Stealthy Crypto-Miner “Norman” Discovered By Security Analysts

Stealthy Crypto-Miner “Norman” Discovered By Security Analysts

Last Updated: 13th August, 2022

Norman: Security analysts discovered a new kind of Stealthy Cryptocurrency Mining Malware (Stealthy Crypto-Miner) that is being used as a component of an attack that infected nearly a whole organization.

After being notified of unstable applications and network slowdowns in a client organization, security firmVaronis decided to investigate further.


Handling ‘Non’ Security Incident Protocols With Security Tools

Malware infected nearly every server and workstation. Most of them were generic cryptominer variations. Many were applications for password dumping, some were invisible PHP shells and some had been around for several years,” they explained in a blog post.

Out of all the Stealthy Crypto-Miner samples that we found, one stood out. We termed it ‘Norman.’

Norman is a high-performance miner of Monero currency that differed from many of the other samples discovered in its sophisticated attempts to stay hidden.


Five 2021 Cyber-Threats To Watch Out In Cybersecurity Landscape

Unusually, it is compiled with Nullsoft Scriptable Install System (NSIS), an open source system usually employed to create Windows installers. “The injection payload is designed to execute a cryptocurrency miner and stay hidden“, said Varonis.

It avoids detection by terminating the miner function when the Task Manager is opened by a curious user. Once closed, it will re-inject the miner and start again.

The miner itself is XMRig, obfuscated in the malware by UPX and injected into either Notepad or Explorer depending on the execution path.

Varonis believes the cryptocurrency mining, malware it discovered could be linked to a PHP shell it found in the victim organization continually connecting to a command-and-control (C2) server. Like Norman, the PHP shell used DuckDNS for C2 comms.


UNICEF Leaks 8000 Online Learners Personal Data

Any of the malware specimens had lateral movement capacities, although they spread across different applications and segments of the network.” the firm explained. “Though the threat actor could have infected each host individually (perhaps via the same vector used in the initial infection), using PHP-Shell to move laterally and infect other applications in the victim’s network might have been more effective.

However, it also claimed there were no coding similarities between the two, or communications capabilities between the crypto-mining malware and PHP shell.


IAM: Has Identity And Access Management Models Become A Despondency In Businesses?

The malware authors could be French speaking, given the language was present in some of the code.

Varonis urged firms worried about crypto-jacking to: keep operating systems up-to-date; monitor network traffic and web proxies; maintain anti-virus on endpoints; keep an eye on DNS and CPU activity; and have an incident response plan ready and tested.

, , , , , , , , , , , , ,
Previous Post
Information Security: Objectives, Types, And Applications Simplified
Next Post
Formjacking Now Reports Most Of Web Data Breach Infringements

Related Posts

Leave a Reply

Your email address will not be published. Required fields are marked *

Fill out this field
Fill out this field
Please enter a valid email address.
You need to agree with the terms to proceed