The Varonis Security Research team recently investigated an ongoing cryptomining infection that had spread to nearly every device at a mid-size company. Analysis of the collected malware samples revealed a new variant, which the team dubbed “Norman” that uses various techniques to hide and avoid discovery. We also discovered an interactive web shell that may be related to the mining operators.
Research Overview
- We found a large-scale infection of cryptominers; almost every server and workstation in the company was infected.
- Since the initial infection, which took place over a year ago, the number of variants and infected devices grew.
- Norman employs evasion techniques to hide from analysis and avoid discovery.
- Most of the malware variants relied on DuckDNS (a free, Dynamic DNS service). Some needed it for command and control (C&C) communications, while others used it to pull configuration settings or to send updates.
- Norman is an XMRig-based cryptominer, a high-performance miner for Monero cryptocurrency.
- We have no conclusive evidence that connects the cryptominers to the interactive PHP Shell. However, we have strong reason to believe they originate from the same threat actor. We make a case whether they may or may not be connected.
- We provide tips for defending against remote web shells and cryptominers.
The Investigation
The investigation began during an evaluation of our Data Security Platform, which quickly raised several suspicious network-related alerts for abnormal web activity alongside correlated abnormal file activities. The customer quickly realized the devices flagged by the Varonis platform belonged to the same users who had reported recent unstable applications and network slowdowns.
Varonis’ Forensics team manually investigated the customer’s environment, hopping from infected station to station based on the alerts generated by Varonis. Varonis’ Incident Response team implemented a custom rule in DatAlert to detect machines that were actively mining and quickly contained the incident. The team forwarded malware samples to our Forensics and Research teams, which determined that additional investigation was needed.
Infected hosts were easily detected by their use of DuckDNS, a dynamic DNS service that allows its users to create custom domain names. As stated above, most of the malware from this case relied on DuckDNS for command and control (C&C) communications, to pull configuration settings or send updates.
Almost every server and workstation was infected with malware. Most were generic variants of cryptominers. Some were password dumping tools, some were hidden PHP shells, and some had been present for several years.
We delivered our findings to the customer, removed the malware from their environment, and the infection stopped.
Out of all the cryptominer samples that we found, one stood out. We named it “Norman.”
