Cybersecurity researchers have discovered a mysterious new strain of cryptocurrency mining (cryptomining) malware that employs powerful techniques to avoid detection and analysis.
Software firm Varonis determined the malware is based on Monero mining software XMRig, which is open source and hosted on GitHub. Hard Fork has previously reported on other notable instances of cryptomining malware that utilize XMRig.
To date, the malware, which Varonis named Norman, has hit at least one "mid-size" company, infecting almost every workstation and server on its network.
"Most were generic variants of cryptominers. Some were password dumping tools, some were hidden PHP shells, and some had been present for several years," wrote Varonis. "Out of all the cryptominer samples that we found, one stood out. We named it 'Norman.'"
Norman is an especially crafty strain of malware
Analysts determined this strain of malware deploys itself in three separate stages: execution, injection, and then finally, cryptocurrency mining.
Once a target executes the malicious file, the malware proceeds differently depending on whether the machine is 32-bit or 64-bit, but either way it serves two functions: mining Monero and avoiding detection.
In particular, Norman shuts down its malicious processes when the user opens Windows Task Manager, so the miner never shows up in the process list. Sneaky.
Norman hijacks Windows' Service Host process (svchost.exe) and uses it to inject a number of different malicious payloads into the machine.
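The two behaviours just described (a miner that exits when Task Manager opens, and payloads injected into svchost.exe) each leave a telemetry footprint a defender can look for. The Python below is an added example written for this page, not Varonis's tooling or anything from the Norman sample itself: it runs two checks over constructed Sysmon-style process create/terminate events. The first flags any svchost.exe whose parent is not services.exe (on a healthy Windows host, services.exe is the only process that starts svchost.exe). The second flags processes that terminate within a few seconds of taskmgr.exe starting. The event data, the PIDs and the dropper name "setup_sfx.exe" are all invented for illustration.

```python
"""Host-side checks for the behaviours described above, run over constructed
Sysmon-style process events.  Added example; not Varonis's code, and every
event below is invented for illustration."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ProcEvent:
    ts: float    # seconds since boot (constructed)
    kind: str    # "start" (process create) or "stop" (process terminate)
    pid: int
    ppid: int
    image: str   # lowercase executable file name


# Constructed sample: a normal boot, a user launching a hypothetical SFX dropper
# ("setup_sfx.exe"), the dropper spawning its own svchost.exe, and that svchost
# exiting shortly after Task Manager is opened.
SAMPLE_EVENTS: List[ProcEvent] = [
    ProcEvent(0.0,   "start", 4,    0,    "system"),
    ProcEvent(1.0,   "start", 600,  4,    "wininit.exe"),
    ProcEvent(2.0,   "start", 700,  600,  "services.exe"),
    ProcEvent(3.0,   "start", 900,  700,  "svchost.exe"),    # legitimate: parent is services.exe
    ProcEvent(4.0,   "start", 1200, 1000, "explorer.exe"),
    ProcEvent(5.0,   "start", 1300, 1200, "setup_sfx.exe"),  # hypothetical dropper
    ProcEvent(6.0,   "start", 1400, 1300, "svchost.exe"),    # parent is NOT services.exe
    ProcEvent(60.0,  "start", 1500, 1200, "taskmgr.exe"),
    ProcEvent(61.5,  "stop",  1400, 1300, "svchost.exe"),    # exits 1.5 s after Task Manager opens
    ProcEvent(120.0, "stop",  1500, 1200, "taskmgr.exe"),
]


def suspicious_svchost(events: List[ProcEvent]) -> List[Tuple[int, Optional[str]]]:
    """Return [(pid, parent_image)] for svchost.exe instances whose parent is not
    services.exe.  parent_image is None when the parent's start was never logged
    (e.g. logging began after boot); treat that as a lead, not a verdict.
    PID reuse is ignored: the last logged start for a PID wins."""
    starts = {e.pid: e for e in events if e.kind == "start"}
    hits = []
    for e in starts.values():
        if e.image != "svchost.exe":
            continue
        parent = starts.get(e.ppid)
        if parent is None or parent.image != "services.exe":
            hits.append((e.pid, parent.image if parent else None))
    return sorted(hits)


def exits_after_taskmgr(events: List[ProcEvent], window: float = 5.0) -> List[Tuple[int, str, float]]:
    """Return [(pid, image, seconds_after_taskmgr_start)] for processes that
    terminated within `window` seconds after any taskmgr.exe start.  Benign
    short-lived processes can land here too, so pair it with the svchost check."""
    taskmgr_starts = [e.ts for e in events if e.kind == "start" and e.image == "taskmgr.exe"]
    hits = []
    for e in events:
        if e.kind != "stop" or e.image == "taskmgr.exe":
            continue
        for t0 in taskmgr_starts:
            delay = e.ts - t0
            if 0.0 <= delay <= window:
                hits.append((e.pid, e.image, round(delay, 1)))
                break
    return hits


if __name__ == "__main__":
    print("svchost with unexpected parent:", suspicious_svchost(SAMPLE_EVENTS))
    print("exited right after Task Manager:", exits_after_taskmgr(SAMPLE_EVENTS))
```

Both checks are hunting leads rather than verdicts: a process that exits right after Task Manager opens is only interesting when it is also anomalous in some other way, which is why the sample's rogue svchost.exe trips both checks while the legitimate one (PID 900) trips neither.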
Luckily, the Monero-mining component of this particular Norman sample had already been neutralized.
Researchers noted the XMR wallet address designated to receive the cryptocurrency mined by the malware had been banned by Norman's mining pool of choice.
There's also a weird PHP shell that's waiting for commands
One curious aspect of Norman is a PHP "shell" that maintains a persistent connection to a (presumably) malicious command-and-control (C&C) server.
That should mean Norman is intended to be controlled remotely, but after it initially sets a few internal variables, analysts found the malware enters a "loop" that constantly polls for fresh instructions.
"As of today, we have not received new commands," noted Varonis researchers.
Even though Norman contains both a cryptocurrency miner and a malicious PHP shell, Varonis researchers weren't able to confirm whether the two components are connected.
Norman's cryptominer doesn't communicate with the PHP shell, and the two are written in entirely different programming languages. They do, however, use the same DNS server.
A secret French connection?
Whoever created Norman left behind a few clues, leading analysts to consider the possibility that it may have originated from France or another French-speaking nation.
After reading the malware's source code, researchers found several functions and variables named in French.
Norman's self-extracting (SFX) archive also included comments in French, which suggests the author used a French-language version of the archiving tool WinRAR to create it.
"Malware that relies on commands from C&C servers to operate are a different type of threat than the average virus," warned Varonis researchers. "Their actions will not be as predictable and will likely resemble the actions of a manual attack or pentester."
They added that these kinds of threats are usually geared towards stealing data, despite the XMR-mining payload found in Norman.
As such, network administrators should monitor user access for suspicious activity, and use firewalls and proxies to detect and block any attempted communication with C&C servers.
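A shell that sits in a loop polling its C&C server for instructions, as described above, produces exactly the kind of traffic a proxy can surface: the same client asking the same host at near-constant intervals, regardless of whether any command ever comes back. The Python below is an added example illustrating that recommendation; it is not Varonis's tooling and does not use any indicator from the Norman report. It parses constructed Squid-style proxy log lines and flags client/host pairs whose request intervals are too regular to be human browsing. The host "c2.example.invalid", the client addresses and every timestamp are invented.

```python
"""Beaconing detector over constructed proxy log lines.

Added example for the advice above; not Varonis's code.  Log format
(constructed, Squid-like): "<epoch> <client-ip> <method> <url> <status>".
"""
import re
import statistics
from collections import defaultdict
from typing import Iterator, List, Tuple
from urllib.parse import urlparse

LOG_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)

# Constructed sample traffic.  c2.example.invalid stands in for a hypothetical
# command-and-control host polled once a minute; the other hosts are ordinary,
# bursty browsing from two workstations.
SAMPLE_LOG = """\
1565000000.0 10.0.0.15 GET http://c2.example.invalid/cmd.php 200
1565000005.0 10.0.0.22 GET http://news.example.net/ 200
1565000008.0 10.0.0.22 GET http://news.example.net/story/1 200
1565000010.0 10.0.0.15 GET http://www.example.com/ 200
1565000012.0 10.0.0.15 GET http://www.example.com/app.js 200
1565000048.0 10.0.0.22 GET http://news.example.net/story/2 200
1565000049.0 10.0.0.22 GET http://news.example.net/img.png 200
1565000060.1 10.0.0.15 GET http://c2.example.invalid/cmd.php 200
1565000120.0 10.0.0.15 GET http://c2.example.invalid/cmd.php 200
1565000180.0 10.0.0.15 GET http://c2.example.invalid/cmd.php 200
1565000200.0 10.0.0.15 GET http://www.example.com/ 304
1565000201.0 10.0.0.15 GET http://www.example.com/app.js 304
1565000240.2 10.0.0.15 GET http://c2.example.invalid/cmd.php 200
1565000300.0 10.0.0.15 GET http://c2.example.invalid/cmd.php 200
1565000360.0 10.0.0.15 GET http://c2.example.invalid/cmd.php 200
1565000420.1 10.0.0.15 GET http://c2.example.invalid/cmd.php 200
1565000549.0 10.0.0.22 GET http://news.example.net/story/3 200
1565000551.0 10.0.0.22 GET http://news.example.net/story/4 200
1565000641.0 10.0.0.22 GET http://news.example.net/ 200
"""


def parse_lines(text: str) -> Iterator[Tuple[float, str, str]]:
    """Yield (timestamp, client, host) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        host = urlparse(m["url"]).hostname
        if host:
            yield float(m["ts"]), m["client"], host.lower()


def detect_beacons(text: str, min_hits: int = 6, max_cv: float = 0.1) -> List[Tuple[str, str, int, float]]:
    """Return [(client, host, hits, median_interval_seconds)] for client/host pairs
    with at least `min_hits` requests whose inter-request intervals have a
    coefficient of variation (stdev / mean) no greater than `max_cv`.
    Human browsing is bursty (high CV); a polling loop is metronomic (low CV)."""
    times = defaultdict(list)
    for ts, client, host in parse_lines(text):
        times[(client, host)].append(ts)
    hits = []
    for (client, host), ts_list in times.items():
        if len(ts_list) < min_hits:
            continue
        ts_list.sort()
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:  # all requests in the same instant; not a polling pattern
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            hits.append((client, host, len(ts_list), round(statistics.median(gaps), 1)))
    return sorted(hits)


if __name__ == "__main__":
    for client, host, n, period in detect_beacons(SAMPLE_LOG):
        print(f"{client} -> {host}: {n} requests, ~{period}s apart")
```

Update checkers, NTP-over-HTTP and monitoring agents beacon just as regularly, so in practice the output is run against an allowlist of known periodic destinations and the remaining hits are pivoted on DNS and firewall logs before anything is blocked. Real implants also jitter their sleep interval; raising max_cv trades that evasion off against false positives.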