A new strain of cryptomining malware that is based on XMRig and uses various techniques to hide from analysis and avoid discovery has been discovered by researchers at security firm Varonis.
The variant, dubbed “Norman”, is described as a high-performance miner for monero cryptocurrency with possible French connections that researchers discovered had spread to nearly every server and workstation at a mid-sized company that was evaluating the security firm’s Data Security Platform.
The cryptomining infection investigation began in response to several alerts of abnormal web activity alongside correlated abnormal file activities on workstations where users had reported unstable applications and network slowdowns.
Although illicit cryptocurrency mining malware has declined in recent years, threat reports indicate that it is still a popular fund-raising activity among cyber criminals, with cryptominers among the most common malware detected in the first half of 2019.
Since the initial infection, which took place over a year ago, researchers said the number of variants and infected devices has grown, with most variants relying on DuckDNS free dynamic domain name system (DNS). Some needed DuckDNS for command and control (C&C) communications, while others used it to pull configuration settings or to send updates.
Out of all the cryptominer samples found, Norman stood out because of its detection evasion capabilities, the researchers said.
At first glance, they said, the malware seemed to be generic mining malware hiding itself as “svchost.exe”, but the techniques the malware used proved to be more interesting in the analysis of its execution, injection and mining stages.
For example, the malware is unusual in that it is compiled with NSIS (Nullsoft Scriptable Install System), which is an open source system used to create Windows installers.
Analysis of the injection phase revealed that the main payload DLL (dynamic link library) is built with .NET and triple obfuscated with Agile obfuscator, a known commercial .NET obfuscator.
The execution of the malware involves many payload injections into itself and other processes, the researchers found, and the malware will choose a different execution path and launch different processes depending on whether the operating system of the targeted machine is 32-bit or 64-bit.
Once running, the malware is designed to avoid detection by terminating the miner when a user opens Task Manager, the researchers said. After Task Manager closes, the malware will execute a process to re-inject the miner.
During the cryptomining investigation, the researchers also discovered a “mysterious” interactive web shell that continually connects to a C&C server and may be related to the mining operators.
Although the researchers found no clear evidence connecting the cryptominers to the interactive PHP shell, they said there was “strong reason” to believe that they originated from the same threat actor.
To defend against remote shells, the security researchers advised that organisations:
- Keep all software up to date because attackers often exploit vulnerabilities in software and operating systems to move laterally in the organisation and steal data. Staying up to date with patches greatly reduces the risk of threats, they said.
- Monitor abnormal data access because an attacker will most likely try to exfiltrate sensitive data from the organisation, and monitoring abnormal user access to sensitive data could help detect compromised users and data that might have been exposed.
- Monitor network traffic by using a firewall or proxy to detect and block malicious communication to C&C servers, thus preventing the attacker from executing commands or extracting data.
To defend against cryptominers, Varonis recommended that organisations:
- Use and maintain antivirus and endpoint detection and response (EDR) systems, which should be able to detect well-known cryptominers and prevent infections before any damage occurs. But the researchers said organisations should not rely only on EDR and should bear in mind that new variants or new evasion techniques can bypass endpoint security products.
- Keep all operating systems up to date to prevent exploits and unwanted infections.
- Monitor network traffic and web proxies to block traffic from malicious domains and restrict unnecessary communications.
- Monitor CPU activity on computers for indications of possible cryptomining activity.
- Monitor DNS for unusual use of dynamic DNS services, such as DuckDNS.
- Have an incident response plan ready to detect, contain and remediate cryptominers.
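Two of the checks above, monitoring DNS for dynamic DNS services such as DuckDNS and looking for the miner's "svchost.exe" masquerade described earlier, can be scripted against ordinary telemetry. The following is an added example written for this article, not code from Varonis or from the report; the log line formats, hostnames, query names and process paths are constructed, and the list of dynamic DNS providers beyond DuckDNS is an assumption.

```python
"""
Added example (not from the Varonis report or this article): a small triage
script that applies two of the recommended checks to constructed telemetry.
Log formats, hostnames and domains below are assumptions.
"""
import re
from collections import defaultdict

# Dynamic DNS suffixes to flag. DuckDNS is the one named in the article;
# the others are well-known free dynamic DNS services added as an assumption.
DYNAMIC_DNS_SUFFIXES = (
    ".duckdns.org",
    ".no-ip.com",
    ".no-ip.org",
    ".dyndns.org",
    ".hopto.org",
)

# Legitimate locations of svchost.exe on Windows. A process claiming that
# name from any other directory is suspicious (the miner hid as "svchost.exe").
LEGIT_SVCHOST_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# Constructed DNS query log: "<timestamp> <client> <qname> <qtype>"
SAMPLE_DNS_LOG = """\
2019-08-14T09:01:03Z ws-017 update.microsoft.com A
2019-08-14T09:01:09Z ws-017 example-host.duckdns.org A
2019-08-14T09:02:11Z ws-042 example-host.duckdns.org A
2019-08-14T09:02:40Z srv-db01 pool.example.net A
2019-08-14T09:03:02Z ws-017 another-host.duckdns.org TXT
2019-08-14T09:03:15Z srv-web02 example-host.duckdns.org. A
"""

# Constructed process inventory: "<host> <pid> <image path>"
SAMPLE_PROCESS_LOG = """\
ws-017 612 C:\\Windows\\System32\\svchost.exe
ws-017 4120 C:\\Users\\alice\\AppData\\Roaming\\svchost.exe
srv-web02 880 C:\\Windows\\SysWOW64\\svchost.exe
srv-web02 5310 C:\\ProgramData\\svchost.exe
"""

DNS_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")
PROC_LINE = re.compile(r"^(\S+)\s+(\d+)\s+(.+)$")


def find_dynamic_dns_clients(log_text):
    """Return {client: sorted dynamic-DNS names} for every client that
    queried a flagged suffix. Unparseable lines are skipped."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = DNS_LINE.match(line.strip())
        if not m:
            continue
        _ts, client, qname, _qtype = m.groups()
        name = qname.lower().rstrip(".")  # normalise case and trailing dot
        if name.endswith(DYNAMIC_DNS_SUFFIXES):
            hits[client].add(name)
    return {c: sorted(n) for c, n in hits.items()}


def find_masquerading_svchost(proc_text):
    """Return [(host, pid, path)] for processes named svchost.exe that run
    from outside the standard Windows system directories."""
    findings = []
    for line in proc_text.splitlines():
        m = PROC_LINE.match(line.strip())
        if not m:
            continue
        host, pid, path = m.groups()
        norm = path.lower().replace("/", "\\")
        directory, _, image = norm.rpartition("\\")
        if image == "svchost.exe" and directory not in LEGIT_SVCHOST_DIRS:
            findings.append((host, int(pid), path))
    return findings


if __name__ == "__main__":
    for client, names in find_dynamic_dns_clients(SAMPLE_DNS_LOG).items():
        print(f"[dyndns] {client}: {', '.join(names)}")
    for host, pid, path in find_masquerading_svchost(SAMPLE_PROCESS_LOG):
        print(f"[svchost] {host} pid={pid} path={path}")
```

Both functions take the raw log text, so in practice they would be fed an export from the resolver or an EDR process inventory; a hit on either check is a lead for the incident response plan the article recommends, not proof of infection on its own, since legitimate users may also resolve dynamic DNS names.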