Meet Norman: a highly evasive and persistent cryptojacking malware

Norman crypto jacker is so evasive that it spread to almost every computer of the affected company without being detected

Normal crypto malware detectedThe security research team analyzed a new highly evasive and persistent cryptojacking malware that was found on almost every computer of the affected firm

The Varonis Security Research team has discovered a new sophisticated, and extremely evasive malware strain. Dubbed Norman, the XMRig-based crypto miner is designed to abuse the infected system's CPU power in order to effectively mine Monero and deliver the funds directly into malicious actors wallets.

Varonis researches explained in the security blog:[1]

Analysis of the collected malware samples revealed a new variant, which the team dubbed “Norman” that uses various techniques to hide and avoid discovery. We also discovered an interactive web shell that may be related to the mining operators.

Cryptojacking malware became extremely prevalent during 2018, as the prices of cryptocurrency skyrocketed. According to Checkpoint research team,[2] it affected ten times more organizations than ransomware did during the time. While the activity of active infections slowed down as Bitcoin and other cryptocurrency prices sunk and miners like Coinhive were terminated,[3] the illegal usage of CPU power in order to profit is still there, and Norman is a proof that the malicious actors are eager to put in time into developing sophisticated Monero-mining botnet.

Norman uses Dynamic DNS service to communicate with the C&C servers

Varonis researchers started the investigation when its security solutions flagged an unusual file and network activity, as well as suspicious network communications, at the mid-size organization. The firm itself has also reported that the network connection between the machines is slow and the internally-used applications often crash or lag.

While the security team managed to pinpoint every single host machine and contain the infection, researchers quickly realized that further investigation is required. Forensics and Research teams then conducted the analysis that exposed malware's functions, and it became clear that what they are dealing with is not an average crypto jacker.

According to the report, the virus uses a free dynamic DNS service DuckDNS for all the communications, while variants were used for hackers to constantly update the malware and send out configuration settings.

Further examination showed that the crypto jacker also drops password-stealing tools, which are most likely used to proliferate more machines and expand the already sizeable crypto-mining botnet. Consequently, the combined power of the infected computers brought malicious actors a significant amount of profits throughout the time the firm was affected. However, experts could not find the infection vector, although the first samples were over a year old.

Malware uses sophisticated tricks in order to avoid detection and remain hidden from computer users

Our of all the examined samples, Norman was the one that sparks the most interest, and researchers named it a “high-performance miner for Monero cryptocurrency.” It was designed to execute the malicious payload using several infection stages and has two main modules. One of them is responsible for cryptocurrency mining, while the other takes care of evasion techniques.

The main malware process usually runs in the background under the “svchost.exe,” which would not arouse any suspicions (it is a known fact that computer threats tend to hide within legitimate processes).[4] In other cases, the malicious process could be simply shut down via the Task Manager, and the crypto mining would discontinue. However, Norman uses a “wuapp.exe” process that shuts down as soon as the Task Manager is opened, making it difficult to spot in the first place.

The infected firm managed to get rid of the cryptocurrency miner with the help of Varonis research team. However, it is clear that hackers behind the strain will continue their malicious deeds and will try to infect and take over other organizations. As of now, it is unclear who the culprits behind the strain are, but experts managed to determine that it originated either in France or a French-speaking country, as comments in the SFX file were written in French.

While it is unknown how malware spreads, organizations should make sure they patch all used software on time (especially when using open-source resources like Drupal),[5] as many malware strains use zero-day vulnerabilities to break into even large organizations.[6]

About the author
Gabriel E. Hall
Gabriel E. Hall - Passionate web researcher

Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.

Contact Gabriel E. Hall
About the company Esolutions