Security researchers have found a stealthy new cryptocurrency mining malware variant which was used as part of an attack that infected almost an entire organization.
After being notified of unstable applications and network slowdowns in a client organization, security firm Varonis decided to investigate further.
“Almost every server and workstation was infected with malware. Most were generic variants of cryptominers. Some were password dumping tools, some were hidden PHP shells, and some had been present for several years,” it explained in a blog post.
“Out of all the cryptominer samples that we found, one stood out. We named it ‘Norman’.”
Norman is a high-performance miner of Monero currency that differed from many of the other samples discovered in its sophisticated attempts to stay hidden.
Unusually, it is compiled with Nullsoft Scriptable Install System (NSIS), an open source system usually employed to create Windows installers.
The injection payload is designed to execute a cryptocurrency miner and stay hidden, said Varonis.
It avoids detection by terminating the miner function when the Task Manager is opened by a curious user. Once closed, it will re-inject the miner and start again.
The miner itself is XMRig, obfuscated in the malware by UPX and injected into either Notepad or Explorer depending on the execution path.
Varonis believes the cryptocurrency mining malware it discovered could be linked to a PHP shell it found in the victim organization continually connecting to a command-and-control (C2) server. Like Norman, the PHP shell used DuckDNS for C2 comms.
“None of the malware samples had any lateral movement capabilities, though they had spread across different devices and network segments,” the firm explained. “Though the threat actor could have infected each host individually (perhaps via the same vector used in the initial infection), it would have been more efficient to use the PHP-Shell to move laterally and infect other devices in the victim’s network.”
However, it also claimed there were no coding similarities between the two, or communications capabilities between the crypto-mining malware and PHP shell.
The malware authors could be French speaking, given the language was present in some of the code.
Varonis urged firms worried about crypto-jacking to: keep operating systems up-to-date; monitor network traffic and web proxies; maintain anti-virus on endpoints; keep an eye on DNS and CPU activity; and have an incident response plan ready and tested.