Cybersecurity company Varonis has announced the discovery of a new miner virus named Norman, which hides its presence from the task list.
The report says that Norman was discovered by accident during an audit of a company that had been attacked. The main feature of the miner virus is that when the user opens Task Manager in Windows, the program terminates the mining process, so the user does not realize that the computer has been infected. After Task Manager is closed, cryptocurrency mining starts again.
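The stop-on-open, restart-on-close behavior described above leaves a pattern in process start/stop logs that a defender can search for. The following is an added example, not code from Varonis or from the original article: it flags any image that repeatedly exits right after Task Manager opens and reappears right after it closes. The log format, the sample events, the name `example_worker.exe` and the thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (time, action, image); not taken from the Varonis report.
SAMPLE_EVENTS = """\
2019-08-01T10:00:00 start example_worker.exe
2019-08-01T10:00:05 start notepad.exe
2019-08-01T10:05:00 start taskmgr.exe
2019-08-01T10:05:01 stop example_worker.exe
2019-08-01T10:07:30 stop taskmgr.exe
2019-08-01T10:07:33 start example_worker.exe
2019-08-01T10:20:00 start taskmgr.exe
2019-08-01T10:20:02 stop example_worker.exe
2019-08-01T10:20:40 stop notepad.exe
2019-08-01T10:21:00 stop taskmgr.exe
2019-08-01T10:21:02 start example_worker.exe
"""

def parse_events(text):
    """Parse 'ISO-time action image' lines into sorted (time, action, image) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, action, image = line.split()
            events.append((datetime.fromisoformat(ts), action, image.lower()))
    return sorted(events)

def find_taskmgr_evaders(events, window_s=5, min_cycles=2, monitor="taskmgr.exe"):
    """Return {image: cycles} for images that stop right after the monitor opens
    and start again right after it closes, in at least min_cycles sessions."""
    window = timedelta(seconds=window_s)
    sessions, opened = [], None          # completed (open, close) pairs of the monitor
    times = defaultdict(lambda: {"start": [], "stop": []})
    for ts, action, image in events:
        if image != monitor:
            times[image][action].append(ts)
        elif action == "start":
            opened = ts
        elif opened is not None:
            sessions.append((opened, ts))
            opened = None
    def near(stamps, ref):               # any timestamp within the window after ref
        return any(ref <= t <= ref + window for t in stamps)
    hits = {}
    for image, t in times.items():
        n = sum(1 for o, c in sessions if near(t["stop"], o) and near(t["start"], c))
        if n >= min_cycles:
            hits[image] = n
    return hits
```

Requiring more than one matching Task Manager session keeps a single coincidental exit, such as `notepad.exe` in the sample, from being flagged.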
Norman mines the Monero cryptocurrency using the popular miner XMRig. The virus is written in .NET and has been obfuscated using Agile. For installation, it uses the Nullsoft Scriptable Install System, a solution for creating installation packages, and the svchost system process is used to launch the virus itself. Interestingly, the virus also communicates with a remote server using PHP code.
After a deep analysis of the virus, the researchers concluded that Norman's country of origin is France or another French-speaking country, since phrases in French were found in the code.