New Monero-Focused Cryptojacking Tool Discovered

Researchers have discovered Norman, a new cryptocurrency mining malware that comes with a bit of a kink to it.

Earlier this week, researchers from cybersecurity company Varonis published a report, which detailed how they discovered Norman, a cryptojacking malware, amongst several viruses deployed in an attack on an unnamed mid-sized company.

Norman works just like just about every other cryptojacking tool; it gets installed onto a computer through any of several means, then it goes to work, using the computers processing power to mine a crypto asset and send it to the wallet address of the attacker.

According to Varonis, Norman mines privacy-focused crypto token Monero, as it is based on XMRig; a high-performance miner for the asset. The cybersecurity experts wet further, claiming that Norman will automatically shut down its crypto mining process as soon as the computer user opens the Task Manager. However, as soon as the Task Manager is closed, the mining tool gets back to work, using the closure process to re-launch its miner and continue making money for the attacker(s).

Researchers concluded that Norman is based on PHP, a popular programming language, while Zend Guard (a PHP encoding product) keeps it hidden from the Task Manager of a victim computer. They also pointed out that the virus underlying code contains a large number of French variables and functions, opining that cyber attackers based out of France could have developed it.

The discovery of Norman is merely the latest development in Monero targeted cryptojacking discoveries. Just last week, Carbon Black, another cybersecurity company, claimed in a report that its Threat Analysis Unit uncovered a development in Smonmiru, another cryptojacking took.

Smonmiru and the newly-discovered Norman have pretty much everything in common; they’re both cryptojacking tools, and they help attackers mine Monero. However, while Norman seems to be the new kid around the lock, Smonmiru is a familiar threat. It was first discovered back in February 2018, although it was said to have been operational since May 2017.

Now, the latter seems to be evolving. According to the post from Carbon Black, Smonmiru was recently updated and is now able to steal personal information from the victim computers as well. The company detailed that a recent investigation showed that the tool is using “sophisticated, multi-stage malware that was sending detailed system metadata to a network of hijacked web servers.”

Stolen personal information is then taken to the Dark Web, where the attackers can make additional profit. Talk about a decent side hustle. Carbon Black revealed that Smonmiru has attacked up to half a million computers already, with the number poised to be much higher than their estimates.

The recent discoveries only go to show how much cryptocurrency exchanges, miners, and other enthusiasts will need to step their security up. Attackers are evolving in the way they go about their operations, and while Monero might not be as popular as Bitcoin, it is only a matter of time before hackers turn their attention to the latter.

With Bitcoin trading at some pretty impressive prices lately, its profitability and acceptance seem to be rising by the day. Crypto criminals seem to have found new boldness, and they will be looking to test their abilities on the world’s most popular crypto asset next.