Credit: ShutterstockSecurity firm Varonis has uncovered a new strain of cryptojacking malware called Norman that deploys sophisticated techniques to avoid detection. Cryptojacking is an increasingly popular class of malware that mines cryptocurrencies on devices without permission. According to the researchers, Norman hides itself when you open the Task Manager in Windows to see why your machine is running slow. Once the Task Manager is closed, the cryptojacking malware reinjects itself, as reported by UK tech publication Verdict. The malware is first deployed via svchost.exe, a Windows process used to perform various operations. It injects the Norman.dll payload, which contains the cryptominer, and then it uses advanced obfuscation techniques to avoid detection while mining the Monero cryptocurrency. Monero is one of the cryptocurrencies with the biggest privacy guarantees, which, in this case, can also help hide if mined coins are leaving a user’s computer. Who Made Norman? Cryptojacking Malware’s Origins Are a Mystery Eric Saraga, security researcher and co-author of the Varonis research on Norman, commented on how Norman differentiates from regular malicious cryptominer: “Norman seems to be an elaborate cryptominer, more so than the average cryptominer. It tries to hide from analysis, and it uses elaborate techniques to hide itself further. This is not typical behavior for cryptominers.” He added that “there are no traces of its origin.” The Varonis security researchers couldn’t find too many details about the origin of the Norman cryptojacking malware, except for the code comments written in French. This may indicate the location of the malware maker,… [Read full story]
Leave a Reply