Norman is a recently discovered cryptominer based on XMRig, a high-performance miner for the Monero cryptocurrency, and it employs evasion techniques to hide from analysis and avoid discovery. Most of the malware variants rely on DuckDNS, a free Dynamic DNS service. Norman is deployed in three stages: execution, injection, and mining. A mysterious PHP shell connected to a command-and-control (C&C) server may not be associated with the cryptominer.
Technical Details and Reporting