Norman Cryptominer Employs Sophisticated Obfuscation Tactics
Security researchers with Varonis have spotted a sophisticated new strain of cryptomining malware that uses various obfuscation tactics to avoid detection. The researchers describe the cryptominer, dubbed “Norman,” as “a high-performance miner for Monero cryptocurrency” that distinguishes itself from other miners in the way it “employs evasion techniques to hide from analysis and avoid discovery.”
The rogue installation of Norman on a targeted system follows three stages, all of which involve obfuscation. Moreover, the malware adjusts its installation process based on the details it gathers about the underlying operating system. The researchers believe that Norman “possibly originated from France or another French-speaking country” because the code contains comments in French.