Varonis Uncovers a New Malware Strains and a Mysterious Web Shell

The Varonis Security Research team recently investigated an ongoing cryptomining infection that had spread to nearly every device at a mid-size company. The investigation began during an evaluation of the Varonis Data Security Platform, which quickly raised several suspicious network-related alerts for abnormal web activity alongside correlated abnormal file activity. The customer quickly realized that the devices flagged by the Varonis platform belonged to the same users who had recently reported unstable applications and network slowdowns.

Varonis’ Forensics team manually investigated the customer’s environment, hopping from infected station to station based on the alerts generated by Varonis. Varonis’ Incident Response team implemented a custom rule in DatAlert to detect machines that were actively mining and quickly contained the incident. The team forwarded malware samples to Forensics and Research teams, which determined that additional investigation was needed.

Infected hosts were easy to detect because they used DuckDNS, a dynamic DNS service that lets its users create custom domain names. Most of the malware in this case relied on DuckDNS for command and control (C&C) communications, either to pull configuration settings or to send updates.

After the research and investigation done by Varonis’ Forensics and Research teams, they found that almost every server and workstation was infected with malware. Most were generic variants of cryptominers. Some were password-dumping tools, some were hidden PHP shells, and some had been present for several years. Out of all the cryptominer samples that were found, one stood out. Varonis named it “Norman”, a new variant of Monero-mining malware that employs crafty tricks to avoid being spotted. They also discovered an interactive web shell that may be related to the mining operators. Discover more about “Norman” and how to defeat it from the following information.

What is “Norman” the Cryptominer?

The Norman malware will likely be new to most people, as it uses various techniques to hide and avoid discovery. Norman is an XMRig-based cryptominer; XMRig is a high-performance miner for the Monero cryptocurrency. At first glance, the malware seemed to be a generic miner disguising itself as “svchost.exe.” However, the techniques it used proved to be more interesting. The malware’s deployment can be divided into three stages: execution, injection, and mining.

How to Defeat Cryptomining Malware?

To help businesses defeat cryptomining malware, Varonis DatAlert includes threat models that help IT teams detect cryptomining malware in their systems. Businesses can also create custom rules to provide dedicated detections against potentially blacklisted domains.

In addition, Varonis’ customers are also struggling with a mysterious web shell that could harm their IT systems. Malware that relies on commands from C&C servers to operate is a different type of threat than the average virus: its actions are not as predictable and will likely resemble those of a manual attacker or penetration tester.

Therefore, here are three tips from Varonis to help companies defend their systems against interactive web shells:

  1. Keep all software up to date. Attackers often exploit vulnerabilities in software and operating systems to move laterally in the organization and steal data. Staying up to date with patches greatly reduces the risk of threats.
  2. Monitor abnormal data access. An attacker will most likely try to exfiltrate sensitive data from the organization. Monitoring abnormal user access to sensitive data can help detect compromised users and data that might have been exposed.
  3. Monitor network traffic. By using a firewall or proxy, it is possible to detect and block malicious communication to C&C servers, thus preventing the attacker from executing commands or extracting data.
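The article notes that most of the malware in this case relied on DuckDNS for C&C, and tip 3 recommends monitoring network traffic. The following added example (not Varonis code) applies both ideas to a resolver query log: it scans log lines for lookups under the duckdns.org zone and reports which internal hosts made them. The log format, IP addresses and hostnames are all constructed for the example.

```python
"""Flag internal hosts whose DNS queries resolve DuckDNS-hosted names.

Added example, not Varonis code: the article notes that most of the malware
in this case used DuckDNS for C&C, so a resolver's query log is a cheap place
to spot infected hosts. Log format and sample lines below are constructed.
"""
import re
from collections import defaultdict

# Dynamic-DNS zones to watch; duckdns.org is the one named in the article.
DYNAMIC_DNS_ZONES = {"duckdns.org"}

# Constructed resolver log format: "<date> <time> client <ip>#<port>: query: <name> IN <type>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<ip>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<qtype>\w+)"
)


def parent_zone(fqdn: str) -> str:
    """Return the last two labels of a name, lower-cased, without a trailing dot."""
    labels = fqdn.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def find_dyndns_clients(log_lines):
    """Map each client IP to the set of dynamic-DNS names it queried.

    Lines that do not match the expected format are skipped rather than
    raising, so a partially corrupted log still yields results. Names are
    normalised (case, trailing dot) so repeated beacons collapse to one entry.
    """
    hits = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        name = m.group("name")
        if parent_zone(name) in DYNAMIC_DNS_ZONES:
            hits[m.group("ip")].add(name.rstrip(".").lower())
    return dict(hits)


# Constructed sample: two workstations querying DuckDNS names, one clean host.
SAMPLE_LOG = [
    "01-Aug-2019 09:12:01.100 client 10.0.5.21#51234: query: example-miner.duckdns.org IN A",
    "01-Aug-2019 09:12:03.221 client 10.0.5.22#49801: query: www.example.com IN A",
    "01-Aug-2019 09:17:01.104 client 10.0.5.21#51240: query: Example-Miner.duckdns.org. IN A",
    "01-Aug-2019 09:20:44.007 client 10.0.5.30#60111: query: cfg-update.duckdns.org IN TXT",
    "malformed line that should be skipped",
]

if __name__ == "__main__":
    for ip, names in sorted(find_dyndns_clients(SAMPLE_LOG).items()):
        print(f"{ip}: {', '.join(sorted(names))}")
```

Hosts listed by the script are candidates for the per-station forensic triage the article describes, not proof of infection on their own, since legitimate uses of dynamic DNS exist.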

As one of the IT experts in Indonesia, Blue Power Technology (BPT) has a proven track record in providing comprehensive IT solutions for Indonesian enterprises, including application development. By partnering with Varonis, BPT can help Indonesian enterprises leverage the benefits of Varonis Edge against interactive web shells and cryptomining malware such as “Norman”.
