2 Robert Speck Parkway, Suite 298 Mississauga ON
+1 888 366 4443

How The Dexphot Malware Evolves To Avoid Detection

IT Services & IT Solutions Mississauga & Toronto

How The Dexphot Malware Evolves To Avoid Detection

Dexphot is a malware that has raised concern over its complex strategy of avoiding detection.

First detected in October 2018, Dexphot is a strain cryptojacking malware. Cryptojacking malware is defined by its main goal of secretly hijacking computer resources in order to generate digital currencies for the cyberattacker. The victim’s computer suffers slowdowns, and is at risk of overheating due to overuse of computer resources. You can learn more about the impacts of cryptojacking infection in our article here.

How is Dexphot designed to avoid detection?

Microsoft states that Dexphot exploits a combination of back-end processes in order to avoid detection by antivirus software. These include PowerShell, DLL, and MSI. By exploiting these three processes, Dexphot is able to use polymorphism to exist in many different forms, making file-based detection difficult.


MSI is short for Windows Installer packages. Dexphot avoids malware detection by using hundreds of unique URLs to install the malware onto victims’ computers. According to Microsoft, over 200 URLs that have been used to download Dexphot have been identified.

Furthermore, Dexphot is able to detect the presence of antivirus software during infection. If it discovers that antivirus is installed, it automatically stops the installation process.


DLL, or Dynamic Link Libraries, is a useful process that helps with code modularization, and efficient use of computer resources. However, malware such as Dexphot can exploit DLL to hide their malicious activity.

After installation, Dexphot exploits DLL in order to unpack 3 malicious files onto the victim’s computer. 2 of these files monitor and protect the 3rd file, which executes the cryptojacking.

These 3 malicious files use a technique called “hollowing” in order to avoid detection. This involves hijacking legitimate processes and hiding malicious code in otherwise legitimate code execution. Specifically, Dexphot hijacks the processes svchost.exe, nslookup.exe, and setup.exe files in SysWoW6.

What is PowerShell?

PowerShell is a tool that is pre-installed in Windows operating systems. Its purpose is executing code, often directly from computer memory without using the disk. The danger of malware abusing PowerShell is that exploits can leave little to no evidence, making it both difficult to detect and to trace.

Dexphot exploits PowerShell in the event that it is ever compromised by antivirus software. If this occurs, Dexphot will initiate a self-termination and reinfection process that relies on PowerShell.

Microsoft states that its new Defender Advanced Threat Protection uses behaviour based detection in order to detect malware such as Dexphot. As described above, Dexphot is difficult to detect using a file-based detection strategy, as it can appear in many forms.

Don’t fall victim to malware like Dexphot. Contact us at +1 888 366 4443 or info@gige.ca to learn more about how to protect yourself.


%d bloggers like this: