Researchers Discover Stealthy Crypto-Miner “Norman”

Security researchers have found a stealthy new cryptocurrency mining malware variant which was used as part of an attack that infected almost an entire organization.

After being notified of unstable applications and network slowdowns in a client organization, security firm Varonis decided to investigate further.

“Almost every server and workstation was infected with malware. Most were generic variants of cryptominers. Some were password dumping tools, some were hidden PHP shells, and some had been present for several years,” it explained in a blog post.

“Out of all the cryptominer samples that we found, one stood out. We named it ‘Norman’.”

Norman is a high-performance miner of Monero currency that differed from many of the other samples discovered in its sophisticated attempts to stay hidden.

Unusually, it is compiled with Nullsoft Scriptable Install System (NSIS), an open source system usually employed to create Windows installers.

The injection payload is designed to execute a cryptocurrency miner and stay hidden, said Varonis.

It avoids detection by terminating the miner function when the Task Manager is opened by a curious user. Once closed, it will re-inject the miner and start again.

The miner itself is XMRig, obfuscated in the malware by UPX and injected into either Notepad or Explorer depending on the execution path.

Varonis believes the cryptocurrency mining malware it discovered could be linked to a PHP shell it found in the victim organization continually connecting to a command-and-control (C2) server. Like Norman, the PHP shell used DuckDNS for C2 comms.
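The three behaviours reported above (the miner pausing while Task Manager is open, XMRig running inside Notepad or Explorer, and C2 traffic going to a DuckDNS host) each leave a trace in ordinary endpoint telemetry. The following hunting script is an added example written for this article, not code from Varonis or from the Norman sample. It assumes a simple EDR-style event format (per-process CPU samples, process start/stop events and outbound connection events) and uses constructed sample events and assumed thresholds; real telemetry field names and the CPU cut-offs would need to be adapted to the environment.

```python
"""Hunting heuristics for the Norman-style behaviours described in the article.

Assumed (hypothetical) telemetry format: one dict per event with
  type = "cpu"    -> periodic CPU sample for a process (cpu_pct)
  type = "net"    -> outbound connection (dst, port)
  type = "pstart" / "pstop" -> process creation / exit
All sample events below are constructed for this example.
"""
from datetime import datetime, timedelta

SAMPLE_EVENTS = [
    {"ts": "2019-08-14T10:00:00", "type": "cpu", "pid": 4120, "image": "notepad.exe", "cpu_pct": 97.0},
    {"ts": "2019-08-14T10:00:10", "type": "cpu", "pid": 4120, "image": "notepad.exe", "cpu_pct": 96.0},
    {"ts": "2019-08-14T10:00:12", "type": "net", "pid": 4120, "image": "notepad.exe",
     "dst": "example-pool.duckdns.org", "port": 5555},          # constructed hostname
    {"ts": "2019-08-14T10:00:15", "type": "pstart", "pid": 5000, "image": "taskmgr.exe"},
    {"ts": "2019-08-14T10:00:20", "type": "cpu", "pid": 4120, "image": "notepad.exe", "cpu_pct": 0.5},
    {"ts": "2019-08-14T10:00:40", "type": "pstop", "pid": 5000, "image": "taskmgr.exe"},
    {"ts": "2019-08-14T10:00:50", "type": "cpu", "pid": 4120, "image": "notepad.exe", "cpu_pct": 95.0},
    # benign controls: a browser reaching a dynamic-DNS host, and an idle Explorer
    {"ts": "2019-08-14T10:01:00", "type": "net", "pid": 6000, "image": "chrome.exe",
     "dst": "personal-site.duckdns.org", "port": 443},
    {"ts": "2019-08-14T10:01:05", "type": "cpu", "pid": 7000, "image": "explorer.exe", "cpu_pct": 3.0},
]

# Hosts the article names as injection targets, and the dynamic-DNS provider it names for C2.
INJECTION_TARGETS = {"notepad.exe", "explorer.exe"}
DDNS_SUFFIXES = (".duckdns.org",)
TASKMGR = "taskmgr.exe"
HIGH_CPU = 80.0   # assumed threshold: sustained mining load
IDLE_CPU = 5.0    # assumed threshold: miner paused


def parse_ts(s):
    return datetime.fromisoformat(s)


def find_ddns_from_injection_targets(events):
    """Return (pid, image, dst) for Notepad/Explorer instances talking to a dynamic-DNS host.

    Neither program has a reason to open its own outbound sockets, so this is a
    high-signal hunt even though DuckDNS traffic from a browser is not suspicious.
    """
    hits = []
    for e in events:
        if (e["type"] == "net"
                and e["image"].lower() in INJECTION_TARGETS
                and e["dst"].lower().endswith(DDNS_SUFFIXES)):
            hits.append((e["pid"], e["image"], e["dst"]))
    return hits


def find_taskmgr_evasion(events, window=timedelta(seconds=60)):
    """Return pids whose CPU collapses when taskmgr.exe starts and recovers after it exits.

    For each Task Manager session we look for a process that was above HIGH_CPU
    shortly before the session, dropped to IDLE_CPU during it, and went back above
    HIGH_CPU afterwards.  Norman re-injects after Task Manager closes, so a resumed
    miner may appear under a new pid; correlating by image name as well is a
    reasonable extension in a real deployment.
    """
    events = sorted(events, key=lambda e: parse_ts(e["ts"]))
    starts = [parse_ts(e["ts"]) for e in events
              if e["type"] == "pstart" and e["image"].lower() == TASKMGR]
    stops = [parse_ts(e["ts"]) for e in events
             if e["type"] == "pstop" and e["image"].lower() == TASKMGR]
    samples = {}
    for e in events:
        if e["type"] == "cpu":
            samples.setdefault(e["pid"], []).append((parse_ts(e["ts"]), e["cpu_pct"]))

    flagged = set()
    for t_start in starts:
        t_stop = next((t for t in stops if t > t_start), None)
        t_end = t_stop if t_stop is not None else t_start + window
        for pid, series in samples.items():
            before = [c for t, c in series if t_start - window <= t < t_start]
            during = [c for t, c in series if t_start <= t <= t_end]
            after = [c for t, c in series if t_stop is not None and t > t_stop]
            if (before and during and after
                    and max(before) >= HIGH_CPU
                    and min(during) <= IDLE_CPU
                    and max(after) >= HIGH_CPU):
                flagged.add(pid)
    return sorted(flagged)


if __name__ == "__main__":
    print("DDNS C2 from injection targets:", find_ddns_from_injection_targets(SAMPLE_EVENTS))
    print("Task Manager evasion candidates:", find_taskmgr_evasion(SAMPLE_EVENTS))
```

Run against the constructed events, the first hunt returns only the Notepad instance (the browser's DuckDNS connection is ignored) and the second flags the same pid, because its load vanishes for exactly the period Task Manager was open and returns afterwards. Either signal alone is worth an alert; both on the same pid is a strong match for the behaviour Varonis describes.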

“None of the malware samples had any lateral movement capabilities, though they had spread across different devices a ..