Last Updated: 13th August, 2022
Norman: Security analysts discovered a new kind of stealthy cryptocurrency-mining malware (a stealthy crypto-miner) that is being used as a component of an attack that infected nearly a whole organization.
After being notified of unstable applications and network slowdowns in a client organization, security firm Varonis decided to investigate further.
“Malware infected nearly every server and workstation. Most of them were generic cryptominer variations. Many were applications for password dumping, some were invisible PHP shells and some had been around for several years,” they explained in a blog post.
“Out of all the Stealthy Crypto-Miner samples that we found, one stood out. We termed it ‘Norman.’”
Norman is a high-performance miner of Monero currency that differed from many of the other samples discovered in its sophisticated attempts to stay hidden.
Unusually, it is compiled with Nullsoft Scriptable Install System (NSIS), an open source system usually employed to create Windows installers. “The injection payload is designed to execute a cryptocurrency miner and stay hidden,” said Varonis.
It avoids detection by terminating the miner function when a curious user opens Task Manager. Once Task Manager is closed, it re-injects the miner and starts mining again.
The miner itself is XMRig, obfuscated in the malware by UPX and injected into either Notepad or Explorer depending on the execution path.
Varonis believes the cryptocurrency-mining malware it discovered could be linked to a PHP shell it found in the victim organization continually connecting to a command-and-control (C2) server. Like Norman, the PHP shell used DuckDNS for C2 comms.
“Any of the malware specimens had lateral movement capacities, although they spread across different applications and segments of the network,” the firm explained. “Though the threat actor could have infected each host individually (perhaps via the same vector used in the initial infection), using PHP-Shell to move laterally and infect other applications in the victim’s network might have been more effective.”
However, it also claimed there were no coding similarities between the two, or communications capabilities between the crypto-mining malware and PHP shell.
The malware authors could be French-speaking, given that the language was present in some of the code.
Varonis urged firms worried about crypto-jacking to: keep operating systems up-to-date; monitor network traffic and web proxies; maintain anti-virus on endpoints; keep an eye on DNS and CPU activity; and have an incident response plan ready and tested.
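One way to act on the DNS-monitoring advice, given that both Norman and the PHP shell used DuckDNS for C2 and the shell connected continually: flag internal hosts that look up a dynamic-DNS name at regular intervals. This is an added example, not code from Varonis; the log format, the host and domain names, and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log (made-up hosts and names): "<ISO time> <client IP> <queried name>"
SAMPLE_LOG = """\
2022-08-13T09:00:02 10.0.4.17 c2-placeholder.duckdns.org
2022-08-13T09:01:00 10.0.4.30 family-photos.duckdns.org
2022-08-13T09:02:00 10.0.4.30 family-photos.duckdns.org
2022-08-13T09:03:10 10.0.4.22 www.example.com
2022-08-13T09:05:01 10.0.4.17 c2-placeholder.duckdns.org
2022-08-13T09:07:45 10.0.4.22 homelab.duckdns.org
2022-08-13T09:10:03 10.0.4.17 c2-placeholder.duckdns.org
truncated-line-without-fields
2022-08-13T09:15:02 10.0.4.17 c2-placeholder.duckdns.org
2022-08-13T09:20:04 10.0.4.17 c2-placeholder.duckdns.org
2022-08-13T09:40:00 10.0.4.30 family-photos.duckdns.org
2022-08-13T11:00:00 10.0.4.30 family-photos.duckdns.org
"""

DYNDNS_SUFFIXES = (".duckdns.org",)  # extend with other dynamic-DNS zones you see

def parse(log):
    """Yield (time, client, name) tuples, skipping lines that do not parse."""
    for line in log.splitlines():
        try:
            ts, client, name = line.split()
            yield datetime.fromisoformat(ts), client, name.lower().rstrip(".")
        except ValueError:
            continue

def find_beacons(log, min_queries=4, max_jitter=0.2):
    """Map (client, name) -> mean gap in seconds when every gap between
    lookups stays within max_jitter of the mean gap (a periodic pattern)."""
    seen = defaultdict(list)
    for ts, client, name in parse(log):
        if name.endswith(DYNDNS_SUFFIXES):
            seen[(client, name)].append(ts)
    hits = {}
    for key, times in seen.items():
        if len(times) < min_queries:
            continue  # too few lookups to call it periodic
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = sum(gaps) / len(gaps)
        if mean > 0 and all(abs(g - mean) <= max_jitter * mean for g in gaps):
            hits[key] = mean
    return hits

if __name__ == "__main__":
    print(find_beacons(SAMPLE_LOG))
```

Dynamic-DNS lookups also have legitimate uses, so a hit is a lead to correlate with the CPU activity on that host rather than a verdict.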