This new cryptojacking malware uses a sneaky trick to remain hidden

'Norman' cryptomining malware was found to have infected almost every system in one organisation during an investigation by security researchers.
Written by Danny Palmer, Senior Writer

A newly-discovered form of cryptocurrency-mining malware is capable of remaining so well-hidden that researchers investigating it found that it had spread to almost every computer at a company that had become infected.

Dubbed 'Norman' due to references in the backend of the malware, the cryptojacker has been detailed by cybersecurity researchers at Varonis.

The Monero-cryptomining campaign was uncovered after Varonis' security platform spotted suspicious network alerts and abnormal file activity on systems within organisations that had reported unstable applications and network slowdown.

Cryptojacking malware exploits the processing power of an infected computer to mine for cryptocurrency – which can cause the system to slow down, even to the point of becoming unusable.

Researchers found that several variants of cryptomining malware had been installed on almost every server and workstation in companies that had fallen victim, and that some machines had even been infected with password stealers – likely used as a means of adding more machines to the mining botnet. It's unknown how the initial infection took place, but in some cases, the malware had been present for years.

Of those variants, it was Norman which sparked the most interest, as the never-before-seen malware is what the Varonis' report describes as a "high-performance miner for Monero cryptocurrency", and was able to employ a number of evasion techniques to avoid discovery. 

SEE: A winning strategy for cybersecurity (ZDNet special report) | Download the report as a PDF (TechRepublic)

One way it does this is by terminating the mining process when the Windows Task Manager is opened. It's a simple trick, but one which stops users from potentially spotting an application that shouldn't be running, wuapp.exe. After the user closes the Task Manager, Norman resumes its work.

The malware has been built to be extremely persistent and it keeps in regular contact with a command and control server, which if needed, could provide new instructions or terminate the malware, although researchers note that during the analysis, no new commands were received.

It's unknown who is behind Norman, but researchers suggest that the malware potentially emerged from France or another French-speaking country because there are various strings in the code of the malware which are written in French.

The organisation that was found to be infected with cryptominers has now need cleaned out the malware, but it could have avoided falling victim in the first place by following some simple security steps.

Organisations should keep operating systems and software up to date by applying patches and security updates – many forms of malware take advantage of known vulnerabilities, but if the correct patch has been applied, it can prevent the vulnerabilities being exploited.

When it comes to cryptominers specifically, organisations should monitor CPU activity on computers. With mining doing its work by exploiting processing power, organisations should take note of any noticeable degradation in processing speeds.

Cryptojacking became one of the most popular forms of cybercrime in 2018, but while some attackers have moved onto other forms of attack, secretly mining for Monero and other cryptocurrencies is still a source of illicit income for many others.


Editorial standards