The Varonis Security Research team recently investigated an ongoing crypto mining malware infection that had spread to nearly every device at a mid-size company.
Analysis of the collected malware samples revealed a new variant, which the team dubbed “Norman” that uses various techniques to hide and avoid discovery. They also discovered an interactive web shell that may be related to the mining operators.
“Norman” The Crypto Mining Malware
Norman is an XMRig-based cryptominer, a high-performance miner for Monero cryptocurrency. Unlike other miner samples we have collected, Norman employs evasion techniques to hide from analysis and avoid discovery.
At first glance, the malware seemed to be a generic miner hiding itself as “svchost.exe.” However, the techniques it used proved to be more interesting.
The malware’s deployment can be divided into three stages:
The malware may have originated from France or another French-speaking country: the SFX file had comments in French, which indicate that the author used a French version of WinRAR to create the file.
6 Tips To Protect Your Business
- Keep all operating systems up to date. Patch management is crucial to prevent exploitations and unwanted infections.
- Monitor network traffic and web proxies. It is possible to detect and prevent a portion of attacks by blocking traffic based on malicious domains or restricting unnecessary communications.
- Use and maintain antivirus and endpoint-based solutions (but don’t let that be your only layer of defense). Endpoint products should be able to detect well-known cryptominers and prevent infections before any damages occur. Keep in mind that new variants or new evasion techniques can bypass endpoint security products.
- Monitor CPU activity on computers. Cryptominers generally use the computer’s CPU to mine. Any noticeable degradation in processing speed requires investigation.
- Monitor DNS for unusual use of dynamic DNS services (like DuckDNS). While DuckDNS and other dynamic DNS services play a legitimate role, malware’s use of DuckDNS made it easier for our teams to detect infected hosts in this investigation.
- Have an IR plan ready. Make sure you have the right procedures for similar incidents, and be capable of automatically detecting, containing, and remediating cryptominers.