

07:15 AM
Larry Loeb

ATP Rises to the Polymorphic Malware Challenge

The Microsoft Defender ATP Research Team has begun to discuss a polymorphic threat, Dexphot, that it has been tracking for over a year.

ATP first picked it up when it attempted to deploy files that changed every 20-30 minutes on thousands of devices. The researchers found layers of obfuscation, encryption, and randomized file names hiding the installation process. Dexphot then used fileless techniques to run malicious code directly in memory, which makes analysis harder.

Dexphot's goal is to install a cryptocurrency miner on the victim's machine, along with monitoring services and scheduled tasks that trigger re-infection if defenders attempt to remove the malware.

Because of the convoluted activity of the malware, ATP says that behavior-based machine learning models were used to detect and block the threat. Due to the persistence mechanisms, polymorphism, and use of fileless techniques, behavior-based detection was a "critical component."

ATP's telemetry told it that SoftwareBundler:Win32/ICLoader and its variants were the primary methods used to drop and run the Dexphot installer. Two URLs are used to download the malicious payload, and these are later used to establish persistence, update the malware, and re-infect the device. The URLs used for hosting all follow a similar pattern: the domain usually ends in a .info or .net TLD, while the file name of the actual payload consists of random characters.
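The hosting pattern above (a .info or .net domain serving a file whose name is random characters) lends itself to a simple triage rule over web-proxy logs. The script below is an added example, not code from Microsoft or Dark Reading; the log lines and hostnames are constructed, and the entropy and length thresholds are assumptions to tune against your own traffic.

```python
import math
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample proxy log lines: "<timestamp> <client-ip> <url>" (not real traffic).
SAMPLE_LOG = """\
2019-11-26T10:02:11Z 10.0.0.12 http://constructed-host.info/xk9q2zv7pl.bin
2019-11-26T10:02:40Z 10.0.0.12 https://cdn.example.com/jquery-3.4.1.min.js
2019-11-26T10:31:05Z 10.0.0.12 http://constructed-host.net/a8f3k2m9q1w4e7r6
2019-11-26T10:45:19Z 10.0.0.7 https://www.example.net/downloads/readme.txt
"""

def shannon_entropy(s):
    """Bits of entropy per character; random strings score high, words score low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def looks_random(filename, min_len=8, min_entropy=3.0):
    """Heuristic (assumed thresholds): long, purely alphanumeric, high-entropy stem."""
    stem = filename.rsplit(".", 1)[0]
    return len(stem) >= min_len and stem.isalnum() and shannon_entropy(stem) >= min_entropy

def is_suspicious_url(url, tlds=(".info", ".net")):
    """Matches the hosting pattern described in the article: .info/.net host + random file name."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    filename = parts.path.rsplit("/", 1)[-1]
    return host.endswith(tlds) and looks_random(filename)

def flag_downloads(log_text):
    """Return (client, url) pairs worth a closer look, in log order."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # skip malformed lines rather than crash
        _ts, client, url = fields
        if is_suspicious_url(url):
            hits.append((client, url))
    return hits

if __name__ == "__main__":
    for client, url in flag_downloads(SAMPLE_LOG):
        print(f"review: {client} fetched {url}")
```

Treat a hit as a triage signal, not a verdict: hash-named assets on legitimate .net CDNs will also match, so correlate with the process that made the request and with the 20-30 minute re-download cadence the article describes.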

Dexphot halts the infection process immediately if an antivirus product is found running. As time went on, additional products were added to this abort list, which shows how the malware evolved.

Once installed, the payloads are run by loading them into other system processes via "process hollowing." This is when malware replaces the contents of a legitimate process with malicious code.

ATP found that memory scans could detect and terminate the loading of malicious code hidden by process hollowing -- including the monitoring processes that attempt to update the malware code and re-infect the machine via PowerShell commands.

This is needed since Dexphot regularly checks up on itself. If any of the malware processes are terminated, the monitors immediately identify the situation, terminate all remaining malicious processes, and re-infect the device. These monitors will automatically update all of Dexphot's components, both upon system reboot as well as every 90 or 110 minutes while the system is running.

Dexphot exhibits multiple layers of polymorphism across the binaries it distributes, so a traditional file-based detection approach would not be effective against it.

Dexphot is a great example of the level of complexity and rate of evolution that is happening even in "mundane" threats. These kinds of malware are intent on evading protections and motivated to fly under the radar for the prospect of profit.

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.
