Tor2Mine is Back, Controls Mining Programs

With an aim to control Monero mining activities by spreading trojans and other means, Tor2Mine, a cryptocurrency mining threat actor, makes a comeback after 2018.

What’s going on?

  • According to 360 Security Center, Tor2Mine is reducing the users to mining “black labor,” and so far has targeted Turkey, Spain, Russia, and Egypt.
  • Since March, the Tor2Mine mining program has grown dramatically by controlling a large number of devices and attaining viral transmission via lateral penetration.
  • Tor2Mine hides its mother program containing the trojan in download sites. The mining trojan quickly infects and occupies the users’ computers by creating scheduled tasks. It also spreads horizontally.

How does Tor2Mine operate?

  • After hacking the victims’ computers, the mining trojan runs a PowerShell code as the XMRigCC mining program loader. This operation determines whether the current process authority belongs to the administrator group. It further decides whether to close the security software and mining-related services.
  • If a user has the administrator group permission, the trojan loader includes the execution path of the mining program and closes the software processes, such as Windows Defender, Sophos, and Hitman.
  • These operations set PowerShell preferences to avoid warnings and continue to silently execute, hiding its actions.
  • At first, the trojan loader tries to clean up the existing services and mining programs, and then downloads and replaces the original java.exe/javaw.exe as the main mining program.
  • Furthermore, the loader creates several scheduled tasks and services to run the mining program and interact with the dark web server via the Tor2web service.
  • Tor2Mine also leverages the password collecting artifact, Mimikatz, to steal user credentials for horizontal penetration.

Towards safer bitcoin mining

Embrace robust security programs that can effectively intercept cryptomining campaigns, such as Tor2Mine, identify fraudulent websites, and block phishing links. Organizations need to implement better controls on the access rights of workstations or related servers to circumvent an infection’s horizontal spread.