Security researchers have recently uncovered a new and stealthy variant of cryptocurrency mining malware that was used in a widespread attack on an entire organization. The discovery was made after the organization reported issues with unstable applications and network slowdowns, prompting security firm Varonis to conduct a thorough investigation.
Upon analyzing the infected systems, Varonis found that almost every server and workstation within the organization had been compromised by various types of malware. While most of the infections were generic cryptominers, one particular sample stood out and was named ‘Norman’ by the researchers.
Norman is a Monero (XMR) miner that is more sophisticated than the generic miners found alongside it, and what sets it apart is its evasion logic rather than its mining code. It is packaged with the Nullsoft Scriptable Install System (NSIS), a tool normally used to build Windows installers. The payload runs the miner quietly and, to defeat the one check a user is most likely to make, kills the miner when Task Manager is opened and relaunches it once Task Manager is closed.
The miner itself is XMRig, packed with UPX and injected into either Notepad (notepad.exe) or Explorer (explorer.exe) depending on the execution path, so the mining load appears under a process name that looks benign. Varonis also found a PHP web shell inside the victim's network that kept connecting to a command-and-control (C2) server addressed through the DuckDNS dynamic DNS service; it may be linked to the mining campaign.
Varonis found no shared code or common communication channel between Norman and the PHP shell, but French-language clues in the code led the researchers to suspect a French-speaking threat actor.
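UPX is a compressor rather than an obfuscator, and stock UPX leaves recognisable traces: sections named UPX0/UPX1 and a "UPX!" marker. The following added triage example (written for this page, not Varonis tooling) walks a PE header far enough to read section names and applies that heuristic. The two binaries it inspects are constructed header-only images, not real samples, and a modified packer can rename sections or strip the marker, so a miss is not a clean bill.

```python
import struct

# Added triage example: minimal PE header walk to read section names without
# third-party libraries. The sample images below are constructed headers, not
# real executables and not Norman.


def section_names(data):
    """Return the section names of a PE image (raises ValueError on malformed input)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)        # IMAGE_DOS_HEADER.e_lfanew
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                      # IMAGE_FILE_HEADER starts here
    num_sections, = struct.unpack_from("<H", data, coff + 2)   # NumberOfSections
    opt_size, = struct.unpack_from("<H", data, coff + 16)      # SizeOfOptionalHeader
    table = coff + 20 + opt_size                             # section table follows the optional header
    names = []
    for i in range(num_sections):
        entry = data[table + 40 * i: table + 40 * i + 40]    # IMAGE_SECTION_HEADER is 40 bytes
        if len(entry) < 40:
            raise ValueError("truncated section table")
        names.append(entry[:8].rstrip(b"\0").decode("ascii", "replace"))
    return names


def looks_upx_packed(data):
    """Heuristic: stock UPX names its sections UPX0/UPX1 and leaves a 'UPX!' marker.
    Either can be removed by a modified packer, so False means 'no stock UPX traces',
    not 'unpacked'."""
    if any(name.upper().startswith("UPX") for name in section_names(data)):
        return True
    return b"UPX!" in data


def build_pe(names, opt_size=224):
    """Construct a header-only PE image for testing (no code, zeroed optional header)."""
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)                  # e_lfanew -> PE signature at 0x80
    # Machine=i386, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, opt_size, 0x0102)
    sections = b"".join(struct.pack("<8s32x", n) for n in names)   # name + 32 bytes we do not fill
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt_size) + sections


# Constructed samples: one with UPX section names, one with compiler-default names.
UPX_SAMPLE = build_pe([b"UPX0", b"UPX1", b".rsrc"])
CLEAN_SAMPLE = build_pe([b".text", b".rdata", b".data"])

if __name__ == "__main__":
    for label, sample in (("upx", UPX_SAMPLE), ("clean", CLEAN_SAMPLE)):
        verdict = "stock UPX traces" if looks_upx_packed(sample) else "no UPX traces"
        print(label, section_names(sample), verdict)
```

For a real sample, a positive result usually means `upx -d` will restore the original XMRig binary for static analysis; if the section names have been scrubbed, fall back on entropy or a dedicated packer identifier rather than trusting this check.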
To defend against similar cryptojacking attacks, Varonis recommends that organizations keep operating systems patched, monitor network traffic and web-proxy logs, run anti-virus on every endpoint, watch DNS queries and CPU usage for anomalies, and maintain a tested incident response plan. The last two matter most for this case: a miner injected into notepad.exe or explorer.exe shows up as a familiar process name burning far more CPU than it should, and a C2 server reached through DuckDNS shows up as repeated lookups of a dynamic-DNS hostname, both of which are visible to monitoring even when the miner hides from Task Manager.
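The two behaviours described above, beaconing to a DuckDNS hostname and a miner that steps out of the way whenever Task Manager is open, both leave telemetry that these recommendations ask you to collect. The following added example (written for this page, not Varonis code) runs two toy detections over constructed DNS and process-event logs: a label-aware dynamic-DNS match, and a correlation that flags any image which exits right after taskmgr.exe starts and relaunches right after it exits. The log formats, the five-second window and the zone list are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Added detection example. Assumed log formats:
#   DNS:     "<iso-ts> <client-ip> query <qtype> <name>"
#   process: "<iso-ts> <start|stop> <pid> <image>"
# Both logs are constructed samples, not captured telemetry.

DNS_LOG = """\
2019-08-14T10:00:01Z 10.1.2.33 query A update.microsoft.com
2019-08-14T10:00:05Z 10.1.2.33 query A abc-sample.duckdns.org
2019-08-14T10:00:09Z 10.1.2.40 query A mail.example.org
2019-08-14T10:00:14Z 10.1.2.33 query A abc-sample.duckdns.org
2019-08-14T10:00:20Z 10.1.2.40 query A duckdns.org.example.com
"""

PROCESS_LOG = """\
2019-08-14T10:00:00Z start 4412 notepad.exe
2019-08-14T10:04:58Z start 3300 chrome.exe
2019-08-14T10:05:00Z start 5120 taskmgr.exe
2019-08-14T10:05:01Z stop 4412 notepad.exe
2019-08-14T10:05:02Z stop 3300 chrome.exe
2019-08-14T10:06:30Z stop 5120 taskmgr.exe
2019-08-14T10:06:31Z start 6008 notepad.exe
2019-08-14T10:06:33Z start 7000 outlook.exe
"""

# Dynamic-DNS zones to alert on when servers query them. DuckDNS is the one from
# the write-up; extending the tuple is an assumption left to the reader's estate.
DYNDNS_ZONES = ("duckdns.org",)


def in_zone(name, zone):
    """Label-aware suffix match: 'x.duckdns.org' matches, 'duckdns.org.example.com' does not."""
    name = name.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


def dyndns_queries(log):
    """Count queries per (client, name) whose name falls under a dynamic-DNS zone."""
    hits = defaultdict(int)
    for line in log.splitlines():
        _ts, client, _kw, _qtype, name = line.split()
        if any(in_zone(name, zone) for zone in DYNDNS_ZONES):
            hits[(client, name.lower())] += 1
    return dict(hits)


def _parse_events(log):
    events = []
    for line in log.splitlines():
        ts, kind, pid, image = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), kind, int(pid), image.lower()))
    return sorted(events)


def taskmgr_evasion(log, window=timedelta(seconds=5)):
    """Images that exit within `window` of taskmgr.exe starting AND relaunch within
    `window` of taskmgr.exe exiting. A process that only does one of the two (an
    unrelated exit or launch) is not reported."""
    events = _parse_events(log)
    died, respawned = set(), set()
    for ts, kind, _pid, image in events:
        if image != "taskmgr.exe":
            continue
        for ts2, kind2, _pid2, image2 in events:
            if image2 == "taskmgr.exe" or not (ts <= ts2 <= ts + window):
                continue
            if kind == "start" and kind2 == "stop":
                died.add(image2)
            elif kind == "stop" and kind2 == "start":
                respawned.add(image2)
    return sorted(died & respawned)


if __name__ == "__main__":
    for (client, name), count in dyndns_queries(DNS_LOG).items():
        print(f"dyndns: {client} queried {name} {count}x")
    for image in taskmgr_evasion(PROCESS_LOG):
        print(f"taskmgr evasion: {image} dies when Task Manager opens and respawns when it closes")
```

In the sample, chrome.exe exits after Task Manager opens but never comes back, and outlook.exe starts after Task Manager closes without having died, so only notepad.exe is reported. The same correlation works against EDR process-creation and process-termination events, and it exploits the weakness in Norman's trick: hiding from Task Manager does nothing against telemetry that records the exits and relaunches themselves.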
By staying vigilant and implementing these security measures, organizations can mitigate the risk of falling victim to stealthy cryptocurrency mining malware like Norman and protect their valuable resources from exploitation.