Malware ‘Norman’ Evades Detection and Mines Cryptocurrency
Security firm Varonis has discovered new malware, dubbed “Norman”, during a cryptojacking investigation. Cryptojacking is an increasingly prevalent type of malware that uses infected computers to mine cryptocurrency without authorization.
Researchers identified Norman as a crypto miner based on XMRig, a high-performance cryptocurrency miner for Monero hosted on GitHub. The new malware uses various techniques to hide and avoid discovery. The firm also discovered an interactive web shell that may be related to the mining operators.
Norman hides when you open the Task Manager in Windows to see why your machine is running slowly, according to investigators.
“Almost every server and workstation was infected with malware. Most were generic variants of crypto miners. Some were password dumping tools, some were hidden PHP shells. Also, some had been present for several years,” Varonis wrote in a press release.
Varonis assumes that the original infection, which occurred more than a year ago, might have originated from a French-speaking country, as the file had comments in French, which indicate that the author used a French version of WinRAR to create it.
Furthermore, Varonis does not think that there is a whole community behind Norman. Rather, it believes that a single person with higher-than-average malware creation skills developed the cryptojacking malware.
According to the researchers, “most of the malware from this case relied on DuckDNS for command and control (C&C) communications, to pull configuration settings or send updates.”