August 19, 2019 – Malware is proliferating around the clock, so we need to understand its types, nature, and attack methodologies in order to know how to mitigate an attack.
Last August 15, 2019, the Varonis cybersecurity research team disclosed a new crypto-jacking malware dubbed “Norman”. It mines the cryptocurrency Monero (XMR) while working to evade detection.
Malware is any program or file that is harmful to a computer: it is designed to damage the machine or take sensitive information without the user’s consent. Cryptojacking is one of many malware variants; it hijacks a victim’s computing power to mine cryptocurrency, and the foothold it gives attackers can also expose data, applications, or whole environments.
A Varonis cybersecurity researcher used dynamic analysis to examine the malware’s behavior and functionality and to identify technical indicators:
- Scope: nearly every server in the affected environment was found to be infected with a cryptominer;
- Behavior: “Norman” employs evasion techniques to hinder analysis and avoid discovery;
- Dependencies: the malware variants relied on DuckDNS for command and control (C&C). Norman terminates its mining process as soon as a user opens Task Manager; once Task Manager is closed, the malware reloads its configuration from the back end and relaunches the miner;
- Origin: Norman is an XMRig-based cryptominer;
- Impact: attackers deploy the malware to harvest the computing power of users’ machines to mine cryptocurrencies such as the privacy-oriented coin Monero.
The researchers concluded that the malware is written in PHP and obfuscated with Zend Guard, and that it continually connects to a command and control (C&C) server. On several servers they also found an XSL file that launches an executable named mscorsv.exe from the Windows SysWOW64 folder.
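The Task Manager evasion described above can be turned into a detection. The following is an added example written for this article, not Varonis’s code or anything taken from Norman: it correlates constructed process start/stop events (the field layout, the image names, the ten-second window and the two-cycle threshold are all assumptions) and flags any image that dies within seconds of taskmgr.exe starting and reappears within seconds of it exiting, on repeated occasions. A benign process that keeps running through both Task Manager sessions is included to show it is not flagged.

```python
"""Flag processes that pause while Task Manager is open and resume after it closes.

Added example for this article (not Varonis or Norman code). The event
feed below is constructed to look like an EDR/Sysmon process start/stop
stream; field layout, image names and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry: (ISO timestamp, event, image name, pid).
# "wmiupdate.exe" is a made-up name standing in for a miner that hides
# from Task Manager; "notepad.exe" is a benign process that runs straight
# through both Task Manager sessions.
SAMPLE_EVENTS = [
    ("2019-08-15T09:00:00", "start", "notepad.exe", 3001),
    ("2019-08-15T10:00:00", "start", "wmiupdate.exe", 4412),
    ("2019-08-15T10:05:00", "start", "taskmgr.exe", 5100),
    ("2019-08-15T10:05:02", "stop", "wmiupdate.exe", 4412),
    ("2019-08-15T10:06:30", "stop", "taskmgr.exe", 5100),
    ("2019-08-15T10:06:33", "start", "wmiupdate.exe", 4790),
    ("2019-08-15T10:20:00", "start", "taskmgr.exe", 5211),
    ("2019-08-15T10:20:01", "stop", "wmiupdate.exe", 4790),
    ("2019-08-15T10:21:00", "stop", "taskmgr.exe", 5211),
    ("2019-08-15T10:21:04", "start", "wmiupdate.exe", 4822),
]

WINDOW = timedelta(seconds=10)   # how soon after Task Manager opens/closes we look (assumption)
MIN_CYCLES = 2                   # stop/restart cycles needed before alerting (assumption)
TASKMGR = "taskmgr.exe"


def _parse(events):
    """Normalise to (datetime, event, lowercase image, pid), sorted by time."""
    rows = [(datetime.fromisoformat(ts), ev, img.lower(), pid) for ts, ev, img, pid in events]
    return sorted(rows, key=lambda r: r[0])


def taskmgr_sessions(events):
    """Pair taskmgr.exe start/stop events into (opened, closed) intervals."""
    sessions, opened = [], None
    for ts, ev, img, _pid in _parse(events):
        if img != TASKMGR:
            continue
        if ev == "start":
            opened = ts
        elif ev == "stop" and opened is not None:
            sessions.append((opened, ts))
            opened = None
    return sessions


def find_taskmgr_dodgers(events, window=WINDOW, min_cycles=MIN_CYCLES):
    """Return {image: cycles} for images that stop within `window` of Task
    Manager opening and start again within `window` of it closing, for at
    least `min_cycles` separate Task Manager sessions."""
    rows = _parse(events)
    cycles = defaultdict(int)
    for opened, closed in taskmgr_sessions(events):
        stopped = {img for ts, ev, img, _ in rows
                   if ev == "stop" and img != TASKMGR and opened <= ts <= opened + window}
        restarted = {img for ts, ev, img, _ in rows
                     if ev == "start" and img != TASKMGR and closed <= ts <= closed + window}
        for img in stopped & restarted:
            cycles[img] += 1
    return {img: n for img, n in cycles.items() if n >= min_cycles}


if __name__ == "__main__":
    for img, n in find_taskmgr_dodgers(SAMPLE_EVENTS).items():
        print(f"{img}: stopped/restarted around Task Manager {n} times")
```

The image name is deliberately not part of the rule: a miner that injects into, or names itself after, a legitimate system process would still be caught, because the signal is the timing relationship with taskmgr.exe rather than what the process is called. Requiring two or more cycles keeps a single coincidental crash out of the alert queue.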
Separately, cybersecurity company Carbon Black uncovered another strain of XMR mining malware last week: it found that a malware family called “Smominru” is now stealing user data alongside its mining operations. In its words:
“This discovery indicates a bigger trend of commodity malware evolving to mask a darker purpose and will force a change in the way cybersecurity professionals classify, investigate and protect themselves from threats.”
Baseline defense against Remote Shells
According to Varonis researchers, because “Norman” relies on C&C servers to operate, its actions are not predictable; they will likely resemble those of a manual penetration tester or attacker and be difficult to detect with a regular antivirus scan. Baseline defenses:
- Keep all software up to date;
- Monitor abnormal data access;
- Monitor network traffic and web proxies;
- Monitor CPU activity on computers;
- Monitor DNS for queries to unusual dynamic DNS services (for example, DuckDNS);
- Prepare an incident response plan with the right procedures and the capability to detect, contain, and remediate cryptominers.
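As an added illustration of the DNS and network-monitoring items above (not code from Varonis or from the original article), the script below scans a constructed DNS query log for lookups of dynamic DNS zones such as DuckDNS and then checks whether any client is querying such a name at regular intervals, the beaconing rhythm a C&C channel tends to produce. The log format, client addresses, hostnames, the provider list and the 0.2 regularity threshold are assumptions.

```python
"""Triage a DNS query log for dynamic-DNS lookups and C&C-style beaconing.

Added example for this article (not Varonis code). The log below is
constructed; its one-line-per-query format (timestamp, client, qname,
qtype) is an assumption, as are the hostnames and the provider list.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Dynamic DNS zones worth a second look. DuckDNS is the one named in the
# Varonis findings; the rest are other well-known dynamic DNS providers.
DYNDNS_SUFFIXES = ("duckdns.org", "no-ip.com", "dyndns.org", "ddns.net")

# Constructed sample log: one client polls a DuckDNS name every ~5 minutes,
# another does a single one-off dynamic DNS lookup, plus ordinary traffic.
SAMPLE_DNS_LOG = """\
2019-08-15T10:00:01 10.0.0.12 update.microsoft.com A
2019-08-15T10:00:05 10.0.0.12 c2host.duckdns.org A
2019-08-15T10:05:05 10.0.0.12 c2host.duckdns.org A
2019-08-15T10:10:06 10.0.0.12 c2host.duckdns.org A
2019-08-15T10:15:05 10.0.0.12 c2host.duckdns.org A
2019-08-15T10:20:05 10.0.0.12 c2host.duckdns.org A
2019-08-15T10:03:00 10.0.0.20 www.example.com A
2019-08-15T10:07:30 10.0.0.20 mycam.ddns.net A
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_log(text):
    """Parse log lines into (datetime, client, lowercase qname, qtype)."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines rather than crash
        ts, client, qname, qtype = m.groups()
        rows.append((datetime.fromisoformat(ts), client, qname.lower().rstrip("."), qtype))
    return rows


def is_dynamic_dns(qname):
    """True if qname is, or sits under, a listed dynamic DNS zone."""
    return any(qname == s or qname.endswith("." + s) for s in DYNDNS_SUFFIXES)


def dynamic_dns_queries(rows):
    """Group dynamic DNS lookups as {(client, qname): sorted timestamps}."""
    hits = defaultdict(list)
    for ts, client, qname, _qtype in rows:
        if is_dynamic_dns(qname):
            hits[(client, qname)].append(ts)
    return {key: sorted(stamps) for key, stamps in hits.items()}


def beacon_score(timestamps):
    """Coefficient of variation of the gaps between queries.
    Values near 0 mean the client asks at a very regular interval."""
    if len(timestamps) < 3:
        return None
    gaps = [(b - a).total_seconds() for a, b in zip(timestamps, timestamps[1:])]
    m = mean(gaps)
    return pstdev(gaps) / m if m else None


def triage(text, max_cv=0.2):
    """Return sorted (client, qname, query_count, verdict) findings."""
    findings = []
    for (client, qname), stamps in dynamic_dns_queries(parse_log(text)).items():
        cv = beacon_score(stamps)
        verdict = "beaconing" if cv is not None and cv <= max_cv else "dynamic-dns lookup"
        findings.append((client, qname, len(stamps), verdict))
    return sorted(findings)


if __name__ == "__main__":
    for client, qname, count, verdict in triage(SAMPLE_DNS_LOG):
        print(f"{client} -> {qname} ({count} queries): {verdict}")
```

A single lookup of a dynamic DNS name is only a lead; the same name resolved on a fixed cadence from one host is what the Varonis guidance to watch DNS and network traffic is really after, and that is the case the script labels as beaconing. Feed it your resolver's query log after mapping the fields, and cross-reference flagged clients with the CPU-usage check from the same list.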
The key takeaway from this incident is that early detection is what stops unexplained web shell activity from turning into full-blown crypto-jacking.
This article first appeared on BitPinas: Cryptomalware Norman Mines Monero While Hiding From Task Manager