A new cryptominer malware that infected almost all the computers on a company’s network within a year uses DuckDNS for command and control (C2) communications with its masters.
Cryptomining (also known as cryptojacking) campaigns stealthily use a compromised computer’s resources to mine cryptocurrency that is delivered straight to the crypto wallets owned by the threat actors which operate them.
Mining malware affected ten times more organizations than ransomware did in 2018, according to a Check Point Research report, and more and more malware families have added cryptocurrency-targeting capabilities to their arsenal.
DuckDNS used for C2 communication
The new miner malware strain dubbed Norman by the Varonis Security Research team was discovered while actively mining for Monero using the computing resources of the infected workstations and servers as directed by its operators.
All infected hosts on the network were easily spotted by their use of DuckDNS, a free dynamic DNS service that lets users point a custom subdomain at a changing IP address.
According to the researchers who found this new cryptomining malware, “most of the malware from this case relied on DuckDNS for command and control (C&C) communications, to pull configuration settings or send updates.”
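Because the samples all phoned home through DuckDNS hostnames, resolver logs are the cheapest place to find every affected host at once. The following is an added example (not code from Varonis or from the original article) that sweeps a constructed DNS query log for user-registered hosts under duckdns.org and reports which clients resolved them and how often; the log format, IPs and hostnames are assumed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample DNS resolver log (not from the Varonis report). Assumed format:
# "<timestamp> <client_ip> query: <qname> <qtype>"
SAMPLE_DNS_LOG = """\
2019-08-14T09:12:01Z 10.0.4.21 query: updates.corp.example A
2019-08-14T09:12:05Z 10.0.4.21 query: someminer.duckdns.org A
2019-08-14T09:12:07Z 10.0.4.33 query: www.microsoft.com A
2019-08-14T09:13:10Z 10.0.4.33 query: c2-panel.duckdns.org A
2019-08-14T09:14:11Z 10.0.4.33 query: c2-panel.duckdns.org. A
2019-08-14T09:15:00Z 10.0.4.50 query: notduckdns.org A
2019-08-14T09:15:02Z 10.0.4.50 query: duckdns.org.evil.example A
2019-08-14T09:16:02Z 10.0.4.60 query: WWW.DuckDNS.org A
"""

# Dynamic DNS suffixes to watch; extend with other providers seen in your environment.
DYNDNS_SUFFIXES = ("duckdns.org",)
# Labels that are the provider's own web site rather than a user-registered host.
PROVIDER_OWN_LABELS = {"www"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query:\s+(?P<qname>\S+)\s+(?P<qtype>\S+)$"
)


def is_dynamic_dns_host(qname, suffixes=DYNDNS_SUFFIXES):
    """True if qname is a user-registered host under one of the dynamic DNS suffixes.

    Normalises case and a trailing dot, and requires a real subdomain so that
    look-alikes ("notduckdns.org", "duckdns.org.evil.example") and the provider's
    own site ("www.duckdns.org") are not flagged.
    """
    name = qname.rstrip(".").lower()
    for suffix in suffixes:
        if name.endswith("." + suffix):
            label = name[: -len(suffix) - 1]
            if label not in PROVIDER_OWN_LABELS:
                return True
    return False


def find_dynamic_dns_clients(log_text):
    """Map each client IP to the dynamic DNS hosts it resolved and the query count."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than aborting the sweep
        qname = m.group("qname").rstrip(".").lower()
        if is_dynamic_dns_host(qname):
            hits[m.group("client")][qname] += 1
    return {client: dict(names) for client, names in hits.items()}


if __name__ == "__main__":
    for client, names in sorted(find_dynamic_dns_clients(SAMPLE_DNS_LOG).items()):
        print(client, names)
```

A hit is a lead, not a verdict: DuckDNS has plenty of legitimate users, so pivot from the client list to process and network telemetry on those hosts before calling them infected.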
Besides multiple miner samples, among which Norman stood out as not having been seen in the wild before, Varonis’ research team also found several password-dumping tools and a hidden PHP shell, some of which had infected the systems a few years earlier.
Multi-stage infection process
The Norman cryptominer is dropped on the targets’ systems by a dropper compiled with the Nullsoft Scriptable Install System (NSIS), which executes the payload according to instructions in a bundled script.
In the next stage of the infection, the malicious payload is injected into a process chosen according to whether the OS is 32- or 64-bit. The process injection serves two purposes: to run the mining malware on the infected host and to evade detection.
The payload is “triple obfuscated with Agile obfuscator, a known commercial .NET obfuscator” and it was renamed from Norman.dll to 5zmjbxUIOVQ58qPR.dll as the dll file’s metadata shows.
On 64-bit systems, the malware launched as a svchost process “creates another process of itself and injects a payload into it. Soon after, it executes either Notepad or Explorer and injects the cryptominer into it,” Varonis found.
The initial svchost process is terminated afterward, and the new one is “used as a watchdog for the miner process”, reinjecting the cryptominer if the miner process gets terminated for any reason.
On 32-bit machines, Norman follows the same infection chain as on 64-bit systems, the only difference being that the miner is injected into the explorer.exe process and the watchdog is launched as either another svchost.exe or a wuapp.exe process.
To hide the explorer.exe injection, the malware overwrites “the injected payload with wuapp.exe’s path and nulls,” the Varonis researchers further found.
“At the end of either the x64 or the x32 execution tree, the malware will always inject the cryptominer into a legitimate process that it launches,” the researchers discovered.
Another technique used by the malware to avoid detection is to terminate the miner process whenever the user of the infected computer opens the Task Manager program, relaunching the injected process once the app is closed.
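The watchdog-and-relaunch behaviour and the Task Manager trick both leave a distinctive shape in process start/stop telemetry, which is a more durable detection than the file names involved. The following is an added example (not code from Varonis or from the original article) that correlates a constructed stream of process events in the style of an EDR or Sysmon feed: it groups child processes by parent PID and image name, counts children that are replaced within seconds of dying (watchdog respawn), and counts children that die right after taskmgr.exe starts and come back right after it exits. The event format, PIDs, timings and window sizes are assumed for illustration.

```python
from collections import defaultdict

# Constructed process start/stop events (not from the Varonis report).
# Tuple layout, assumed for this example: (seconds, "start"|"stop", pid, image, parent_pid).
SAMPLE_EVENTS = [
    (0,   "start", 100, "svchost.exe", 90),    # watchdog launched by the dropper (pid 90)
    (1,   "start", 200, "notepad.exe", 100),   # miner injected into a fresh notepad.exe
    (60,  "start", 300, "taskmgr.exe", 10),    # user opens Task Manager
    (61,  "stop",  200, "notepad.exe", 100),   # miner host killed by the watchdog
    (120, "stop",  300, "taskmgr.exe", 10),    # user closes Task Manager
    (122, "start", 201, "notepad.exe", 100),   # miner host relaunched
    (300, "stop",  201, "notepad.exe", 100),   # user kills notepad.exe manually
    (302, "start", 202, "notepad.exe", 100),   # watchdog respawns it within seconds
    (400, "start", 400, "chrome.exe",  10),    # unrelated benign activity
]

RESPAWN_WINDOW = 5.0   # seconds between a child's death and its replacement
TASKMGR_WINDOW = 5.0   # seconds around taskmgr.exe start/stop


def analyze_process_events(events, respawn_window=RESPAWN_WINDOW,
                           taskmgr_window=TASKMGR_WINDOW):
    """Return one finding per (parent_pid, child image) that shows watchdog behaviour.

    A 'respawn' is a new child with the same image and parent starting within
    respawn_window seconds of the previous one stopping. A 'taskmgr hide' is a
    child that stops within taskmgr_window of taskmgr.exe starting plus a
    replacement that starts within taskmgr_window of taskmgr.exe stopping.
    """
    starts, stops = {}, {}
    taskmgr_intervals = []
    for ts, kind, pid, image, ppid in sorted(events, key=lambda e: e[0]):
        image = image.lower()
        if kind == "start":
            starts[pid] = (ts, image, ppid)
            if image == "taskmgr.exe":
                taskmgr_intervals.append([ts, None])
        elif kind == "stop":
            stops[pid] = ts
            if image == "taskmgr.exe":
                for iv in taskmgr_intervals:
                    if iv[1] is None:
                        iv[1] = ts
                        break

    # Group each child's lifetime (start, stop, pid) by its parent PID and image name.
    lifetimes = defaultdict(list)
    for pid, (ts, image, ppid) in starts.items():
        lifetimes[(ppid, image)].append((ts, stops.get(pid), pid))

    findings = []
    for (ppid, image), lives in lifetimes.items():
        lives.sort()
        respawns = sum(
            1 for prev, cur in zip(lives, lives[1:])
            if prev[1] is not None and 0 <= cur[0] - prev[1] <= respawn_window
        )
        hides = 0
        for tm_start, tm_stop in taskmgr_intervals:
            died = any(stop is not None and 0 <= stop - tm_start <= taskmgr_window
                       for _, stop, _ in lives)
            revived = tm_stop is not None and any(
                0 <= start - tm_stop <= taskmgr_window for start, _, _ in lives)
            if died and revived:
                hides += 1
        if respawns or hides:
            findings.append({"parent_pid": ppid, "image": image,
                             "respawns": respawns, "taskmgr_hides": hides,
                             "pids": [pid for _, _, pid in lives]})
    return findings


if __name__ == "__main__":
    for f in analyze_process_events(SAMPLE_EVENTS):
        print(f)
```

Two caveats apply in production: PIDs are reused, so key on the process GUID your sensor provides rather than the raw PID when it has one; and a respawn pattern alone also matches legitimate supervisors, so weight the finding by the parent being an svchost.exe that was not started by services.exe, or by the child being a GUI program such as notepad.exe with no visible window and sustained CPU use.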
Once injected into Notepad, Explorer, svchost, or wuapp and running on a compromised machine, the cryptominer uses a built-in miner configuration; the Monero address in that configuration, which the operators used to collect the mined XMR, is now banned.
As mentioned above, a hidden PHP shell was also found on some of the infected workstations and servers. It was dropped as an XSL file containing PHP code and executed by a Zend Guard executable disguised as mscorsv.exe, which was dropped on the compromised machines alongside it.
The PHP shell connected continuously to an attacker-controlled command and control (C2) server, sending encrypted data and receiving commands.
Varonis’ research team found multiple versions of this malware and discovered that it has the following capabilities:
While the PHP shell and the Norman cryptominer were found on the same infected computers in some cases, Varonis is not certain that they belong to the same threat actor.
Although both use DuckDNS in some form and neither performs lateral movement within the network, the researchers found no other technical similarities between them, no communication channel set up between the two strains, and no other ‘fingerprinting’ attempt succeeded.
Cryptomining malware still going strong
Malware developers are targeting most platforms with their malicious payloads, their cryptominers having been observed while attempting to infect all types of platforms and devices, from Windows, Linux, and macOS computers to Android devices and cloud services.
In July, attackers exploited vulnerable Jira and Exim servers to infect them with a new Watchbog Linux Trojan variant and used the resulting botnet for Monero mining, while claiming that their end goal is to keep the internet safe.
Security researchers also discovered a cryptocurrency mining botnet in July using the Android Debug Bridge (ADB) Wi-Fi interface and SSH connections to spread between Android devices.
One month earlier, Kaspersky found a modular cryptomining backdoor malware with worm capabilities, observing it while spreading to other network hosts using SMB and UPnP plugins.
Exposed Docker APIs were also targeted by attackers to drop a Dofloo Trojan variant used to build large-scale botnets and, in some of the observed infections, to load mining malware.
A more exotic malicious mining campaign was also detected in June, with the LoudMiner Linux cryptocurrency mining malware being dropped on compromised macOS and Windows devices in the form of a Tiny Core Linux virtual machine that would be executed via QEMU or VirtualBox.