Cryptocurrency mining campaigns have taken a front seat in the threat landscape as cryptocurrency has gained immense popularity among netizens. Cryptomining campaigns have proven to be financially fruitful for cybercriminals, and hence they keep coming up with new TTPs and malware strains. Sophos reports that one such miner variant has returned, stronger than before.

What’s going on?

The new Tor2Mine variant is a Monero miner that has been active since at least 2019 and is capable of leveraging entire networks of worker machines. The authors keep upgrading the miner as they find new ways to avoid detection and sustain persistence on compromised networks.  

It comes in two flavors

Tor2Mine uses a PowerShell script to disable anti-malware solutions, deploy the payload, and steal Windows credentials. 
  • If it is able to gain admin privileges, Tor2Mine installs executables as a service and looks for other machines in the network for further propagation.
  • If it is unable to gain admin credentials, the miner can execute filelessly via commands run as scheduled tasks. 
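The two persistence paths just described map onto two Windows events a defender can watch: a newly installed service (System log event ID 7045) for the admin path, and a newly created scheduled task (Security log event ID 4698) for the non-admin, fileless path. The following Python script is an added example, not code from Sophos or from the original post; it runs a few regex heuristics over constructed event records that stand in for parsed Windows logs and flags services whose binary sits outside the system directories or runs PowerShell, and tasks whose action launches PowerShell with a hidden window, an encoded command, or a run-time download. The field names, regexes and sample events are assumptions; real telemetry would arrive from a SIEM or Sysmon pipeline and the thresholds would need tuning to the environment.

```python
import re
from dataclasses import dataclass

# Heuristics below are assumptions about what miner-style persistence looks
# like in parsed event data; tune them to your environment.
POWERSHELL_RE = re.compile(r"\b(?:powershell(?:\.exe)?|pwsh(?:\.exe)?)\b", re.I)
ENCODED_RE = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\b", re.I)
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden\b", re.I)
DOWNLOAD_RE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient", re.I)
SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


@dataclass
class Event:
    event_id: int   # 7045 = service installed (System), 4698 = task created (Security)
    host: str
    fields: dict    # parsed event fields, e.g. ImagePath or TaskContent


@dataclass
class Finding:
    host: str
    event_id: int
    subject: str    # service or task name
    reason: str


def command_reasons(cmd: str) -> list:
    """Return the reasons a command line looks like fileless persistence."""
    reasons = []
    if POWERSHELL_RE.search(cmd):
        reasons.append("invokes PowerShell")
    if ENCODED_RE.search(cmd):
        reasons.append("passes an encoded command")
    if HIDDEN_RE.search(cmd):
        reasons.append("hides its window")
    if DOWNLOAD_RE.search(cmd):
        reasons.append("downloads content at run time")
    return reasons


def executable_of(image_path: str) -> str:
    """First token of a service ImagePath, lower-cased, quotes stripped,
    %SystemRoot% resolved (a simplification of real path expansion)."""
    p = image_path.strip().lower().replace("%systemroot%", "c:\\windows")
    if p.startswith('"'):
        return p[1:].split('"', 1)[0]
    return p.split(None, 1)[0] if p else p


def outside_system_dirs(image_path: str) -> bool:
    return not executable_of(image_path).startswith(SYSTEM_DIRS)


def task_command(task_xml: str) -> str:
    """Pull <Command> and <Arguments> out of task XML (simplified parse)."""
    cmd = re.search(r"<Command>(.*?)</Command>", task_xml, re.S)
    args = re.search(r"<Arguments>(.*?)</Arguments>", task_xml, re.S)
    return " ".join(m.group(1).strip() for m in (cmd, args) if m)


def triage(events) -> list:
    """Apply the service and scheduled-task heuristics to each event."""
    findings = []
    for ev in events:
        if ev.event_id == 7045:
            path = ev.fields.get("ImagePath", "")
            reasons = command_reasons(path)
            if outside_system_dirs(path):
                reasons.append("service binary outside system directories")
            subject = ev.fields.get("ServiceName", "?")
        elif ev.event_id == 4698:
            reasons = command_reasons(task_command(ev.fields.get("TaskContent", "")))
            subject = ev.fields.get("TaskName", "?")
        else:
            continue
        if reasons:
            findings.append(Finding(ev.host, ev.event_id, subject, "; ".join(reasons)))
    return findings


# Constructed sample events: two service installs and two task creations.
SAMPLE_EVENTS = [
    Event(7045, "ws01", {"ServiceName": "WinUpdateSvc",
                         "ImagePath": r"C:\ProgramData\svc\upd.exe"}),
    Event(7045, "ws01", {"ServiceName": "Spooler",
                         "ImagePath": r"C:\Windows\System32\spoolsv.exe"}),
    Event(4698, "ws02", {"TaskName": r"\Microsoft\Windows\Maintenance\Check",
                         "TaskContent": "<Exec><Command>powershell.exe</Command>"
                                        "<Arguments>-w hidden -enc SQBFAFgA...</Arguments></Exec>"}),
    Event(4698, "ws02", {"TaskName": r"\Backup",
                         "TaskContent": "<Exec><Command>C:\\Program Files\\Backup\\bk.exe</Command>"
                                        "<Arguments>--full</Arguments></Exec>"}),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.host} event {f.event_id} [{f.subject}]: {f.reason}")
```

Running the script flags the ProgramData-hosted service and the hidden, encoded PowerShell task while leaving the Spooler service and the plain backup task alone. In production the same logic is better expressed as SIEM or Sysmon rules, but the split into a command-line classifier and a per-event-type wrapper carries over directly.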

Why this matters

The presence of miners in a network implies that more potentially dangerous intrusions may come. Moreover, Tor2Mine seems to be more aggressive than its contemporaries. Once it establishes persistence, it can only be removed with the aid of endpoint protection and other anti-malware software. Even if the C2 server goes offline, Tor2Mine would continue infecting systems because of its lateral movement functionality. 

Some of the latest cryptomining threats

Tor2Mine isn’t the only cryptominer we should be careful about. Let us take a look at some other recent instances, which are equally threatening.
  • The new Babadeda crypter was found targeting the crypto, NFT, and DeFi communities by hijacking Discord channels. The allegedly Russia-based hackers are hiding their payloads in application installers to appear harmless. 
  • Some recent cryptomining activity has been attributed to a campaign spreading the SpyAgent malware. The malware was found exploiting a legitimate Russian remote access tool, dubbed Safib Assistant. The malware dropper is propagated via fake cryptocurrency-related websites.
  • Last month, a new Aggah campaign was discovered deploying clipboard hijacking code to replace cryptocurrency addresses. The attacks swapped in attacker-controlled Bitcoin, XMR, Ethereum, Doge, XLM, LTC, and XRP addresses.

The bottom line

Sophos says that organizations that rapidly patch vulnerabilities on internet-facing systems are less likely to fall victim to cryptominers. As threats keep evolving, it is paramount for organizations to keep ahead of the game by employing robust cybersecurity defenses.

Cyware Publisher
