Tor2Mine cryptominer: New variants threaten entire networks

Sophos: Tor2Mine cryptominer variants spread more easily, are harder to detect and are more persistent.

Sophos, the cybersecurity firm, today released new findings on the Tor2Mine cryptominer that show how the miner evades detection, spreads automatically through a target network and is becoming harder to remove from an infected system. Tor2Mine is a Monero miner that has been active for at least two years.

New variants

Sophos’s report describes new variants of the miner that include a PowerShell script that attempts to disable malware protection, execute the miner payload and steal Windows administrator credentials. This process is the same for all the variants analyzed.

If the attackers manage to obtain administrative credentials, they can secure the privileged access they need to install the mining files. The attackers can then search a network for other machines that they can install the mining files on. This enables Tor2Mine to spread further and embed itself on computers across a network.

If the attackers cannot gain administrative privileges, Tor2Mine can still execute the miner remotely and filelessly by using commands that are run as scheduled tasks. In this instance, the mining software is stored remotely rather than on a compromised machine.

Network infection

The variants all attempt to shut down anti-malware protection and install the miner code. In all cases, the miner will continue to re-infect systems on a network unless it encounters malware protection or is completely eradicated from the network.

“The presence of miners, like Tor2Mine, in a network is almost always a harbinger of other, potentially more dangerous intrusions. However, Tor2Mine is much more aggressive than other miners,” said Sean Gallagher, senior threat researcher at Sophos. “Once it has established a foothold on a network, it is difficult to root out without the assistance of endpoint protection software and other anti-malware measures.

“Because it spreads laterally away from the initial point of compromise, it can’t be eliminated just by patching and cleaning one system. The miner will continually attempt to re-infect other systems on the network, even after the command-and-control server for the miner has been blocked or goes offline. As cryptocurrencies continue to increase in value and support the ever-growing ransomware and cyberextortion landscape, we may well see more, and more aggressive, variants of other cryptominers emerge,” he added.

Sophos researchers also discovered scripts designed to stop a variety of processes and tasks. The majority are related to crimeware, including competing cryptominers and clipper malware that steals cryptocurrency wallet addresses.

Protective measures

Sophos recommends the following steps to protect networks and endpoints against cryptominers:

  1. Patch software vulnerabilities quickly on internet-facing systems
  2. Install anti-malware products – miners are usually easily detected by these programs
  3. Monitor for unusually heavy use of processing power, reduced computer performance and higher than expected electricity bills, as these are indicators of cryptominers on the network
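The two behaviours the article describes, fileless execution through scheduled tasks that run PowerShell against remotely hosted code, and the heavy CPU use listed as an indicator above, can be hunted for with a short script. This is an added example and not part of the Sophos report; the download-cradle regex is a generic heuristic rather than a Tor2Mine indicator, and the 30-second, 80-percent thresholds are assumptions to tune locally.

```powershell
# Added hunt script (not from the Sophos report or the MineJob detections).
# Check 1: scheduled tasks whose action is a script host launched with arguments
#          that fetch or execute remote content (fileless miner execution).
# Check 2: processes with sustained high CPU over a sampling window.
# The pattern below is a generic download-cradle heuristic, not a Tor2Mine IoC.
$cradlePattern = '(?i)(DownloadString|DownloadFile|Invoke-WebRequest|Invoke-RestMethod|\biwr\b|\birm\b|Net\.WebClient|Invoke-Expression|\biex\b|-enc(odedcommand)?\b|https?://|bitsadmin|certutil)'

function Find-SuspiciousScheduledTasks {
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            # Only exec actions carry Execute/Arguments; skip COM handler and e-mail actions.
            if (-not $action.Execute) { continue }
            $cmdline = "$($action.Execute) $($action.Arguments)"
            $isScriptHost = $action.Execute -match '(?i)(powershell|pwsh|cmd|mshta|wscript|cscript)(\.exe)?$'
            if ($isScriptHost -and $cmdline -match $cradlePattern) {
                [pscustomobject]@{
                    TaskPath = $task.TaskPath
                    TaskName = $task.TaskName
                    RunAs    = $task.Principal.UserId
                    State    = $task.State
                    Command  = $cmdline
                }
            }
        }
    }
}

function Find-HighCpuProcesses {
    param([int]$SampleSeconds = 30, [double]$ThresholdPercent = 80)  # assumed defaults
    # Sample TotalProcessorTime twice; report processes that burned more than the
    # threshold share of one core across the window. Values above 100 mean several cores.
    $before = @{}
    Get-Process | ForEach-Object { $before[$_.Id] = $_.TotalProcessorTime }
    Start-Sleep -Seconds $SampleSeconds
    Get-Process | ForEach-Object {
        if ($before.ContainsKey($_.Id)) {
            $deltaSeconds = ($_.TotalProcessorTime - $before[$_.Id]).TotalSeconds
            $pct = 100 * $deltaSeconds / $SampleSeconds
            if ($pct -ge $ThresholdPercent) {
                [pscustomobject]@{ Id = $_.Id; Name = $_.ProcessName; Path = $_.Path; CpuPercentOfCore = [math]::Round($pct, 1) }
            }
        }
    }
}

Find-SuspiciousScheduledTasks | Format-Table -AutoSize
Find-HighCpuProcesses | Sort-Object CpuPercentOfCore -Descending | Format-Table -AutoSize
```

Run it in an elevated session so that tasks registered by other accounts and CPU figures for system processes are visible; a task hit should be checked against the SophosLabs indicators rather than treated as a confirmed infection on its own.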

Sophos detects Tor2Mine variants as the MineJob family (MineJob-A through E) and detects the script behaviors of each variant.

Indicators of compromise for the Tor2Mine variants are available on SophosLabs’ GitHub page.

Sophos recently uncovered a cryptocurrency scam aimed at individuals seeking to trade currencies using mobile devices.