New “Norman” Miner Malware Uncovered, Hides When You Open Task Manager


When you think you have a virus hogging your resources, you can check Task Manager to spot any unusual processes. But what if a virus that infects your PC knew when you opened Task Manager and hid while you were looking for it?

This is what the new Norman miner malware does, making it a tricky problem to fight!


How Norman Was Spotted

Norman came to light after a security company called Varonis saw some strange activity from the servers of one of its customers. They noticed that the devices showing odd signs belonged to the same customer that was reporting a slowdown on its systems. As such, Varonis sent out a security team to see what was happening.


When the team checked the company’s computers, they found that every single device had been infected with a cryptominer. It explained why the machines weren’t working as quickly as they used to: the cryptominer developer was siphoning off processing power to mine Dinero.

What’s worse, the infection had been going around the network for a year before Varonis arrived on the scene. This delay meant that whoever set the initial infection had probably made a lot of cryptocurrency in the time it took to find their miner!

How Norman Works

When Norman is left alone, it’ll happily mine for its owner. This action takes a toll on the system’s resources, which will cause some people to bring up the Task Manager to find out what’s hogging their processor.

Norman’s design combats this by watching for when the user opens Task Manager. When it spots this, it immediately terminates the mining process, which removes it from the list of processes running on the computer. As such, the user doesn’t see what’s causing the problem and assumes everything is fine. Below you can see how the malware (called “wuapp”) vanishes when Task Manager (called “Taskmgr”) enters the scene.

Norman Malware Example

When the user looks away from Task Manager, the malware re-injects the miner and resumes its process. This tactic means the malware has the best of both worlds. It can hog system resources when it’s not under scrutiny and remove all trace when the user tries to track it.

How to Protect Against Cryptominers

Cryptominers are best tackled by not allowing them to install in the first place. Keep an up-to-date antivirus scanning your system for threats, and keep your operating system up to date so that known security holes can't be exploited.


If you do notice your system resources are being taken up by something, do an antivirus check to see if malware is lurking. If you think Norman may be hiding, you can use a different process viewer than Task Manager to catch it in the act. The above GIF seems to be using Process Hacker, so give it a try!
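The hide-and-resume pattern described above also shows up in process start/stop records, which can be checked after the fact. The sketch below is an added example, not code from Varonis or from this article: it flags any process that repeatedly exits just after Task Manager opens and restarts just after it closes. The event tuple format, the 10-second window and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict

WATCHED = "taskmgr.exe"   # the viewer the article says Norman watches for
WINDOW = 10               # seconds; assumed correlation window

# Constructed sample: (seconds, action, image name). Not real telemetry.
SAMPLE_EVENTS = [
    (0,   "start", "wuapp.exe"),
    (100, "start", "Taskmgr.exe"),
    (101, "stop",  "wuapp.exe"),
    (160, "stop",  "Taskmgr.exe"),
    (163, "start", "wuapp.exe"),
    (300, "start", "Taskmgr.exe"),
    (302, "stop",  "wuapp.exe"),
    (340, "stop",  "Taskmgr.exe"),
    (345, "start", "wuapp.exe"),
    (400, "start", "Taskmgr.exe"),
    (404, "stop",  "calc.exe"),    # coincidental exit, never resumes
    (420, "stop",  "Taskmgr.exe"),
]

def viewer_sessions(events, viewer=WATCHED):
    """Pair each start of the viewer with its next stop -> [(opened, closed)]."""
    sessions, opened = [], None
    for ts, action, image in sorted(events):
        if image.lower() != viewer:
            continue
        if action == "start":
            opened = ts
        elif action == "stop" and opened is not None:
            sessions.append((opened, ts))
            opened = None
    return sessions

def hide_and_resume(events, window=WINDOW, min_cycles=2):
    """Images that exit right after the viewer opens and restart right after it closes."""
    cycles = defaultdict(int)
    for opened, closed in viewer_sessions(events):
        stopped = {i.lower() for t, a, i in events
                   if a == "stop" and opened <= t <= opened + window}
        resumed = {i.lower() for t, a, i in events
                   if a == "start" and closed <= t <= closed + window}
        for image in (stopped & resumed) - {WATCHED}:
            cycles[image] += 1
    # Require repeated cycles so one coincidental exit is not flagged.
    return {img: n for img, n in cycles.items() if n >= min_cycles}
```

Requiring at least two full cycles keeps a process that merely happened to exit while Task Manager was open out of the results.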

Nothing Normal About Norman

Cryptominers make their owners a lot of money, but they have the telltale sign of slowing down the computer they’re on. Norman tries to hide from Task Manager, but there are ways to defend yourself from it. Even if it gets onto your system, an alternate process monitor should catch it in the act.

Does this new development in cryptominers concern you? Let us know below.

Image credit: Varonis
