Norman malware hides its process when Windows Task Manager is opened

Researchers at data security firm Varonis have recently discovered a new variant of Monero-mining malware called “Norman.” The malware exploits the processing power of the infected computer to mine the cryptocurrency, causing the system to slow down or become unusable.


Norman is extremely good at hiding. By the time a technician discovers its trail, the malware has infected almost all of the victim company’s computers and may have been present for many years. Norman stays so well hidden because the attackers use a variety of detection-evasion techniques. For example, the malware automatically terminates its process when the user opens the Windows Task Manager and resumes work after the user closes Task Manager, to prevent the user from discovering that a strange process is running.
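One way to hunt for the pause-and-resume behaviour described above, shown as an added example that is not from Varonis or the original article: it scans process start/stop events for images that exit within a few seconds of Task Manager opening and relaunch right after it closes. The event lines, paths, the 5-second window and the two-session threshold are constructed assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta

TASKMGR = "\\taskmgr.exe"
WINDOW = timedelta(seconds=5)  # assumed tolerance; tune for your telemetry

# Constructed events: "<timestamp> <start|stop> <image path>". Not real telemetry.
SAMPLE_EVENTS = r"""
2019-08-01T10:00:00 start C:\Users\a\AppData\Local\Temp\worker.exe
2019-08-01T10:15:00 start C:\Windows\System32\Taskmgr.exe
2019-08-01T10:15:01 stop C:\Users\a\AppData\Local\Temp\worker.exe
2019-08-01T10:16:10 stop C:\Program Files\Editor\editor.exe
2019-08-01T10:17:30 stop C:\Windows\System32\Taskmgr.exe
2019-08-01T10:17:32 start C:\Users\a\AppData\Local\Temp\worker.exe
2019-08-01T14:02:00 start C:\Windows\System32\Taskmgr.exe
2019-08-01T14:02:02 stop C:\Users\a\AppData\Local\Temp\worker.exe
2019-08-01T14:02:03 stop C:\Windows\System32\notepad.exe
2019-08-01T14:05:00 stop C:\Windows\System32\Taskmgr.exe
2019-08-01T14:05:03 start C:\Users\a\AppData\Local\Temp\worker.exe
"""

def parse(text):
    """Yield (timestamp, action, lower-cased image path) for each event line."""
    for line in text.strip().splitlines():
        ts, action, image = line.split(" ", 2)  # paths may contain spaces
        yield datetime.fromisoformat(ts), action, image.lower()

def is_taskmgr(image):
    return image.endswith(TASKMGR)

def pauses_for_taskmgr(text, min_sessions=2):
    """Images that stop when Task Manager opens and restart when it closes."""
    events = sorted(parse(text))
    # Simplification: Task Manager sessions are assumed not to overlap.
    opens = [t for t, a, i in events if is_taskmgr(i) and a == "start"]
    closes = [t for t, a, i in events if is_taskmgr(i) and a == "stop"]
    hits = Counter()
    for opened, closed in zip(opens, closes):
        stopped = {i for t, a, i in events if a == "stop"
                   and not is_taskmgr(i) and opened <= t <= opened + WINDOW}
        resumed = {i for t, a, i in events if a == "start"
                   and not is_taskmgr(i) and closed <= t <= closed + WINDOW}
        hits.update(stopped & resumed)  # both halves seen in this session
    return sorted(i for i, n in hits.items() if n >= min_sessions)

if __name__ == "__main__":
    print(pauses_for_taskmgr(SAMPLE_EVENTS))
```

Requiring the pattern across more than one Task Manager session keeps a process that merely happened to exit at the same moment (the constructed notepad.exe line) out of the results.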

This kind of malware can not only lurk for a long time but also accept instructions from the attacker through a command and control server. However, the researchers said they were not sure whether the attacker really “managed” the malware. In addition, the researchers believe that Norman’s developers may come from France or another French-speaking country because the malware code contains strings written in French. Experts say using malware to mine cryptocurrencies was one of the most popular forms of cybercrime last year. Users should apply security patches in a timely manner and always pay attention to abnormal CPU activity to prevent infections by malware like this.

Via: TNW