Researchers Discover Cryptojacking Virus that Mines Monero

Cybersecurity firm Varonis has found a new cryptojacking virus, named “Norman,” that is designed to mine the cryptocurrency Monero (XMR) while avoiding discovery.

Varonis published a report about Norman on August 14. According to the report, Varonis discovered Norman as one of numerous cryptojacking viruses deployed in an attack that affected machines at a mid-size firm.

Hackers and cybercriminals deploy cryptojacking malware to use the computing power of unsuspecting users’ machines to mine cryptocurrencies, such as the privacy-oriented coin Monero.

Norman in particular is a crypto miner based on XMRig, which the report describes as a high-performance miner for the Monero cryptocurrency. One of Norman’s key features is that it terminates the mining process when a user opens Task Manager. Then, after Task Manager closes, Norman uses a mechanism to relaunch the miner.
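A defender can hunt for the hide-and-relaunch behaviour described above by correlating process start and exit events around Task Manager sessions. The sketch below is an added example, not code from Varonis or from this article; the event tuples, the image name `svchost_helper.exe`, the 10-second window and the two-session threshold are all constructed assumptions.

```python
from collections import Counter

WINDOW = 10        # seconds; assumed correlation window
MIN_SESSIONS = 2   # assumed threshold: pattern must repeat in 2+ sessions

# Constructed process events: (epoch_seconds, action, image_name, pid).
# "svchost_helper.exe" is a hypothetical miner name, not an indicator.
EVENTS = [
    (100, "start", "svchost_helper.exe", 4100),
    (200, "start", "taskmgr.exe", 5000),
    (202, "exit",  "svchost_helper.exe", 4100),
    (205, "exit",  "notepad.exe", 3000),   # coincidental exit, never relaunched
    (260, "exit",  "taskmgr.exe", 5000),
    (263, "start", "svchost_helper.exe", 4200),
    (900, "start", "taskmgr.exe", 5100),
    (901, "exit",  "svchost_helper.exe", 4200),
    (950, "exit",  "taskmgr.exe", 5100),
    (956, "start", "svchost_helper.exe", 4300),
]

def taskmgr_sessions(events):
    """Pair each taskmgr.exe start with its exit by PID."""
    open_by_pid, sessions = {}, []
    for ts, action, image, pid in sorted(events):
        if image.lower() != "taskmgr.exe":
            continue
        if action == "start":
            open_by_pid[pid] = ts
        elif pid in open_by_pid:
            sessions.append((open_by_pid.pop(pid), ts))
    return sessions

def hide_and_relaunch(events, window=WINDOW, min_sessions=MIN_SESSIONS):
    """Return images that exit when Task Manager opens and restart when it closes."""
    hits = Counter()
    for opened, closed in taskmgr_sessions(events):
        exited = {img.lower() for ts, act, img, _ in events
                  if act == "exit" and opened <= ts <= opened + window}
        restarted = {img.lower() for ts, act, img, _ in events
                     if act == "start" and closed <= ts <= closed + window}
        hits.update((exited & restarted) - {"taskmgr.exe"})
    return sorted(img for img, n in hits.items() if n >= min_sessions)

if __name__ == "__main__":
    print(hide_and_relaunch(EVENTS))
```

Requiring the pattern to repeat across sessions keeps a one-off coincidence, such as the `notepad.exe` exit in the sample data, from being flagged.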

Varonis researchers said that Norman is based on the PHP programming language and is obfuscated by Zend Guard.

The researchers also speculated that Norman comes from a French-speaking country, due to the presence of French variables and functions inside the virus’s code.

Also, there are French comments inside the self-extracting archive (SFX) file. This indicates, according to the report, that Norman’s maker used a French version of WinRAR to create the SFX file.

Another cybersecurity company revealed a troubling update to a strain of XMR mining malware last week. Carbon Black found that a type of malware called Smominru is now stealing user data alongside its mining operations. The company believes that the hackers may sell the stolen information on the dark web.

In its report, Carbon Black said:

“This discovery indicates a bigger trend of commodity malware evolving to mask a darker purpose and will force a change in the way cybersecurity professionals classify, investigate and protect themselves from threats.”