A never-before-seen cryptomining variant, dubbed “Norman” after one of its executable files, has been spotted in the wild using various techniques to hide and avoid discovery. The levels of obfuscation are notable for their sheer depth, according to an analysis.
Varonis uncovered an initial sample after investigating an ongoing malware infection that had spread to nearly every server and workstation at a midsize company. Much of the malware consisted of generic cryptominers, password-harvesting tools and hidden PHP shells – and Norman too at first seemed to be a generic miner hiding itself as “svchost.exe,” the researchers said. But further investigation told a different story.
“Norman is an XMRig-based cryptominer, a high-performance miner for Monero cryptocurrency,” researchers said in an analysis on Wednesday. “Unlike other miner samples we have collected, Norman employs evasion techniques to hide from analysis and avoid discovery.”
Multiple Layers of Obfuscation
The malware’s deployment can be divided into three stages: Execution, injection and mining – each with its own evasion methods.
The first stage starts with the svchost.exe executable which, unusually, was compiled with the Nullsoft Scriptable Install System (NSIS).
“NSIS is an open-source system used to create Windows installers,” explained the researchers. “Like SFX, it creates a file archive and a script file that runs when the installer executes. The script file instructs the program which files to run and can interact with the other files inside the archive. The malware executes by calling a function in 5zmjbxUIOVQ58qPR.dll which accepts the other files as parameters.”
In the second stage, the main 5zmjbxUIOVQ58qPR.dll file payload file (originally named “Norman.dll”, hence the name) is built with .NET and triple obfuscated with Agile obfuscator, a known commercial .NET obfuscator.
“The execution of the malware involves many payload injections into itself and other processes,” according to the analysis. “Depending on the OS’s bit type, the malware will choose a different execution path and launch different processes.”
More specifically, the malware injects a UPX-obfuscated version of the miner to either Notepad, Explorer, svchost or wuapp depending on the execution path.
The injected payload has two main functions: To execute the cryptominer and evade detection. Once running, the XMRig miner itself is obfuscated with UPX. And, the malware is designed to avoid detection by terminating the miner (wuapo.exe) when a user opens Task Manager. After Task Manager closes, the malware will execute the wuapp.exe process and reinject the miner.
Mysterious PHP Shell
Varonis also found that much of the malware (Norman and other samples) were communicating with the command-and-control (C2) service via an unusual web service.
“Infected hosts were easily detected by their use of DuckDNS,” according to the research. “DuckDNS is a dynamic DNS service that allows its users to create custom domain names. Most of the malware from this case relied on DuckDNS for C2 communications, to pull configuration settings or send updates.”
During the investigation, the forensics specialists also found an XSL file that revealed a new PHP-shell that continually connects to the C2. Aside from the fact that both Norman and the PHP shell use DuckDNS, the two may be related given that the shell’s existence would explain why the Norman infection was so widespread within the company.
“None of the malware samples had any lateral movement capabilities, though they had spread across different devices and network segments,” the researchers said. “Though the threat actor could have infected each host individually (perhaps via the same vector used in the initial infection), it would have been more efficient to use the PHP shell to move laterally and infect other devices in the victim’s network.”
As for other attribution characteristics, the attackers also seem to originate in a French-speaking country, with some variables and functions in the code written in French.
“An interesting thing that we encountered during the analysis is that the malware possibly originated from France or another French-speaking country: the SFX file had comments in French, which indicate that the author used a French version of WinRAR to create the file,” explained Varonis.
Cryptomining is increasingly attacking businesses. To protect themselves, users should as always keep software up to date, monitor for abnormal data access, and use AV and a firewall.