Cybersecurity firm Varonis has identified the latest attempt by hackers to crypto-jack computing resources in order to mine the privacy-focused coin Monero. In a report released on Wednesday, August 14th, the company described the ‘Norman’ malware, which is designed to mine Monero and evade detection. It was found during a company-wide investigation at a mid-size company, an investigation that also turned up other kinds of malware on the company’s systems. As described by Varonis, Norman is “an XMRig-based crypto-miner, a high-performance miner for Monero cryptocurrency.”
According to the report, the malware appears to have infected the company’s computers more than a year earlier, and over that time it acted as a gateway for downloading further malware onto the systems.
Cryptojacking malware is malicious software that hackers use to commandeer a system’s resources so that they contribute to the hackers’ mining pool. It usually runs unbeknownst to the computer user and, if not well obfuscated, shows up as a hog on CPU and memory. The most common way an ordinary user discovers a crypto-miner is to open Task Manager and notice an unfamiliar process consuming CPU. This is exactly the check Norman was designed to evade: detection through the Task Manager.
According to the report:
Once running, the malware is designed to avoid detection by terminating the miner when a user opens Task Manager… After Task Manager closes, the malware will execute the [malware] and reinject the miner.
It is a rather ingenious design, and it is what allowed the malware to run undetected for so long.
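The behaviour quoted above, a miner that terminates when Task Manager opens and is re-injected after it closes, is also a detectable pattern if process start and stop events are being logged centrally. The following is an added example, not code from the Varonis report or from Norman itself: it correlates constructed, simplified Sysmon-style process-create (EventID 1) and process-terminate (EventID 5) lines with taskmgr.exe sessions and flags any image that reliably dies shortly after Task Manager opens and reappears shortly after it closes. The log format, file paths, process names and time windows are all assumptions made for the illustration.

```python
"""Hunt for processes that vanish while Task Manager is open and return when it closes.

Added example (not from the Varonis report): correlate process create/terminate
events with taskmgr.exe sessions to spot a miner hiding from the Task Manager.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified log format for this illustration (not a real Sysmon export):
#   <ISO timestamp> EventID=<1|5> Image=<path> ProcessId=<pid>
# EventID 1 = process create, EventID 5 = process terminate (Sysmon numbering).
# "xmr.exe" is a made-up name standing in for the injected miner; notepad.exe is a
# benign control that also exits when Task Manager opens but does not come back.
SAMPLE_LOG = """\
2019-08-14T10:00:00 EventID=1 Image=C:\\Users\\alice\\AppData\\Local\\Temp\\xmr.exe ProcessId=4120
2019-08-14T10:00:05 EventID=1 Image=C:\\Program Files\\Browser\\browser.exe ProcessId=2200
2019-08-14T10:05:00 EventID=1 Image=C:\\Windows\\System32\\taskmgr.exe ProcessId=5008
2019-08-14T10:05:01 EventID=5 Image=C:\\Users\\alice\\AppData\\Local\\Temp\\xmr.exe ProcessId=4120
2019-08-14T10:05:02 EventID=5 Image=C:\\Windows\\System32\\notepad.exe ProcessId=3300
2019-08-14T10:05:40 EventID=5 Image=C:\\Windows\\System32\\taskmgr.exe ProcessId=5008
2019-08-14T10:05:43 EventID=1 Image=C:\\Users\\alice\\AppData\\Local\\Temp\\xmr.exe ProcessId=4712
2019-08-14T11:30:00 EventID=1 Image=C:\\Windows\\System32\\taskmgr.exe ProcessId=6100
2019-08-14T11:30:01 EventID=5 Image=C:\\Users\\alice\\AppData\\Local\\Temp\\xmr.exe ProcessId=4712
2019-08-14T11:31:10 EventID=5 Image=C:\\Windows\\System32\\taskmgr.exe ProcessId=6100
2019-08-14T11:31:12 EventID=1 Image=C:\\Users\\alice\\AppData\\Local\\Temp\\xmr.exe ProcessId=5020
2019-08-14T11:31:15 EventID=1 Image=C:\\Windows\\System32\\notepad.exe ProcessId=7001
"""

LINE_RE = re.compile(r"^(\S+) EventID=(\d+) Image=(.+?) ProcessId=(\d+)$")
KINDS = {"1": "create", "5": "terminate"}


def parse_events(text):
    """Parse log lines into (timestamp, kind, image, pid) tuples, sorted by time.
    Image paths are lower-cased because Windows paths are case-insensitive."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, eid, image, pid = m.groups()
        if eid not in KINDS:
            continue
        events.append((datetime.fromisoformat(ts), KINDS[eid], image.lower(), int(pid)))
    events.sort(key=lambda e: e[0])
    return events


def basename(image):
    return image.rsplit("\\", 1)[-1]


def task_manager_sessions(events, monitor="taskmgr.exe"):
    """Return (open_time, close_time) pairs, one per Task Manager instance, matched by pid."""
    opened, sessions = {}, []
    for ts, kind, image, pid in events:
        if basename(image) != monitor:
            continue
        if kind == "create":
            opened[pid] = ts
        elif pid in opened:
            sessions.append((opened.pop(pid), ts))
    return sessions


def find_hiding_processes(events, kill_window=5, respawn_window=15, min_sessions=1):
    """Map image -> number of Task Manager sessions in which that image terminated
    within kill_window seconds of Task Manager opening AND was re-created within
    respawn_window seconds of Task Manager closing. Only images hitting at least
    min_sessions sessions are returned."""
    sessions = task_manager_sessions(events)
    by_image = defaultdict(lambda: {"create": [], "terminate": []})
    for ts, kind, image, _pid in events:
        by_image[image][kind].append(ts)

    suspects = {}
    for image, times in by_image.items():
        if basename(image) == "taskmgr.exe":
            continue
        hits = 0
        for opened, closed in sessions:
            died = any(opened <= t <= opened + timedelta(seconds=kill_window)
                       for t in times["terminate"])
            returned = any(closed <= t <= closed + timedelta(seconds=respawn_window)
                           for t in times["create"])
            if died and returned:
                hits += 1
        if hits >= min_sessions:
            suspects[image] = hits
    return suspects


if __name__ == "__main__":
    for image, hits in find_hiding_processes(parse_events(SAMPLE_LOG)).items():
        print(f"{image}: hid from Task Manager in {hits} session(s)")
```

Only the made-up miner path is flagged, with two matching sessions; notepad.exe, which also exited when Task Manager first opened but never respawned, is ignored. The windows are deliberately short because the quoted behaviour is immediate; on real telemetry, raising `min_sessions` to 2 or more removes coincidences from users who genuinely close a program right before opening Task Manager.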
The report also details that the malware is written in the PHP scripting language and obfuscated using Zend Guard. While analyzing the files, Varonis found some files and code elements written in French, which led them to suggest that the author is based in France or in another French-speaking country.
The malware may have originated from France or another French-speaking country: the SFX file had comments in French, which indicate that the author used a French version of WinRAR to create the file.
The crypto-jacking threat is growing more popular by the day as cryptocurrency becomes more mainstream. In addition, threats specifically designed to mine Monero have become more prevalent than those targeting other cryptocurrencies because of Monero’s privacy-focused design. Going forward, the trend shows no sign of abating, and the security firm advises that security professionals keep up with it in order to better protect their systems.