The US cybersecurity company Varonis has discovered a clever Monero malware miner. "Norman" is particularly good at making itself invisible, and once again shows that Monero (XMR) lives up to its reputation as a privacy coin.
An American IT security company has discovered new malware that secretly mines the cryptocurrency Monero (XMR) on infected devices. The malware miner, dubbed Norman by its discoverers, is said to be particularly adept at hiding.
Norman was discovered by the US cybersecurity firm Varonis, which published its findings in a blog post on August 14th. The researchers found the malware on the network of a corporate customer that appeared to be riddled with mining malware.
Almost every server and workstation was infected with malware. Most were generic variants of crypto-miners. Some were password dumping tools, others were hidden PHP shells, and others had been present for several years. We passed on our findings to the customer, which removed the malware from its environment and stopped the infection.
Of all the crypto-miner samples we found, one stood out. We called it "Norman",
it says on the company blog. What sets Norman apart from its criminal competition is its ability to remain undetected. The XMRig-based Monero miner first creates an infected copy of the Windows system process svchost.exe. Norman injects this copy into the explorer.exe process of the logged-in Windows user, and from there injects the miner into the wuapp.exe process, which is normally responsible for Windows updates.
Especially perfidious: when the user opens Task Manager, wuapp.exe terminates automatically, so Norman survives a first, superficial check by the user. The researchers have not yet been able to determine Norman's origin; the only clue is that the author used a French-language version of the compression program WinRAR.
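The three behaviours described above (a svchost.exe copy running from a non-system path, wuapp.exe spawned from explorer.exe, and the miner exiting as soon as Task Manager starts) can each be turned into a hunting rule over process telemetry. The following script is an added example written for this article, not code from Varonis or from the Norman sample; it assumes a Sysmon-like event model (process create/terminate records with image path, PID and parent image), uses a constructed five-second reaction window for the Task Manager evasion check, and runs over constructed sample events rather than real customer data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Assumptions for this example: Windows system binaries live under System32, and a miner that
# reacts to Task Manager will exit within a few seconds of taskmgr.exe starting.
SYSTEM32 = r"c:\windows\system32"
TERMINATE_WINDOW = timedelta(seconds=5)


@dataclass
class ProcEvent:
    """Minimal process event, modelled loosely on Sysmon EventID 1 (create) / 5 (terminate)."""
    time: datetime
    kind: str               # "create" or "terminate"
    pid: int
    image: str              # full path of the process image
    parent_image: str = ""  # only meaningful for "create" events


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_image_path(ev: ProcEvent) -> Optional[str]:
    """svchost.exe and wuapp.exe are Windows binaries; a copy running elsewhere is suspect."""
    if ev.kind != "create":
        return None
    name = basename(ev.image)
    if name in ("svchost.exe", "wuapp.exe") and not ev.image.lower().startswith(SYSTEM32 + "\\"):
        return f"pid {ev.pid}: {name} running from {ev.image}, not {SYSTEM32}"
    return None


def check_parent(ev: ProcEvent) -> Optional[str]:
    """wuapp.exe started by explorer.exe matches the injection chain described in the report."""
    if ev.kind == "create" and basename(ev.image) == "wuapp.exe" \
            and basename(ev.parent_image) == "explorer.exe":
        return f"pid {ev.pid}: wuapp.exe started by explorer.exe"
    return None


def check_taskmgr_evasion(events: List[ProcEvent]) -> List[str]:
    """Flag miner-named processes that exit within TERMINATE_WINDOW of Task Manager starting."""
    findings = []
    taskmgr_starts = [e.time for e in events
                      if e.kind == "create" and basename(e.image) == "taskmgr.exe"]
    for ev in events:
        if ev.kind != "terminate" or basename(ev.image) not in ("wuapp.exe", "svchost.exe"):
            continue
        for t0 in taskmgr_starts:
            delta = ev.time - t0
            if timedelta(0) <= delta <= TERMINATE_WINDOW:
                findings.append(f"pid {ev.pid}: {basename(ev.image)} exited "
                                f"{delta.total_seconds():.0f}s after taskmgr.exe started")
                break
    return findings


def hunt(events: List[ProcEvent]) -> List[str]:
    """Run all checks over the event list and return human-readable findings."""
    findings = []
    for ev in events:
        for check in (check_image_path, check_parent):
            hit = check(ev)
            if hit:
                findings.append(hit)
    findings.extend(check_taskmgr_evasion(events))
    return findings


# Constructed sample telemetry for this example (not real data): one legitimate svchost,
# a svchost copy dropped in a temp folder, wuapp.exe spawned by explorer.exe, and that
# wuapp.exe exiting two seconds after Task Manager is opened.
T = datetime(2019, 8, 14, 10, 0, 0)
SAMPLE_EVENTS = [
    ProcEvent(T, "create", 412, r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\services.exe"),
    ProcEvent(T + timedelta(seconds=10), "create", 2201,
              r"C:\Users\alice\AppData\Local\Temp\svchost.exe",
              r"C:\Users\alice\AppData\Local\Temp\setup.exe"),
    ProcEvent(T + timedelta(seconds=12), "create", 2240,
              r"C:\Windows\System32\wuapp.exe", r"C:\Windows\explorer.exe"),
    ProcEvent(T + timedelta(minutes=5), "create", 3100,
              r"C:\Windows\System32\Taskmgr.exe", r"C:\Windows\explorer.exe"),
    ProcEvent(T + timedelta(minutes=5, seconds=2), "terminate", 2240,
              r"C:\Windows\System32\wuapp.exe"),
    ProcEvent(T + timedelta(minutes=5, seconds=30), "terminate", 3100,
              r"C:\Windows\System32\Taskmgr.exe"),
]

if __name__ == "__main__":
    for line in hunt(SAMPLE_EVENTS):
        print(line)
```

The path and parent checks fire on single events; the Task Manager check needs the whole stream, because it correlates a terminate record with an earlier taskmgr.exe create. On a real estate the same logic maps onto a SIEM query over Sysmon or EDR process events, with the window and the allowed parent list tuned to what the environment normally produces.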
Malware mining widespread with Monero
There is a reason why the privacy coin Monero is so well suited to malware mining attacks. XMR transactions are hard to trace, because ring signatures mix the real input with decoy outputs, and XMR units are fungible. One consequence is that individual Monero units (or addresses) cannot be blacklisted because they are, for example, associated with illegal activity. Exactly that is observed more and more often in connection with Bitcoin exchange hacks: blockchain analysis companies can track stolen BTC by watching the Bitcoin addresses of the alleged perpetrators, and, unlike with Monero, exchanges also have the ability to stop the sale of stolen BTC on their platforms. Whether they always do so is, of course, an open question.
For example, crypto journalist Dovey Wan recently published Bitcoin addresses of the alleged masterminds behind the PlusToken scheme. Apparently, large parts of the estimated 200,000 captured BTC are currently on the move.
How did I get these addresses? These were the ones PlusToken ppl posted in their own chats for new members to send coins over, and are the only ones in Chinese chat I can find
they also have branches in Korea, Japan and Malaysia AFAIK, which I have no visibility into https://t.co/Is20VzzPgb
— Dovey Wan 🗝 🦖 (@DoveyWan) August 15, 2019
A connection with the recent drop in the Bitcoin price cannot be ruled out. Bitcoin exchanges would therefore do well to keep a close eye on the allegedly stolen coins. The transparency of the Bitcoin blockchain allows this in principle. It becomes difficult when Bitcoin mixers are used, but these are only of limited use for large sums of BTC.
Stealth addresses make the privacy coin Monero an anonymous cryptocurrency, which is why XMR is particularly popular with malware miners. Meanwhile, so-called access mining is emerging as a new threat to Windows users.