Image
Almost every server and workstation was infected with malware. Most were generic variants of cryptominers. Some were password dumping tools, some were hidden PHP shells, and some had been present for several years.Varonis didn't have a difficult time identifying the hosts affected by the attack. That's because they all used DuckDNS, a dynamic DNS service which users can use to create custom domain names. In this particular case, the infected hosts leveraged DuckDNS for their command-and-control (C&C) infrastructure. This process ultimately led Varonis to uncover Norman. The sample identified by the data security software firm functioned as an XMRig-based cryptominer. It also concealed itself as "svchost.exe." Even so, the malware stood out for its abilities to evade detection. For instance, the malware's DLL arrived with triple obfuscation courtesy of the Agile obfuscator. Later on in the infection chain, the malware terminated its mining component whenever a user opened Task Manager so as to trick them into thinking that nothing's wrong. It also injected an obfuscated miner version to Notepad, Explorer, svchost or wuapp depending on the infection's execution path. As of this writing, it's unclear which actor created Norman. Varonis did determine that the actor likely spoke French because they used a French version of WinRAR to create an SFX file used in the campaign. In order to learn more about the malware, the firm also modified the threat with code so that it'll be notified of new commands received by Norman going forward.
Image
