Back to top

Found a miner virus that hides its presence in the system

Varonis, a cyber security company, has discovered a new miner virus which called Norman. The program is trained to hide its presence and does not appear in the list of tasks of the operating system.

A published report by Varonis reports that the virus was accidentally detected during an audit of the company that was attacked. A key feature of the malware miner is that when you open the task manager in Windows, malware quickly completes the mining process.

Therefore, the user does not realize that his computer has been infected. After a person closes the task manager, the program again begins to mine cryptocurrency.

Note that Norman is mining the Monero cryptocurrency using the popular miner XMRig.

After conducting an in-depth analysis of the virus, cybersecurity experts said the virus was written in the .NET programming language and was obfuscated using Agile. For installation, the solution is used to create the Nullsoft Scriptable Install System installation packages, and the svchost system process is used to launch the virus itself. Interestingly, the virus also communicates with a remote server using PHP code.

Since a lot of phrases in French were found in the program code, Varonis experts came to the conclusion that the country of origin of the malware is France or another French-speaking country.

1 Star2 Stars3 Stars4 Stars5 Stars (2 votes ≈ 5.00 out of 5)