This spooky Monero-mining malware waits to be controlled remotely

Cybersecurity researchers have discovered a mysterious new strain of cryptocurrency mining (cryptomining) malware that employs powerful techniques to avoid detection and analysis.

Software firm Varonis determined the malware is based on Monero mining software XMRig, which is open source and hosted on GitHub. Hard Fork has previously reported on other notable instances of cryptomining malware that utilize XMRig.

To date, Norman has hit at least one “mid-size” company, having infected almost every workstation and server on its network.

“Most were generic variants of cryptominers. Some were password dumping tools, some were hidden PHP shells, and some had been present for several years,” wrote Varonis. “Out of all the cryptominer samples that we found, one stood out. We named it ‘Norman.’”

Norman is an especially crafty strain of malware

Analysts determined this strain of malware deploys itself in three separate stages: execution, injection, and then finally, cryptocurrency mining.

Once a target executes the malicious file, the virus will proceed differently depending on the machine’s operating system bit type (32-bit or 64-bit), but it generally serves two functions: mine Monero and avoid detection.

In particular, Norman automatically shuts down malicious processes when the user opens Windows Task Manager. Sneaky.

Notice how ‘wuapp.exe’ closes when ‘Taskmgr.exe’ activates? (courtesy of Varonis)

Norman aims to commandeer Windows’ Service Host Process (svchost.exe), which it will then use to inject a number of different malicious payloads into the machine.

Luckily, it seems the Monero-mining properties of this particular variant of Norman had already been nullified.

Researchers noted the XMR address designated to receive the cryptocurrency generated by the virus had been banned by Norman’s mining pool of choice.

‘XMR address banned’ (courtesy of Varonis)

There’s also a weird PHP shell that’s waiting for commands

One curious aspect of Norman is a PHP “shell” that maintains a spooky connection to a (presumably) malicious command-and-control (C&C) server.

This should mean Norman is intended to be controlled remotely, but after initially changing a few internal variables, analysts found the malware enters a “loop” that constantly waits for fresh instructions.

“As of today, we have not received new commands,” noted Varonis researchers.

Even though Norman contains a cryptocurrency miner and a malicious PHP shell, Varonis researchers weren’t able to confirm whether those features are connected.

Norman’s cryptominer doesn’t communicate with the PHP shell, and they’re written in entirely different computing languages. They do however use the same DNS server.

A secret French connection?

Whoever created Norman left behind a few clues, leading analysts to consider the possibility that it may have originated from France or another French-speaking nation.

After reading the malware’s source code, researchers found several functions and variables written in French.

Norman is French?
Whoops (courtesy of Varonis)

Norman’s self-extracting (SFX) file also included comments in French. This means the author must have used a French version of archiving tool WinRAR to create it.

French Monero mining malware?
This is a pretty big clue (courtesy of Varonis)

“Malware that relies on commands from C&C servers to operate are a different type of threat than the average virus,” warned Varonis researchers. “Their actions will not be as predictable and will likely resemble the actions of a manual attack or pentester.”

They added that these kinds of threats are usually geared towards stealing data, despite the powerful XMR-mining malware found in Norman.

As such, network administrators should seek to monitor user access for suspicious activity, and run firewalls and proxies to detect and block any attempted communication with C&C servers.

Published August 14, 2019 — 20:42 UTC

Leave a Reply