A new strain of Monero mining malware has been discovered by security researchers that is able to avoid detection. The malware, named Norman had infected almost every device at an unnamed mid-sized company before the researchers discovered it. Norman is based on the XMRig, a high-performance Monero miner.
The researchers at New York-based cyber security firm Varonis discovered the malware almost a year after it first attacked its victims. According to a blog post by the company, the investigation by the researchers began after several alerts of abnormal web activity by the company. Several workers in the company had reported network slowdowns and unstable applications.
Varonis explained, “Infected hosts were easily detected by their use of DuckDNS, a dynamic DNS service that allows its users to create custom domain names. As stated above, most of the malware from this case relied on DuckDNS for command and control (C&C) communications, to pull configuration settings or send updates.”
Norman was deployed in three stages, the first of which was execution. Injection, which is the next stage, involves many payload injections into itself and other processes, with the malware automatically choosing a different execution and launch process depending on the device’s OS bit type. The final stage is crypto mining.
One of Norman’s most defining characters is its ability to shut down malicious processes when the user opens Windows Task Manager. This makes it that much harder to trace for a victim. Once the Task Manager closes, the malware executes the EXE file and re-injects the miner.
The researchers concluded that the malware most likely originated from France or another French-speaking country. The SFX file had comments in French, with some variables in the code also being written in French.
Varonis advised companies to take some steps to protect their devices against remote shells which it described as a ‘different type of threat than the average virus.’ Companies should keep all software up to date, monitor abnormal data access and network traffic.
For even more security, companies should use and maintain antivirus and end-point solutions which can detect popular cryptojacking malware.
Cryptojacking malware has continued to be one of the most appealing channels for hackers. As CoinGeek reported recently, an updated cryptojacking malware known as Smominru was recently updated to steal user data for resale in the dark web. The malware was found to have infected over 500,000 computers globally, with most of the victims being in Eastern Europe and Asia Pacific regions.
New to Bitcoin? Check out CoinGeek’s Bitcoin for Beginners section, the ultimate resource guide to learn more about Bitcoin—as originally envisioned by Satoshi Nakamoto—and blockchain.