According to this link: (,) A Dexphot campaign was first spotted in October 2018 affecting thousands of computers, with attackers upgrading the malware over the following months to a level that left little to analyse. The threat had a surge in mid-June this year, when it landed on tens of thousands of computers. Towards the end of the month the attacks subsided, less than 20,000 machines exhibiting Dexphot activity. By the end of July, the malware was seen on less than 10,000 machines every day.

For about a year, security researchers at Microsoft tracked the malware observing the combination of methods that let it slip through the cracks. Hackers used code obfuscation, encryption, randomised file names, and deploying malicious code in memory were some of the methods used to avoid detection.

Notify of
4 Expert Comments
Oldest Most Voted
Inline Feedbacks
View all comments
Dan Pitman
Dan Pitman , Principal Security Architect
InfoSec Expert
November 28, 2019 1:32 pm

\”Detection of polymorphic malware and other threats that avoid traditional signature detection relies on a more behavioural analysis based approach on the endpoint and network. By monitoring for suspicious activity, such as contacting known command and control infrastructure or making requests on the network that are abnormal, the activity of a breach can be detected and the polymorphic malware found – monitoring the behaviour of the computers themselves helps to; by building a model of the normal behaviour of a system activities that abnormally use resources can be lead threat hunters to the source of infection.

Starting with educating users is the first protection, treating the root cause of infection being the best plan of attack – Equally important is putting in solutions backed by trusted experts that can detect behaviour of infections beyond traditional signature detection is a must in today’s complex threat landscape. Attackers and defenders are fighting it out with more intelligent evasion and detection techniques so the expertise and ability to evolve detection techniques is critical.\”

Last edited 3 years ago by Dan Pitman
Javvad Malik
Javvad Malik , Security Awareness Advocate
InfoSec Expert
November 28, 2019 1:30 pm

\”Comprehensive detection controls need to be in place throughout the organisation. This should be enforced with reliable and up to date threat intelligence data that can be used to identify indicators of compromise (IoCs) and ideally have an orchestrated response.

The main issue with any form of attack is learning how the attack actually makes it into the organisation and blocking it at the root. In many cases, attacks are usually successful due to social engineering, unpatched software, or a supply chain compromise. If organisations can work to address these biggest avenues, they can usually prevent most malware from being successful.

Other than threat detection and response controls, having behavioural monitoring capabilities can also help in detecting such attacks which do not follow one pattern of behaviour.\”

Last edited 3 years ago by Javvad Malik
David Kennefick
David Kennefick , Product Architect
InfoSec Expert
November 28, 2019 1:28 pm

\”There are additional complexities in detecting polymorphic threats. Its ability to change and adapt based on scenarios makes a formidable foe. Think of ED-209 vs T-1000, one is a blunt instrument and one can adapt to its scenarios. Dexphot is the T-1000 in this scenario.

In order to protect from such threats, up to date signatures in your anti-malware technology are the first step. This, combined with multi-layer checks provide a greater chance of catching this type of malware, as well as a multi-engine approach.

The aim of malware is always the same, however. Exploit a user or resource for the benefit of the attacker. This is why behaviour-based blocking is particularly successful here. If attackers wish to steal data, they\’ll have to get it out of the network, and this is a repetitive behaviour that can be analysed and addressed, leading to it ultimately being blocked at the source.\”

Last edited 3 years ago by David Kennefick
Hugo van Den Toorn
Hugo van Den Toorn , Manager, Offensive Security
InfoSec Expert
November 28, 2019 1:21 pm

\”Even for end-points the defense in-depth method applies. Such polymorphic threats are, although a technical masterpiece, hard to eradicate from your systems. In this case the sudden increase in processing utilization cause by Dexphot should be a give-away that something is wrong with an infected host. However, also on the endpoints you want to be able to prevent and/or detect the malware at any of its stages.

The best thing would be to prevent the host of becoming infected. Either by having an Internet proxy, or local ‘safe-browsing’ solution the prevents the user from downloading anything from malicious locations. Should the installer still make its way onto the system, the antivirus solution on the device should detect it. If due to its polymorphic nature the initial installer not be detected, then throughout the malware’s various stages one of the executables or system calls utilized should raise an alert. If all would fail, which is realistic when facing a newly developed malware threat. The endpoint should, once the malware is executed and goes into its ‘operational state’ detect the unusual behavior. If a user always uses a browser and Word processor, and all of a sudden the user start mining virtual currencies, the system would alert or even quarantine the involved processes and files.

However, should such polymorphic malware make its way through your lines of defenses the effective remediation is often very difficult. You can compare it to a three-headed hydra, if you cut off one head it grows back multiple others. In this case, if your anti-virus would remove one of the files because it thinks its malicious but does not remove the others. Chances are the malware would execute itself again, change its appearances and persist on its host system.\”

Last edited 3 years ago by Hugo van Den Toorn
Would love your thoughts, please comment.x