Microsoft shared details of a pernicious malware targeting cryptocurrencies that infected nearly 80,000 computers.

On Tuesday, the Microsoft Defender ATP Research Team published a blog post revealing the details of a malware that broke out in 2018. The malware, called Dexphot, uses an array of sophisticated methods to bypass computer security and install a miner that steals crypto-assets of the infected device.

"Dexphot is not the type of attack that generates mainstream media attention; it's one of the countless malware campaigns that are active at any given time. Its goal is a very common one in cybercriminal circles — to install a coin miner that silently steals computer resources and generates revenue for the attackers," the team wrote.

The research team at Microsoft described how the malware utilized "layers of obfuscation, encryption, and the use of randomized file names" that enabled it to obscure the process of installing the miner. And if not prevented, removing the malware with monitoring and scheduled tasks will only trigger re-infection.

Stopping Dexphot

Cases of Dexphot's malicious behaviors have dwindled since it peaked at 80,000 in June of this year. Since then, Microsoft was able to contain infected devices to below 10,000 by July.  

The Defender team used the pre-execution detection engines of Microsoft Defender Advanced Threat Protection to block out Dexphot and used behavior-based machine learning models in cases where the malware slips through the security platform.

Other malware

Dexphot's ultimate objective of stealing cryptos is not a fresh concept despite the advanced techniques (including "fileless" execution, polymorphic techniques, and smart and redundant boot persistence mechanisms) that Hazel Kim, a malware analyst for the Defender Research Team, highlighted.

Another crypto targeting malware that is pretty similar to Dexphot is the Stantinko botnet that has affected users in Russia, Ukraine, Belarus, and Kazakhstan. What's even more unsuspicious about the design of this malware is that it hides behind YouTube channels to install the same kind of miner that Dexphot uses to steal cryptos. Stantinko, however, only takes Monero (XMR) but has infected at least 500,000 devices.

Eset, the internet security company that reported about this virus, already informed YouTube and the video-sharing platform has taken down the suspected channels.

Bitcoin price Top six cryptocurrencies by market cap, including bitcoin, fell by between 13-23 percent in seven days. Here, an Israeli consultant trades bitcoin online in Tel Aviv, Jan. 17, 2018. Photo: JACK GUEZ/AFP/Getty Images