New Malware Miner Sneakily Hides When Task Manager Is Open

Meet "Norman" – a new variant of monero-mining malware that employs crafty tricks to avoid being spotted.

AccessTimeIconAug 15, 2019 at 1:30 p.m. UTC
Updated Sep 13, 2021 at 11:20 a.m. UTC
10 Years of Decentralizing the Future
May 29-31, 2024 - Austin, TexasThe biggest and most established global hub for everything crypto, blockchain and Web3.Register Now

Meet "Norman" – a new variant of monero-mining malware that employs crafty tricks to avoid being spotted.

The malicious code was identified by researchers at data security firm Varonis when investigating a crypto-miner infestation at a "mid-size company."

"Almost every server and workstation was infected with malware. Most were generic variants of cryptominers. Some were password dumping tools, some were hidden PHP shells, and some had been present for several years," the firm said.

However, one miner stood out – Norman, as the team dubbed it.

Norman's payload has two primary functions: execute its XMRig-based crypto-miner and avoid detection.

After injection, it overwrites its entry in explorer.exe to conceal evidence of its presence. It also stops operating the miner when the PC's user opens Task Manager (see image below). Re-injecting itself once Task Manager is not running.

norman

The miner element of the malware is based on the openly available XMRig code hosted on GitHib. However, Varonis found that its monero (XMR) address is blocked by the mining pool it links to, and hence is effectively disabled.

The researchers further found a PHP shell, possibly linked to Norman, that "that continually connects to a command-and-control (C&C) server." Web shells can allow remote access to a system on which they are installed.

However, the team found that,  when they ran the code, it entered a loop awaiting commands and none had been received at time of writing.

The report also notes that Norman may have been created in France or a French-speaking nation. "The SFX file had comments in French, which indicate that the author used a French version of WinRAR to create the file," said Varonis.

Hat tip: TNW

Cat in a box image via Shutterstock; gif animation via Varonis 

Disclosure

Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. In November 2023, CoinDesk was acquired by the Bullish group, owner of Bullish, a regulated, digital assets exchange. The Bullish group is majority-owned by Block.one; both companies have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary with an editorial committee to protect journalistic independence. CoinDesk employees, including journalists, may receive options in the Bullish group as part of their compensation.


Learn more about Consensus 2024, CoinDesk's longest-running and most influential event that brings together all sides of crypto, blockchain and Web3. Head to consensus.coindesk.com to register and buy your pass now.