Security firm Varonis has uncovered a new strain of cryptojacking malware called Norman that deploys sophisticated techniques to avoid detection. Cryptojacking is an increasingly popular class of malware that mines cryptocurrencies on devices without permission.
According to the researchers, Norman hides itself when you open the Task Manager in Windows to see why your machine is running slow. Once the Task Manager is closed, the cryptojacking malware reinjects itself, as reported by UK tech publication Verdict.
The malware is first deployed via svchost.exe, a Windows process used to perform various operations. It injects the Norman.dll payload, which contains the cryptominer, and then it uses advanced obfuscation techniques to avoid detection while mining the Monero cryptocurrency. Monero is one of the cryptocurrencies with the biggest privacy guarantees, which, in this case, can also help hide if mined coins are leaving a user's computer.
Who Made Norman? Cryptojacking Malware's Origins Are a Mystery
Eric Saraga, security researcher and co-author of the Varonis research on Norman, commented on how Norman differentiates from regular malicious cryptominer:
“Norman seems to be an elaborate cryptominer, more so than the average cryptominer. It tries to hide from analysis, and it uses elaborate techniques to hide itself further. This is not typical behavior for cryptominers.”
He added that “there are no traces of its origin.”
The Varonis security researchers couldn’t find too many details about the origin of the Norman cryptojacking malware, except for the code comments written in French. This may indicate the location of the malware maker, or it could be yet another obfuscation technique, this time implemented to hide the identity of the malware’s creator rather than the location of the malware on a user PC.
However, Varonis doesn’t believe that there is a whole group behind Norman. Instead, it thinks it’s much more likely that the cryptojacking malware was developed by a single person with higher than average malware-creation skills.
Cryptojacking started rising in 2017, when the profits from cryptocurrency mining were also high. The use of cryptomining malware has died down somewhat in 2018, as the value of cryptocurrencies plummeted. However, with the value of cryptocurrencies on a seemingly rising trend again, we may see malware creators start embracing cryptojacking once again in the coming months and year.