
Dexphot Trojan

Summary

First observed in October 2018, Dexphot is a polymorphic trojan sold on hacking forums and dark web sites.


Affected platforms

The following platforms are known to be affected:

Threat details

Dexphot is delivered by an unidentified dropper, which is itself distributed as a hidden package inside legitimate applications hosted on third-party sites. When executed, the dropper connects to a URL to download a batch script, an MSI file and an encrypted data file. The batch script checks for the presence of several anti-virus products before the MSI file containing Dexphot is executed.

Once installed, Dexphot decrypts the data file and uses process hollowing to load a cryptocurrency mining module on the affected system. Notably, Dexphot carries several well-known miners and cycles between them whenever the system reboots.
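The delivery chain above (a batch script run by cmd.exe that then launches msiexec on an MSI from a user-writable folder) can be picked out of process-creation telemetry. The following is an added example, not code from the advisory; the events are constructed, modelled loosely on Sysmon Event ID 1 fields, and the paths and process names are assumptions rather than Dexphot indicators.

```python
# Added example: flag msiexec launched on an MSI in a user-writable path when a
# cmd.exe running a .bat is among its recent ancestors. Events are constructed.
import re
from collections import namedtuple

Event = namedtuple("Event", "pid ppid image cmdline")

# Constructed sample events (not real Dexphot data); first chain mirrors the
# dropper -> batch script -> msiexec sequence described in the advisory.
SAMPLE_EVENTS = [
    Event(100, 1, r"C:\Users\alice\Downloads\setup.exe", "setup.exe"),
    Event(101, 100, r"C:\Windows\System32\cmd.exe",
          r"cmd.exe /c C:\Users\alice\AppData\Local\Temp\check.bat"),
    Event(102, 101, r"C:\Windows\System32\tasklist.exe", "tasklist.exe"),
    Event(103, 101, r"C:\Windows\System32\msiexec.exe",
          r"msiexec.exe /i C:\Users\alice\AppData\Local\Temp\pkg.msi /q"),
    # Benign comparison: an administrator installing an MSI from a file share.
    Event(200, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    Event(201, 200, r"C:\Windows\System32\msiexec.exe",
          r"msiexec.exe /i \\fileserver\software\app.msi"),
]

# Locations an ordinary user can write to without elevation (assumed list).
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|Users\\Public)\\", re.IGNORECASE)
MSI_PATH = re.compile(r"\S+\.msi\b", re.IGNORECASE)


def find_batch_to_msi_chains(events, max_depth=3):
    """Return (msiexec_pid, cmd_pid) pairs for each msiexec that installs an MSI
    from a user-writable path and has a .bat-running cmd.exe within max_depth
    ancestors. Events are assumed to arrive in creation order."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if not e.image.lower().endswith("msiexec.exe"):
            continue
        m = MSI_PATH.search(e.cmdline)
        if not m or not USER_WRITABLE.search(m.group(0)):
            continue
        parent = by_pid.get(e.ppid)
        for _ in range(max_depth):
            if parent is None:
                break
            if parent.image.lower().endswith("cmd.exe") and ".bat" in parent.cmdline.lower():
                hits.append((e.pid, parent.pid))
                break
            parent = by_pid.get(parent.ppid)
    return hits


if __name__ == "__main__":
    for msi_pid, cmd_pid in find_batch_to_msi_chains(SAMPLE_EVENTS):
        print(f"suspicious: msiexec pid {msi_pid} descends from batch script pid {cmd_pid}")
```

On the constructed events only the first chain is reported; the share-based install from explorer.exe is left alone.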


Remediation steps


To prevent and detect a trojan infection, ensure that:

  • A robust program of education and awareness training is delivered to users to ensure they don’t open attachments or follow links within unsolicited emails.
  • All operating systems, anti-virus and other security products are kept up-to-date.
  • Regular anti-virus and security scans are performed on your organisation’s estate.
  • All day-to-day computer activities such as email and internet are performed using non-administrative accounts.
  • Strong password policies are in place.
  • Network, proxy and firewall logs are monitored for suspicious activity.
  • User accounts accessed from affected devices are reset from a clean computer.
  • Your organisation adopts a holistic all-round approach to Cyber Security as advocated by the 10 Steps to Cyber Security.

Last edited: 14 February 2020 2:58 pm