Norman

Posted: August 15, 2019

Norman Description

Norman is a miner Trojan that runs XMRig without the user's consent to generate the Monero cryptocurrency. Its campaign is compromising vulnerable business networks and includes substantial anti-detection and network-traversing support through additional tools. After removing Norman with a reputable anti-malware product, users should change passwords that could be at risk from any related security breaches.

Norman Doesn't Want to Say Hello

With Trojans like the EternalBlue-abusing Smominru, the backdoor-opening Plurox, or the new Norman, XMRig is becoming the miner 'du jour' for any criminals happily collecting Monero finances with others' hardware. While many aspects of the Norman campaign remain similarly generic, once one isolates it from its 'vanilla' components, the Trojan offers bold, new flavors of black hat programming. It places an unusual emphasis on obfuscation and self-defense against being detected, either by sight or by automated security tools.

The initial discovery of Norman occurred during an analysis of an undisclosed, mid-size company's breached servers, which found it alongside password-collecting spyware, PHP-based shells for delivering attack commands, and, of course, the ubiquitous XMRig. Norman lacks any self-distributing features of its own, so the threat actor is likely dropping it manually, with the assistance of the shell utilities or other hacking methods. Meanwhile, XMRig is a favorite among mining Trojans for its lightweight, CPU-based feature set.

However, Norman shows other characteristics that are somewhat out of line for a traditional mining Trojan. Malware researchers point out the use of NSIS during the executable's compilation, self-injection, and .NET-based triple obfuscation as some of its more potent defenses against detection. It also carries a failsafe against users double-checking their memory processes – it monitors Task Manager and stops the mining routine temporarily while the memory-monitoring application is open.
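The pause-while-watched behavior described above leaves a measurable pattern that defenders can look for. The following is an added example, not code from the original analysis: it flags processes that are busy while Task Manager is closed and idle whenever it is open. The telemetry format, process names, and thresholds are assumptions constructed for illustration.

```python
from statistics import mean

# Constructed telemetry, one tuple per sampling interval:
# (Task Manager open?, {process name: CPU %}). All names are hypothetical.
SAMPLES = [
    (False, {"worker_a.exe": 92.0, "backup.exe": 71.0, "browser.exe": 12.0}),
    (False, {"worker_a.exe": 96.0, "backup.exe": 68.0, "browser.exe": 9.0}),
    (True,  {"worker_a.exe": 0.4,  "backup.exe": 70.0, "browser.exe": 14.0}),
    (True,  {"backup.exe": 66.0, "browser.exe": 11.0}),  # worker_a.exe absent
    (True,  {"worker_a.exe": 0.0,  "backup.exe": 73.0, "browser.exe": 8.0}),
    (False, {"worker_a.exe": 90.0, "backup.exe": 69.0, "browser.exe": 10.0}),
    (False, {"worker_a.exe": 94.0, "backup.exe": 72.0, "browser.exe": 13.0}),
]


def pauses_under_observation(samples, busy=50.0, idle=5.0, min_samples=3):
    """Return (name, mean CPU unwatched, mean CPU watched) for each process
    that is busy while Task Manager is closed and idle whenever it is open."""
    names = {name for _, cpu in samples for name in cpu}
    flagged = []
    for name in sorted(names):
        # A process missing from a sample counts as 0 % CPU, so a miner that
        # exits (rather than sleeps) while being watched is still caught.
        watched = [cpu.get(name, 0.0) for is_open, cpu in samples if is_open]
        unwatched = [cpu.get(name, 0.0) for is_open, cpu in samples if not is_open]
        # Require evidence in both states before drawing a conclusion.
        if len(watched) < min_samples or len(unwatched) < min_samples:
            continue
        # Legitimate heavy jobs (backup.exe here) keep running while watched.
        if mean(unwatched) >= busy and max(watched) <= idle:
            flagged.append(
                (name, round(mean(unwatched), 1), round(mean(watched), 1))
            )
    return flagged


if __name__ == "__main__":
    for name, hidden, seen in pauses_under_observation(SAMPLES):
        print(f"{name}: {hidden}% CPU unwatched, {seen}% while Task Manager is open")
```

Because the sampling has to continue while Task Manager is closed, the CPU readings must come from a logger that runs independently of it.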

Uninviting the Shyest Trojan from the Party

Some of Norman's compilation and commentary data suggests that its threat actor is a native French speaker. To counterbalance this fact, however, readers should be aware that malware analysts find no evidence of Norman's using language settings as part of its victim-filtering system or geo-targeting specific nationalities more than others. Most cryptocurrency-mining Trojans will target victims with weak security, such as businesses using default password settings or outdated infrastructure.

Depending on its XMRig configuration, Norman may abuse hardware until it fails, or the Trojan may run its mining activities indefinitely and without any performance-related symptoms. Victims should respond to Norman infections as being a security breach of similar urgency to that of a RAT or backdoor Trojan, which would grant an attacker remote control over the system and potential network-traversing routes. Disabling Internet connectivity and, with it, Norman's C&C connection is, therefore, a necessity.

Symptoms of Norman infections may not always be present. Windows users can, and should, apply any updates for their anti-malware solutions before scanning for and removing Norman, along with any related threats (such as Mimikatz, a commonly used password collector).

Norman's attacks aren't of much note, but the degree to which its author protects them is laudable, for a criminal programmer. Trojans putting extra effort into hiding require a corresponding exertion from network administrators, and the cyber-security industry as a whole, to combat.

Use SpyHunter to Detect and Remove PC Threats

If you are concerned that malware or PC threats similar to Norman may have infected your computer, we recommend you start an in-depth system scan with SpyHunter. SpyHunter is an advanced malware protection and remediation application that offers subscribers a comprehensive method for protecting PCs from malware, in addition to providing one-on-one technical support service.

Download SpyHunter's Malware Scanner

Note: SpyHunter's free version is only for malware detection. If SpyHunter detects malware on your PC, you will need to purchase SpyHunter's malware tool to remove the malware threats. Learn more on SpyHunter. If you would like to uninstall SpyHunter for any reason, please follow these uninstall instructions. To learn more about our policies and practices, visit our EULA, Privacy Policy and Threat Assessment Criteria.

Why can't I open any program including SpyHunter? You may have a malware file running in memory that kills any programs that you try to launch on your PC. Tip: Download SpyHunter from a clean computer, copy it to a USB thumb drive, DVD or CD, then install it on the infected PC and run SpyHunter's malware scanner.
