New research conducted by Varonis Security has revealed how a malware that mines the Monero (XMR) cryptocurrency can hide from the task manager’s list. The malware is Norman and was accidentally discovered during an audit for a company.
According to the report, an anomalous behaviour was detected during the audit: when the famous task manager program was launched to monitor open processes, the malware would self-disable, making it practically invisible.
In detail, the malware, written in .NET and cloaked through Agile, uses installation packages created with Nullsoft Scriptable Install System, while the process uses svchost to launch the malware.
Also interesting is the way it uses a remote server system using PHP code: this made it possible to trace the origin of the system back to France or at least one country where French is spoken because phrases were found in this language.
As mentioned, this Norman malware is based on the XMRig crypto miner and thus allows mining Monero (XMR); famous for its high anonymity and therefore perfect for this type of activity.
Unfortunately, this is not the first case of this kind of malware: recently another evolution of the virus, Access Mining, has been used both to mine Monero and to install backdoors in infected terminals and resell access credentials.
As recommended in the report, it is always best to keep software up to date, since in many cases known bugs are exploited, access to data is monitored and anomalies in the data are taken into account. Finally, another tip is to control network traffic since, using a firewall or a proxy, it is possible to detect and block malicious communications preventing the execution of commands harmful to the system.