Meet "Norman" – a new variant of monero-mining malware that employs crafty tricks to avoid being spotted.
Varonis found it while investigating a crypto-miner infestation at a "mid-size company."
"Almost every server and workstation was infected with malware. Most were generic variants of cryptominers. Some were hidden PHP tools, some were hidden PHP, and some had been present for several years," the firm said.
However, one miner stood out – Norman, as the team dubbed it.
Norman's payload has two primary functions: execute its XMRig-based crypto-miner and avoid detection.
After injection, it overwrites its entry in explorer.exe to conceal evidence of its presence. It also reacts to Task Manager being opened (see image below), re-injecting itself once Task Manager is no longer running.
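The behaviour described above, a process that disappears whenever Task Manager is running and comes back once it closes, is something a defender can look for in ordinary process-start and process-stop telemetry. The following script is an added example written for this article, not code from Varonis or from the Norman sample: it takes a small stream of constructed Sysmon-style events (the file names, PIDs and timestamps are made up) and flags any image whose stop events cluster just after Task Manager starts and whose start events cluster just after Task Manager exits. The event field layout, the window size and the hit threshold are assumptions chosen for the example.

```python
"""
Heuristic detection of Task-Manager-aware processes.

The SAMPLE_EVENTS below are constructed for this example; they are not
telemetry from the Varonis investigation. Fields mimic the minimum a
Sysmon-style process-creation / process-termination feed would carry.
"""
from collections import defaultdict
from datetime import datetime, timedelta

TASKMGR = "taskmgr.exe"  # matched on the executable name, case-insensitive

# (timestamp, event, image path, pid) -- constructed sample data
SAMPLE_EVENTS = [
    ("2019-08-14T09:00:00", "start", r"C:\Windows\explorer.exe", 1200),
    ("2019-08-14T09:00:05", "start", r"C:\Users\x\AppData\Roaming\svchosts.exe", 4410),
    ("2019-08-14T09:20:00", "start", r"C:\Windows\System32\notepad.exe", 6000),
    # First Task Manager session: the suspect stops 2 s after it opens and
    # starts again 4 s after it closes.
    ("2019-08-14T09:30:00", "start", r"C:\Windows\System32\Taskmgr.exe", 5000),
    ("2019-08-14T09:30:02", "stop",  r"C:\Users\x\AppData\Roaming\svchosts.exe", 4410),
    ("2019-08-14T09:31:10", "stop",  r"C:\Windows\System32\Taskmgr.exe", 5000),
    ("2019-08-14T09:31:14", "start", r"C:\Users\x\AppData\Roaming\svchosts.exe", 4412),
    # Second Task Manager session, same pattern.
    ("2019-08-14T10:00:00", "start", r"C:\Windows\System32\Taskmgr.exe", 5100),
    ("2019-08-14T10:00:01", "stop",  r"C:\Users\x\AppData\Roaming\svchosts.exe", 4412),
    ("2019-08-14T10:02:00", "stop",  r"C:\Windows\System32\Taskmgr.exe", 5100),
    ("2019-08-14T10:02:03", "start", r"C:\Users\x\AppData\Roaming\svchosts.exe", 4413),
    # Benign process that simply runs across both sessions.
    ("2019-08-14T11:00:00", "stop",  r"C:\Windows\System32\notepad.exe", 6000),
]


def _basename(image):
    """Executable name from a Windows path, lower-cased."""
    return image.lower().rsplit("\\", 1)[-1]


def _parse(events):
    """Convert timestamps to datetimes and return events in time order."""
    parsed = [(datetime.fromisoformat(ts), ev, image, pid) for ts, ev, image, pid in events]
    parsed.sort(key=lambda e: e[0])
    return parsed


def taskmgr_sessions(events):
    """Return a list of (start, stop) datetimes, one per Task Manager run."""
    sessions = []
    open_pids = {}
    for ts, ev, image, pid in _parse(events):
        if _basename(image) != TASKMGR:
            continue
        if ev == "start":
            open_pids[pid] = ts
        elif ev == "stop" and pid in open_pids:
            sessions.append((open_pids.pop(pid), ts))
    return sessions


def find_taskmgr_dodgers(events, window_seconds=10, min_hits=2):
    """
    Flag images whose lifetime is anti-correlated with Task Manager.

    Returns {image: (stops_after_taskmgr_start, starts_after_taskmgr_stop)}
    for every image that shows at least `min_hits` of each pattern.
    """
    window = timedelta(seconds=window_seconds)
    sessions = taskmgr_sessions(events)
    hits = defaultdict(lambda: [0, 0])
    for ts, ev, image, pid in _parse(events):
        if _basename(image) == TASKMGR:
            continue
        for tm_start, tm_stop in sessions:
            if ev == "stop" and tm_start <= ts <= tm_start + window:
                hits[image][0] += 1
            elif ev == "start" and tm_stop <= ts <= tm_stop + window:
                hits[image][1] += 1
    return {img: tuple(c) for img, c in hits.items() if min(c) >= min_hits}


if __name__ == "__main__":
    for image, (stops, starts) in find_taskmgr_dodgers(SAMPLE_EVENTS).items():
        print(f"suspect: {image}  stopped after Task Manager opened {stops}x, "
              f"restarted after it closed {starts}x")
```

Requiring repeated hits of both patterns keeps a single coincidence (a user closing a program right after opening Task Manager) from triggering an alert; in a real feed the image path would be joined with the parent process and network activity before anyone acts on it.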
The miner element of the malware is based on the openly available XMRig code hosted on GitHub. However, Varonis found that its monero (XMR) mining is blocked by the mining pool it connects to, so it is effectively disabled.
The researchers further found a PHP shell, possibly linked to Norman, that "continually linked to a command-and-control (C&C) server." Web shells can allow remote access to a system on which they are installed.
However, the team found that the shell's code simply entered a loop awaiting commands.
The report also notes that Norman may have been created in France or a French-speaking nation. "The SFX file had comments in French, which indicated that the author used to create the file," said Varonis.
Hat tip: TNW
Cat in a box image via Shutterstock; gif animation via Varonis