly in recent months.