A newly-discovered form of cryptocurrency-mining malware is capable of remaining so well-hidden that researchers investigating it found that it had spread to almost every computer at a company that had become infected.
Dubbed ‘Norman’ due to references in the backend of the malware, the cryptojacker has been detailed by cybersecurity researchers at Varonis.
The Monero-cryptomining campaign was uncovered after Varonis’ security platform spotted suspicious network alerts and abnormal file activity on systems within organisations that had reported unstable applications and network slowdown.
Cryptojacking malware exploits the processing power of an infected computer to mine for cryptocurrency – which can cause the system to slow down, even to the point of becoming unusable.
Researchers found that several variants of cryptomining malware had been installed on almost every server and workstation in companies that had fallen victim, and that some machines had even been infected with password stealers – likely used as a means of adding more machines to the mining botnet. It’s unknown how the initial infection took place, but in some cases, the malware had been present for years.
Of those variants, it was Norman which sparked the most interest, as the never-before-seen malware is what Varonis’ report describes as a “high-performance miner for Monero cryptocurrency”, and was able to employ a number of evasion techniques to avoid discovery.
One way it does this is by terminating the mining process when the Windows Task Manager is opened. It’s a simple trick, but one which stops users from potentially spotting an application that shouldn’t be running, wuapp.exe. After the user closes the Task Manager, Norman resumes its work.
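The Task Manager trick described above leaves a tell-tale pattern in process telemetry: a process that stops within moments of taskmgr.exe starting and reappears (under a new PID) moments after taskmgr.exe closes, cycle after cycle. The following is an added detection example written for this article, not code from Varonis or from the malware itself. It runs over a constructed, Sysmon-style set of process start/stop events (the timestamps and PIDs are made up; the image name wuapp.exe is the one the article names) and flags any image that repeats that stop/start dance at least twice. The five-second window and the two-cycle threshold are assumptions a defender would tune to their own environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of process start/stop events in a simplified
# "<timestamp> <START|STOP> <image> <pid>" format. In practice these would be
# Sysmon Event ID 1 (process create) and 5 (process terminate) or EDR telemetry;
# every line here is made up for the example, not taken from the Varonis report.
SAMPLE_EVENTS = """\
2019-08-01T09:00:00 START wuapp.exe 4120
2019-08-01T09:00:02 START svchost.exe 880
2019-08-01T09:15:10 START taskmgr.exe 5000
2019-08-01T09:15:11 STOP wuapp.exe 4120
2019-08-01T09:16:40 STOP taskmgr.exe 5000
2019-08-01T09:16:42 START wuapp.exe 4188
2019-08-01T11:02:03 START taskmgr.exe 5100
2019-08-01T11:02:04 STOP wuapp.exe 4188
2019-08-01T11:02:30 STOP taskmgr.exe 5100
2019-08-01T11:02:31 START wuapp.exe 4302
2019-08-01T12:00:00 START notepad.exe 6000
2019-08-01T12:30:00 STOP notepad.exe 6000
"""

# Assumed tuning values: how close a stop/start must be to the Task Manager
# open/close to count, and how many such cycles are needed before alerting.
WINDOW = timedelta(seconds=5)
MIN_CYCLES = 2
MONITOR = "taskmgr.exe"


def parse_events(text):
    """Parse the simplified event lines into sorted (ts, action, image, pid) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, action, image, pid = line.split()
        events.append((datetime.fromisoformat(ts), action.upper(), image.lower(), int(pid)))
    events.sort(key=lambda e: e[0])
    return events


def taskmgr_sessions(events, monitor=MONITOR):
    """Pair each START of the monitoring tool with its STOP into (opened, closed) intervals."""
    sessions, open_at = [], {}
    for ts, action, image, pid in events:
        if image != monitor:
            continue
        if action == "START":
            open_at[pid] = ts
        elif action == "STOP" and pid in open_at:
            sessions.append((open_at.pop(pid), ts))
    return sessions


def _images_within(events, action, anchor, window, monitor):
    """Images (other than the monitor) with the given action within `window` after `anchor`."""
    limit = window.total_seconds()
    return {img for ts, act, img, _ in events
            if act == action and img != monitor
            and 0 <= (ts - anchor).total_seconds() <= limit}


def find_taskmgr_dodgers(events, window=WINDOW, min_cycles=MIN_CYCLES, monitor=MONITOR):
    """Return {image: cycles} for processes that stop right after Task Manager opens
    and start again right after it closes, in at least `min_cycles` sessions."""
    cycles = defaultdict(int)
    for opened, closed in taskmgr_sessions(events, monitor):
        stopped = _images_within(events, "STOP", opened, window, monitor)
        restarted = _images_within(events, "START", closed, window, monitor)
        for img in stopped & restarted:
            cycles[img] += 1
    return {img: n for img, n in cycles.items() if n >= min_cycles}


if __name__ == "__main__":
    for image, n in find_taskmgr_dodgers(parse_events(SAMPLE_EVENTS)).items():
        print(f"suspicious: {image} vanished and returned around {n} Task Manager sessions")
```

On the constructed data this flags wuapp.exe after two sessions while ignoring notepad.exe, which simply ran and exited. The same correlation can be expressed as a scheduled query in a SIEM; the point is that hiding from the user's process list is itself a behaviour that endpoint logging records, as long as process-terminate events are collected and not just process-create.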
The malware has been built to be extremely persistent and it keeps in regular contact with a command and control server, which, if needed, could provide new instructions or terminate the malware, although researchers note that during the analysis, no new commands were received.
It’s unknown who is behind Norman, but researchers suggest that the malware potentially emerged from France or another French-speaking country because there are various strings in the code of the malware which are written in French.