A never-before-seen cryptomining variant, dubbed Norman after one of its executable files, has been spotted in the wild using various techniques to hide and avoid discovery. The malware's deployment can be divided into three stages: execution, injection and mining, each with its own evasion methods. Researchers uncovered an initial sample after investigating an ongoing malware infection that had spread to nearly every server and workstation at a midsize company. Norman, too, at first seemed to be a generic miner hiding itself as svchost.exe, the researchers said.
Source: https://threatpost.com/norman-cryptomining-sophisticated-obfuscation/147310/