
Norman: new malware that mines Monero

New research conducted by Varonis Security has revealed how a piece of malware that mines the Monero (XMR) cryptocurrency can hide from the task manager's process list. The malware is called Norman and was discovered by accident during an audit for a company.

According to the report, anomalous behaviour was detected during the audit: whenever the task manager was launched to monitor running processes, the malware would shut itself down, making it practically invisible.

In detail, the malware is written in .NET and obfuscated with Agile. It uses installation packages created with the Nullsoft Scriptable Install System, and the process uses svchost to launch the malware.

Also interesting is its use of a remote server running PHP code. Phrases in French were found in that code, which made it possible to trace the origin of the system back to France, or at least to a country where French is spoken.

As mentioned, the Norman malware is based on the XMRig crypto miner and therefore mines Monero (XMR), a coin known for its high anonymity and thus well suited to this type of activity.

Unfortunately, this is not the first case of this kind of malware: recently another evolution of the virus, Access Mining, has been used both to mine Monero and to install backdoors in infected terminals and resell access credentials.

As recommended in the report, it is always best to keep software up to date, since in many cases known bugs are exploited, to monitor access to data, and to take anomalies in the data into account. Finally, another tip is to monitor network traffic: with a firewall or a proxy, it is possible to detect and block malicious communications, preventing the execution of commands harmful to the system.
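The self-disabling behaviour described above is itself an anomaly that process logs can expose. The following is an added example, not code from the Varonis report: it flags executables that repeatedly exit within seconds of a task manager launch. The event tuples, paths and the function name `exits_after_taskmgr` are constructed for illustration.

```python
import ntpath
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of process start/stop events (not from the report):
# (timestamp, event, image path, pid)
EVENTS = [
    ("2019-08-01 09:00:00", "start", r"C:\Windows\System32\svchost.exe", 4120),
    ("2019-08-01 09:14:58", "start", r"C:\Windows\System32\Taskmgr.exe", 5300),
    ("2019-08-01 09:14:59", "stop", r"C:\Windows\System32\svchost.exe", 4120),
    ("2019-08-01 09:15:01", "stop", r"C:\Program Files\App\updater.exe", 2210),
    ("2019-08-01 09:20:00", "stop", r"C:\Windows\System32\Taskmgr.exe", 5300),
    ("2019-08-01 09:20:05", "start", r"C:\Windows\System32\svchost.exe", 6012),
    ("2019-08-01 13:30:10", "start", r"C:\Windows\System32\Taskmgr.exe", 7100),
    ("2019-08-01 13:30:11", "stop", r"C:\Windows\System32\svchost.exe", 6012),
    ("2019-08-01 13:31:00", "stop", r"C:\Windows\System32\Taskmgr.exe", 7100),
    ("2019-08-01 16:02:00", "start", r"C:\Windows\System32\Taskmgr.exe", 7800),
    ("2019-08-01 16:02:30", "stop", r"C:\Windows\System32\notepad.exe", 900),
]

def exits_after_taskmgr(events, window_s=3, min_hits=2):
    """Return {image: hits} for images that exited within window_s seconds
    of a task manager launch on at least min_hits separate launches."""
    parsed = sorted(
        (datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), ev, img.lower(), pid)
        for ts, ev, img, pid in events
    )
    launches = [t for t, ev, img, _ in parsed
                if ev == "start" and ntpath.basename(img) == "taskmgr.exe"]
    window = timedelta(seconds=window_s)
    hits = defaultdict(set)  # image -> set of launch times it reacted to
    for t, ev, img, _ in parsed:
        if ev != "stop" or ntpath.basename(img) == "taskmgr.exe":
            continue
        for launch in launches:
            if launch <= t <= launch + window:
                hits[img].add(launch)
    # One coincidental exit is noise; a repeated pattern is worth triage.
    return {img: len(l) for img, l in hits.items() if len(l) >= min_hits}

if __name__ == "__main__":
    print(exits_after_taskmgr(EVENTS))
```

Requiring more than one matching launch keeps a single coincidental exit (the constructed `updater.exe` event) out of the result; a flagged image is a lead for triage, since legitimate processes also exit on their own.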


Alfredo de Candia