New Malware Miner Sneakily Hides When Task Manager Is Open
Meet "Norman" – a new variant of monero-mining malware that employs crafty tricks to avoid being spotted.
The malicious code was identified by researchers at data security firm Varonis when investigating a crypto-miner infestation at a "mid-size company."
"Almost every server and workstation was infected with malware. Most were generic variants of cryptominers. Some were password dumping tools, some were hidden PHP shells, and some had been present for several years," the firm said.
However, one miner stood out – Norman, as the team dubbed it.
Norman's payload has two primary functions: execute its XMRig-based crypto-miner and avoid detection.
After injecting itself into explorer.exe, it overwrites its own entry in that process to conceal evidence of its presence. It also stops the miner whenever the user opens Task Manager (see image below), and re-injects itself once Task Manager is no longer running.
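The Task Manager trick turns a weakness into a hunting signal: a process that burns CPU only while taskmgr.exe is closed is behaving unlike any legitimate workload. The script below is an added example (not code from Varonis or from the Norman sample) that applies that heuristic offline to a constructed telemetry feed. It assumes two record kinds that any EDR or Sysmon pipeline can supply: process start/stop events for taskmgr.exe and periodic per-PID CPU samples; the PIDs, timestamps, CPU values and the 80%/5% thresholds are all illustrative.

```python
"""Hunting heuristic for miners that idle while Task Manager is open.

Added example; not from the Varonis report. Telemetry below is constructed.
Each record is (timestamp_s, kind, subject, value):
  kind="proc_start"/"proc_stop": subject is an image name, value unused
  kind="cpu": subject is a PID, value is %CPU over the sampling interval
"""
import math
from collections import defaultdict
from statistics import mean

# Constructed sample feed (assumption: not a real capture).
# PID 4120 behaves like Norman: pegged CPU, then near-zero while taskmgr.exe runs.
# PID 1880 is an ordinary busy process whose load does not react to Task Manager.
SAMPLE_EVENTS = [
    (0,  "cpu", 4120, 97.0), (0,  "cpu", 1880, 31.0),
    (10, "cpu", 4120, 96.0), (10, "cpu", 1880, 28.0),
    (20, "cpu", 4120, 98.0), (20, "cpu", 1880, 33.0),
    (30, "cpu", 4120, 95.0), (30, "cpu", 1880, 30.0),
    (35, "proc_start", "taskmgr.exe", None),
    (40, "cpu", 4120, 0.5),  (40, "cpu", 1880, 29.0),
    (50, "cpu", 4120, 0.0),  (50, "cpu", 1880, 32.0),
    (60, "cpu", 4120, 0.3),  (60, "cpu", 1880, 30.0),
    (65, "proc_stop", "taskmgr.exe", None),
    (70, "cpu", 4120, 94.0), (70, "cpu", 1880, 31.0),
    (80, "cpu", 4120, 97.0), (80, "cpu", 1880, 27.0),
]


def taskmgr_windows(events, image="taskmgr.exe"):
    """Return [(start, end), ...] intervals during which `image` was running.

    A start with no matching stop is treated as still running (end = +inf).
    """
    windows, open_at = [], None
    for ts, kind, subject, _ in sorted(events, key=lambda e: e[0]):
        if subject != image:
            continue
        if kind == "proc_start" and open_at is None:
            open_at = ts
        elif kind == "proc_stop" and open_at is not None:
            windows.append((open_at, ts))
            open_at = None
    if open_at is not None:
        windows.append((open_at, math.inf))
    return windows


def _inside(ts, windows):
    return any(start <= ts <= end for start, end in windows)


def cpu_profile(events, windows):
    """Per PID: (mean %CPU while Task Manager is closed, mean while it is open).

    Either side is None when that PID has no samples in that state.
    """
    outside, inside = defaultdict(list), defaultdict(list)
    for ts, kind, subject, value in events:
        if kind != "cpu":
            continue
        (inside if _inside(ts, windows) else outside)[subject].append(value)
    return {
        pid: (
            mean(outside[pid]) if outside[pid] else None,
            mean(inside[pid]) if inside[pid] else None,
        )
        for pid in set(outside) | set(inside)
    }


def suspicious_pids(events, high=80.0, low=5.0):
    """PIDs that are hot while Task Manager is closed and idle while it is open."""
    windows = taskmgr_windows(events)
    flagged = []
    for pid, (cpu_out, cpu_in) in cpu_profile(events, windows).items():
        if cpu_out is None or cpu_in is None:
            continue  # need samples on both sides of the transition to judge
        if cpu_out >= high and cpu_in <= low:
            flagged.append(pid)
    return sorted(flagged)


if __name__ == "__main__":
    print("Task Manager windows:", taskmgr_windows(SAMPLE_EVENTS))
    print("Suspicious PIDs:", suspicious_pids(SAMPLE_EVENTS))
```

Two caveats for real use. Because Norman re-injects after Task Manager closes, the mining thread may come back under a fresh injection; keying the CPU samples on the host process (here, the explorer.exe instance, whose PID is stable) rather than on a transient child keeps the before/after comparison intact. And a single transition is weak evidence on its own, so treat a hit as a trigger for memory inspection of the flagged process rather than as a verdict.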

The miner element of the malware is based on the openly available XMRig code hosted on GitHub. However, Varonis found that its monero
The researchers further found a PHP shell, possibly linked to Norman, that "continually connects to a command-and-control (C&C) server." Web shells can give an attacker remote access to the system on which they are installed.
However, when the team ran the shell, it entered a loop waiting for commands, and none had been received at the time of writing.
The report also notes that Norman may have been created in France or a French-speaking nation, based on the self-extracting (SFX) archive that delivers it. "The SFX file had comments in French, which indicate that the author used a French version of WinRAR to create the file," said Varonis.
Hat tip: TNW
Cat in a box image via Shutterstock; gif animation via Varonis