New “Norman” Miner Malware Uncovered, Hides When You Open Task Manager

Norman Malware Featured

When you think you have a virus hogging your resources, you can double-check the Task Manager to spot any weird processes being carried out. But what if a virus that infects your PC knows if you opened the Task Manager and hid when you were looking for it?

This scenario is what the new Norman miner malware does, making it a tricky problem to fight!

How Norman Was Spotted

Norman came to light after a security company called Varonis saw some strange activity from the servers of one of their customer’s companies. They noticed that the devices showing odd signs were from the same customer that was reporting a slow-down on their systems. As such, Varonis sent out a security team to see what was happening.

Norman Malware Technician

When the team checked the company’s computers, they found that every single device had been infected with a cryptominer. It explained why the machines weren’t working as quickly as they used to: the cryptominer developer was siphoning off processing power to mine Dinero.

What’s worse, the infection had been going around the network for a year before Varonis arrived on the scene. This delay meant that whoever set the initial infection had probably made a lot of cryptocurrency in the time it took to find their miner!

How Norman Works

When Norman is left alone, it’ll happily mine for its owner. This action takes a toll on the system’s resources, which will cause some people to bring up the Task Manager to find out what’s hogging their processor.

Norman’s design combats this by watching for when the user opens Task Manager. When it spots this, it immediately terminates the mining process, which removes it from the list of processes running on the computer. As such, the user doesn’t see what’s causing the problem and assumes everything is fine. Below you can see how the malware (called “wuapp”) vanishes when Task Manager (called “Taskmgr”) enters the scene.

Norman Malware Example

When the user looks away from Task Manager, the malware re-injects the miner and resumes its process. This tactic means the malware has the best of both worlds. It can hog system resources when it’s not under scrutiny and remove all trace when the user tries to track it.

How to Protect Against Cryptominers

Cryptominers are best tackled by not allowing them to install in the first place. Have an up-to-date antivirus checking your system for radicals, and keep your operating system up to date to prevent any hole exploits.

Norman Malware Currency

If you do notice your system resources are being taken up by something, do an antivirus check to see if malware is lurking. If you think Norman may be hiding, you can use a different process viewer than Task Manager to catch it in the act. The above GIF seems to be using Process Hacker, so give it a try!

Nothing Normal About Norman

Cryptominers make their owners a lot of money, but they have the telltale sign of slowing down the computer they’re on. Norman tries to hide from Task Manager, but there are ways to defend yourself from it. Even if it gets onto your system, an alternate process monitor should catch it in the act.

Does this new development in cryptominers concern you? Let us know below.

Image credit: Varonis

Subscribe to our newsletter!

Our latest tutorials delivered straight to your inbox