Norman is a recently discovered XMRig-based cryptominer (XMRig is a high-performance open-source miner for the Monero cryptocurrency) that employs evasion techniques to hide from analysis and avoid discovery. Most of the malware variants rely on DuckDNS, a free Dynamic DNS service, for their infrastructure. Norman is deployed in three stages: execution, injection, and mining. A mysterious PHP shell that connects to a command-and-control (C&C) server was found alongside it but may not be associated with the cryptominer.
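Because the page notes that most Norman variants rely on DuckDNS, one practical defensive check is to look for dynamic-DNS resolutions in DNS query logs. The script below is an added example written for this page; it is not code from the original page, from Varonis, or from the malware. The log line format and the sample log lines are constructed assumptions, and DuckDNS is a legitimate service, so a hit is a triage lead (which host, how often, what was resolved), not a verdict on its own.

```python
import re
from typing import Dict, List

# Constructed sample DNS query log (not from the original page).
# Assumed format: "<timestamp> <client_ip> <query_type> <queried_name>"
SAMPLE_DNS_LOG = """\
2024-01-01T10:00:01Z 10.0.0.5 A www.example.com
2024-01-01T10:00:02Z 10.0.0.7 A miner-update.duckdns.org
2024-01-01T10:00:03Z 10.0.0.5 AAAA cdn.example.net
2024-01-01T10:00:04Z 10.0.0.9 A DUCKDNS.ORG
2024-01-01T10:00:05Z 10.0.0.7 A notduckdns.org
2024-01-01T10:00:06Z 10.0.0.7 A a.b.duckdns.org
"""

# Dynamic DNS suffixes to watch. DuckDNS is the provider named on the page;
# a defender would extend this tuple with other providers seen in their environment.
DYNAMIC_DNS_SUFFIXES = ("duckdns.org",)

LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qtype>\S+)\s+(?P<name>\S+)\s*$"
)


def is_dynamic_dns_name(name: str, suffixes=DYNAMIC_DNS_SUFFIXES) -> bool:
    """True if `name` is one of the watched domains or a subdomain of one.

    Comparison is case-insensitive and tolerates a trailing dot (FQDN form).
    A name that merely ends with the same characters (e.g. notduckdns.org)
    is NOT matched, because the check requires a label boundary.
    """
    n = name.lower().rstrip(".")
    for suffix in suffixes:
        s = suffix.lower()
        if n == s or n.endswith("." + s):
            return True
    return False


def find_dynamic_dns_queries(log_text: str) -> List[Dict[str, str]]:
    """Return one record per log line whose queried name is a dynamic-DNS name.

    Lines that do not match the assumed format are skipped rather than
    raising, so a single malformed line does not abort the scan.
    """
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        if is_dynamic_dns_name(m.group("name")):
            hits.append(
                {"ts": m.group("ts"), "client": m.group("client"), "name": m.group("name")}
            )
    return hits


def clients_by_hit_count(hits: List[Dict[str, str]]) -> Dict[str, int]:
    """Aggregate hits per client IP so the noisiest host surfaces first in triage."""
    counts: Dict[str, int] = {}
    for h in hits:
        counts[h["client"]] = counts.get(h["client"], 0) + 1
    return counts


if __name__ == "__main__":
    found = find_dynamic_dns_queries(SAMPLE_DNS_LOG)
    for h in found:
        print(f"{h['ts']} {h['client']} -> {h['name']}")
    print("hits per client:", clients_by_hit_count(found))
```

Run against the constructed log, the scan flags the three DuckDNS names (including the upper-case bare domain and the nested subdomain) and ignores `notduckdns.org`; the per-client count then points the analyst at the host that resolved dynamic-DNS names repeatedly.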

Technical Details and Reporting

  • For the technical analysis and indicators of compromise (IOCs), please review the Varonis blog post.

  • The Threat Post provides further reporting here.