Norman the Cryptominer uses sophisticated techniques to avoid discovery
Researchers at Varonis have released information on a new cryptominer variant, which the team has dubbed 'Norman', that uses various techniques to hide and avoid discovery.
Norman was discovered during investigations of an ongoing cryptomining infection that had spread to nearly every device at a midsize company.
Almost every server and workstation at the business was infected and since the initial infection, which took place over a year ago, the number of variants and infected devices had grown. Most of the malware variants relied on DuckDNS (a free, Dynamic DNS service). Some needed it for command and control communications, while others used it to pull configuration settings or to send updates.
Norman is an XMRig-based cryptominer, a high-performance miner for the Monero cryptocurrency. At first glance, the malware seemed to be generic mining malware hiding itself as 'svchost.exe'. However, the techniques the malware used proved to be more interesting, with its deployment divided into three stages: execution, injection and mining. Once running, the malware is designed to avoid detection by terminating the miner when a user opens Task Manager, making it hard to spot its processes.
During their investigation, Varonis' forensics specialists also uncovered a mysterious PHP shell transmitting to a command and control server. Closer investigation showed this to use encryption for the commands and output that it sends and receives. The researchers have found no clear evidence which connects the cryptominers to the interactive PHP shell. However, they have strong reason to believe they originate from the same threat actor.
"The investigation began during an evaluation of our Data Security Platform, which quickly raised several suspicious network-related alerts for abnormal web activity alongside correlated abnormal file activities," says security researcher Eric Sagara writing on the Varonis blog. "The customer quickly realized the devices flagged by the Varonis platform belonged to the same users who had reported recent unstable applications and network slowdowns."
Tips to protect your machine from falling victim to a Norman conquest include making sure software is kept up to date and monitoring network traffic and abnormal data access.
You can get to know Norman better on the Varonis blog.