Level 5
Malware that Microsoft has been tracking for over a year has been leveraging numerous techniques for evasion, including random file names, fileless installation, and polymorphism.

Microsoft, which calls the malware Dexphot, noticed that it attempted to deploy files that changed two or three times per hour. Targeting thousands of devices, the polymorphic malware was running code directly in memory and hijacking legitimate system processes to evade detection.

Large-scale at first, the campaign dropped in intensity over time, and only a few machines still encounter Dexphot-related malicious behavior.

Dexphot’s infection process starts with the writing of five files to disk: an installer with two URLs, an MSI file, a password-protected ZIP archive, a loader DLL extracted from the archive, and an encrypted data file containing three additional executable s.