Sophos describes new variants of the Tor2Mine Cryptominer with new variants that are characterized by improved bypass, persistence and dissemination capabilities. If he is found in the network, he is usually not traveling alone.
The Sophos Analysis "Two flavors of Tor2Mine miner dig deep into networks with PowerShell, VBScript" shows how the miner evades detection, spreads automatically in a target network and is increasingly difficult to remove from an infected system. Tor2Mine is a Monero miner that has been active for at least two years.
Monero miner Tor2Mine spreads automatically
In the investigation, Sophos describes new variants of the miner that contain a PowerShell script that attempts to disable malware protection, execute the miner's payload, and steal Windows administrator credentials. What happens then depends on whether cyber criminals manage to gain administrator rights with the stolen credentials. This process is the same for all variants examined.
If the attackers manage to obtain administrative credentials, for example, they can secure the privileged access they need to install the mining files. You can also search the network for other computers on which to install the mining files. This allows Tor2Mine to spread and establish itself on computers in the network.
Tor2Mine is looking for computing power
Even if the attackers cannot gain administrative rights, Tor2Mine can still run the miner remotely and without files by using commands that run as scheduled tasks. In this case, the mining software is stored remotely and not on an attacked computer.
Turn off anti-malware protection
What they all have in common is that they try to switch off the anti-malware protection and install the same mining code. In all cases, the miner will continue to infect systems on the network until it encounters malware protection or is completely removed from the network. The Sophos researchers also discovered scripts that terminate a wide variety of processes and tasks. Almost all of them are related to crimeware, including competing Cryptominers and Clipper malware that steals cryptocurrency wallet addresses.
"Miners are a low-risk way for cybercriminals to turn a vulnerability into digital cash, with the biggest risk to their cash flow being competing miners discovering the same vulnerable servers," said Sean Gallagher, senior threat researcher at Sophos.
More at Sophos.com
About Sophos More than 100 million users in 150 countries trust Sophos. We offer the best protection against complex IT threats and data loss. Our comprehensive security solutions are easy to deploy, use and manage. They offer the lowest total cost of ownership in the industry. Sophos offers award-winning encryption solutions, security solutions for endpoints, networks, mobile devices, email and the web. In addition, there is support from SophosLabs, our worldwide network of our own analysis centers. The Sophos headquarters are in Boston, USA and Oxford, UK.