Researchers identified a large-scale cryptocurrency miner infection in which a new malware family called “Norman” took part.The Varonis Security Research team made the discovery while investigating a cryptominer infection at a mid-sized company. Here’s what they found through this effort:Almost every server and workstation was infected with malware. Most were generic variants of cryptominers. Some were password dumping tools, some were hidden PHP shells, and some had been present for several years.Varonis didn’t have a difficult time identifying the hosts affected by the attack. That’s because they all used DuckDNS, a dynamic DNS service which users can use to create custom domain names. In this particular case, the infected hosts leveraged DuckDNS for their command-and-control (C&C) infrastructure.This process ultimately led Varonis to uncover Norman. The sample identified by the data security software firm functioned as an XMRig-based cryptominer. It also concealed itself as “svchost.exe.”Even so, the malware stood out for its abilities to evade detection. For instance, the malware’s DLL arrived with triple obfuscation courtesy of the Agile obfuscator. Later on in the infection chain, the malware terminated its mining component whenever a user opened Task Manager so as to trick them into thinking that nothing’s wrong. It also injected an obfuscated miner version to Notepad, Explorer, svchost or wuapp depending on the infection’s execution path.As of this writing, it’s unclear which actor created Norman. Varonis did determine that the actor likely spoke Fre ..
Support the originator by clicking the read the rest link below.
