Varonis, a data security and analytics company, has discovered new strains of cryptojacking malware that hijack a victim’s computer resources to mine monero (XMR), along with a mysterious web shell, while investigating the cause of a cryptomining infection for a client. Notable among the detected malware is Norman, a stealthy Monero cryptominer that uses evasion techniques to disguise itself, according to a blog post on August 14, 2019.
Cryptomining Malware Cripples Servers and Workstations
Per the blog post, while investigating a cryptomining infection on the systems of one of its clients, the Varonis research team discovered that almost all of the victim’s servers and workstations had been hijacked by a new cryptomining malware, resulting in system slowdowns and unstable applications.
The researchers then conducted a manual scan of the company’s servers and workstations using the Varonis Data Security Platform and discovered a large amount of additional malware: mostly generic cryptominer variants, as well as password-dumping tools, PHP shells and more.
Malware Relies on DuckDNS
The team revealed that a majority of the malware relied on DuckDNS, a dynamic DNS service that the attackers used for command and control (C&C) communications, to retrieve configuration settings, or to send messages.
However, one malware sample, named Norman, stood out from the crowd due to its ability to evade detection.
Varonis says Norman is an XMRig-based cryptominer that has three major phases of deployment: the execution, injection, and mining stages.
In the execution stage, it uses the Nullsoft Scriptable Install System (NSIS), an open-source script-driven tool that is also used to create Windows installers.
In the injection phase, Norman injects a payload into an NSIS script file (svchosts.exe) and then chooses a different execution path to launch various processes, depending on whether it is running on a 32-bit or 64-bit Windows OS.
Another interesting thing about Norman is its ability to adopt icons and product names that resemble legitimate ones, such as the original PHP icon and the Microsoft .NET Framework, in a bid to evade detection.
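Two of the behaviours reported above give a defender something concrete to hunt for: lookups of DuckDNS hostnames (the dynamic DNS service most of the malware relied on) and a process name, svchosts.exe, that is one character off the legitimate svchost.exe. The script below is an added example, not code from Varonis or from the report; it runs over constructed log lines in an assumed format (a DNS query log and a process-creation log) and flags both patterns. The allowlist of legitimate binary names and the log format are assumptions of this example.

```python
"""Added example: hunt for DuckDNS lookups and lookalike process names in
constructed DNS and process-creation log lines."""
import re
from typing import Dict, List, Optional

# Legitimate Windows binaries that malware commonly imitates by name.
# Assumption: the defender maintains this list; it is not from the report.
LEGIT_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe"}

# Dynamic DNS zone the report says most of the malware relied on.
DYNDNS_ZONES = ("duckdns.org",)

# Assumed log formats for this example (not a real product's format).
DNS_RE = re.compile(r"^(?P<ts>\S+) DNS query from (?P<src>\S+): (?P<qname>\S+)$")
PROC_RE = re.compile(r"^(?P<ts>\S+) Process created on (?P<host>\S+): (?P<path>.+)$")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to spot names one character off a real binary."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_dyndns(qname: str) -> bool:
    """True if the queried name is in (or under) one of the dynamic DNS zones."""
    name = qname.rstrip(".").lower()
    return any(name == z or name.endswith("." + z) for z in DYNDNS_ZONES)


def lookalike_of(path: str) -> Optional[str]:
    """Return the legitimate binary this file name imitates, if any."""
    base = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if base in LEGIT_BINARIES:
        return None  # exact name match; checking its path is a separate control
    for legit in LEGIT_BINARIES:
        if edit_distance(base, legit) == 1:
            return legit
    return None


def hunt(lines: List[str]) -> List[Dict[str, str]]:
    """Scan log lines and return one finding per suspicious DNS query or process."""
    findings: List[Dict[str, str]] = []
    for line in lines:
        m = DNS_RE.match(line)
        if m and is_dyndns(m["qname"]):
            findings.append({"type": "dyndns", "host": m["src"], "detail": m["qname"]})
            continue
        m = PROC_RE.match(line)
        if m:
            legit = lookalike_of(m["path"])
            if legit:
                findings.append({"type": "lookalike", "host": m["host"],
                                 "detail": f"{m['path']} imitates {legit}"})
    return findings


# Constructed sample log lines (not real telemetry from the incident).
SAMPLE_LOGS = [
    "2019-08-14T10:00:01Z DNS query from ws-17: example-update.duckdns.org",
    "2019-08-14T10:00:02Z DNS query from ws-17: www.microsoft.com",
    "2019-08-14T10:00:05Z Process created on ws-17: C:\\Users\\Public\\svchosts.exe",
    "2019-08-14T10:00:06Z Process created on ws-17: C:\\Windows\\System32\\svchost.exe",
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOGS):
        print(finding)
```

The DuckDNS match is a suffix check on the zone rather than a substring match, so names that merely contain the text are not flagged; the lookalike check deliberately skips exact matches to a legitimate name, because a real svchost.exe running from an unusual directory is a different (path-based) detection.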
Further investigation of Norman revealed that it must have originated from France or another French-speaking country, because the cybercrime actor behind the attack used the French-language version of WinRAR to create the SFX (self-extracting archive) file.
Similarly, some of the code’s variables and functions were written in French, which led to Varonis’ conclusion about the attack’s origin.
Importantly, companies have been advised to keep their software and operating systems updated, monitor for abnormal data access, and use a firewall or proxy to inspect network traffic.
In related news, BTCManager reported on February 7, 2019, on a cryptojacking malware that targets Linux and IoT devices to mine XMR.