This spooky Monero-mining malware waits to be controlled remotely

Cybersecurity researchers have discovered a mysterious new strain of cryptocurrency mining (cryptomining) malware that uses evasion techniques to hinder both detection and analysis.

Software firm Varonis determined the malware is based on Monero mining software XMRig, which is open source and hosted on GitHub. Hard Fork has previously reported on other notable instances of cryptomining malware that utilize XMRig.

To date, the strain, which Varonis named Norman, has turned up at at least one “mid-size” company, where the investigation found malware on almost every workstation and server on the network.

“Most were generic variants of cryptominers. Some were password dumping tools, some were hidden PHP shells, and some had been present for several years,” wrote Varonis. “Out of all the cryptominer samples that we found, one stood out. We named it ‘Norman.’”

Norman is an especially crafty strain of malware

Analysts determined that the malware deploys itself in three separate stages: execution, injection, and finally cryptocurrency mining.

Once a target executes the malicious file, the malware takes a different path depending on whether the machine runs a 32-bit or 64-bit version of Windows, but in both cases it serves two functions: mine Monero and avoid detection.

In particular, Norman kills its own mining process the moment the user opens Windows Task Manager, so the CPU-hungry miner never appears in the process list a curious user would check. Sneaky.
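That behaviour is also a detection opportunity: a legitimate program has no reason to exit every time Task Manager starts. The routine below is an added example, not code from the article or from Varonis, that looks for exactly that pattern in Sysmon-style process events (Event ID 1 = process create, Event ID 5 = process terminate). The host, PIDs, image paths and timestamps are constructed for the example; the "comes back after Task Manager closes" counter is a companion signal the article does not describe, included here as an assumption about what a miner that hides while watched would do.

```python
"""Flag processes that die whenever Task Manager starts.

Input is a list of Sysmon-like process events (constructed, not real
telemetry): event_id 1 = process create, event_id 5 = process terminate.
"""
from collections import defaultdict
from datetime import datetime, timedelta

TASKMGR = "taskmgr.exe"

# Constructed sample events for one hypothetical host. "updater.exe" plays
# the miner: it exits within a second of every Task Manager start and comes
# back shortly after Task Manager closes. svchost.exe exits near one Task
# Manager start by coincidence and must not be flagged.
SAMPLE_EVENTS = [
    {"time": "2019-08-14T10:00:00", "event_id": 1, "pid": 4120, "image": "C:\\Windows\\System32\\svchost.exe"},
    {"time": "2019-08-14T10:00:05", "event_id": 1, "pid": 5332, "image": "C:\\Users\\Public\\updater.exe"},
    {"time": "2019-08-14T10:30:00", "event_id": 1, "pid": 6001, "image": "C:\\Windows\\System32\\Taskmgr.exe"},
    {"time": "2019-08-14T10:30:01", "event_id": 5, "pid": 5332, "image": "C:\\Users\\Public\\updater.exe"},
    {"time": "2019-08-14T10:31:00", "event_id": 5, "pid": 6001, "image": "C:\\Windows\\System32\\Taskmgr.exe"},
    {"time": "2019-08-14T10:31:02", "event_id": 1, "pid": 5340, "image": "C:\\Users\\Public\\updater.exe"},
    {"time": "2019-08-14T11:00:00", "event_id": 1, "pid": 6002, "image": "C:\\Windows\\System32\\Taskmgr.exe"},
    {"time": "2019-08-14T11:00:01", "event_id": 5, "pid": 5340, "image": "C:\\Users\\Public\\updater.exe"},
    {"time": "2019-08-14T11:00:02", "event_id": 5, "pid": 4120, "image": "C:\\Windows\\System32\\svchost.exe"},
    {"time": "2019-08-14T11:00:30", "event_id": 5, "pid": 6002, "image": "C:\\Windows\\System32\\Taskmgr.exe"},
    {"time": "2019-08-14T11:00:31", "event_id": 1, "pid": 5351, "image": "C:\\Users\\Public\\updater.exe"},
]


def _basename(image: str) -> str:
    """Sysmon logs the full image path; compare on the file name, case-insensitively."""
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()


def _parse(events):
    """Attach a datetime and a normalised image name to each event and sort by time."""
    parsed = [dict(e, ts=datetime.fromisoformat(e["time"]), name=_basename(e["image"]))
              for e in events]
    parsed.sort(key=lambda e: e["ts"])
    return parsed


def find_taskmgr_dodgers(events, window_s=5, min_hits=2):
    """Return {image_name: {"killed_on_taskmgr": n, "restarted_after_taskmgr": m}}
    for every image that terminated within window_s seconds of a Task Manager
    start at least min_hits times. The restart count is informational: a
    process that both dies on Task Manager start and returns after Task Manager
    exits is hiding, not crashing."""
    ev = _parse(events)
    window = timedelta(seconds=window_s)
    starts = [e["ts"] for e in ev if e["event_id"] == 1 and e["name"] == TASKMGR]
    stops = [e["ts"] for e in ev if e["event_id"] == 5 and e["name"] == TASKMGR]
    killed = defaultdict(int)
    restarted = defaultdict(int)
    for e in ev:
        if e["name"] == TASKMGR:
            continue
        if e["event_id"] == 5 and any(t <= e["ts"] <= t + window for t in starts):
            killed[e["name"]] += 1
        if e["event_id"] == 1 and any(t <= e["ts"] <= t + window for t in stops):
            restarted[e["name"]] += 1
    return {
        name: {"killed_on_taskmgr": n, "restarted_after_taskmgr": restarted.get(name, 0)}
        for name, n in killed.items()
        if n >= min_hits
    }


if __name__ == "__main__":
    for name, counts in find_taskmgr_dodgers(SAMPLE_EVENTS).items():
        print(f"{name}: exited {counts['killed_on_taskmgr']}x on Task Manager start, "
              f"returned {counts['restarted_after_taskmgr']}x after it closed")
```

The `min_hits` threshold is what keeps the coincidental svchost.exe exit out of the result; on a real host, feed the function every Event ID 1 and 5 record for a day and tune the window to your log-timestamp resolution. A process that scores on both counters is worth pulling from disk for a hash and strings check against XMRig.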