In recent years, cryptocurrency mining campaigns have moved to the front of the threat landscape as cryptocurrency has gained popularity. Because cryptomining has proven profitable for criminals, new TTPs and malware strains appear regularly. Sophos has now documented one such variant that is more capable and more dangerous than its predecessors.
Tor2Mine is a Monero miner that has been active since at least 2019; the new variant can harness large networks of compromised machines as mining workers. Its authors keep refining the miner with new techniques for evading detection and maintaining persistence on compromised networks.
Sophos observed two variants, and what each does depends on the privileges it obtains.
Tor2Mine uses a PowerShell script to disable anti-malware software, deliver the payload, and harvest Windows credentials.
If it obtains administrator access, Tor2Mine installs its executables as a service and scans the network for additional machines to which it can spread the infection.
If it cannot obtain administrator credentials, it can still execute its commands as scheduled tasks without downloading any further components.
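The behaviours described above (anti-malware tampering from PowerShell, an executable registered as a service, and commands run from scheduled tasks) are the kind of host telemetry a hunter would look for. The following is an added example, not Sophos's code and not published Tor2Mine indicators: the event records are constructed for the example and the indicator patterns, field names and path whitelist are illustrative assumptions loosely modelled on Windows event IDs 4688, 7045 and 4698.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample events (not real telemetry). Field names are assumptions
# loosely modelled on Windows event IDs 4688 (process creation), 7045 (service
# installed) and 4698 (scheduled task created).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"event_id": "4688",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "command_line": "powershell.exe -nop -w hidden Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"event_id": "7045", "service_name": "updsvc",
     "image_path": "C:\\Users\\Public\\svchost.exe"},
    {"event_id": "7045", "service_name": "Spooler",
     "image_path": "C:\\Windows\\System32\\spoolsv.exe"},
    {"event_id": "4698", "task_name": "\\Microsoft\\sync",
     "command_line": "powershell.exe -nop -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"},
    {"event_id": "4688", "image": "C:\\Windows\\explorer.exe",
     "command_line": "explorer.exe"},
]

# Illustrative indicators chosen for the example (assumptions, not Tor2Mine IOCs).
AV_TAMPER = re.compile(
    r"Set-MpPreference\s+-Disable\w+|Add-MpPreference\s+-ExclusionPath|"
    r"Stop-Service\b.*(WinDefend|Sense)|sc(\.exe)?\s+stop\s+WinDefend", re.I)
ENCODED_PS = re.compile(r"powershell(\.exe)?\b.*\s-(e|ec|enc|encodedcommand)\s", re.I)
# Directories from which a freshly installed service binary is considered unremarkable.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files")


def image_is_trusted(path: str) -> bool:
    """A service binary outside the system directories is worth a closer look."""
    return path.lower().startswith(TRUSTED_DIRS)


def hunt(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (alert_kind, detail) pairs for events matching the three behaviours."""
    alerts: List[Tuple[str, str]] = []
    for e in events:
        eid = e.get("event_id")
        cmd = e.get("command_line", "")
        if eid == "4688" and AV_TAMPER.search(cmd):
            alerts.append(("av_tamper", cmd))
        elif eid == "7045" and not image_is_trusted(e.get("image_path", "")):
            alerts.append(("untrusted_service_binary", e.get("service_name", "")))
        elif eid == "4698" and ENCODED_PS.search(cmd):
            alerts.append(("encoded_powershell_task", e.get("task_name", "")))
    return alerts


if __name__ == "__main__":
    for kind, detail in hunt(SAMPLE_EVENTS):
        print(f"{kind}: {detail}")
```

Each rule is deliberately narrow so that the legitimate Spooler service and the plain explorer.exe launch in the sample pass silently; in a real deployment the path whitelist and the tampering patterns would be tuned to the environment rather than hard-coded.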
The presence of a miner on a network is a warning that more damaging intrusions may follow. Tor2Mine also appears more aggressive than competing miners: once it has established persistence, removing it by hand is not enough, and endpoint protection and other anti-malware tooling are needed to eradicate it from every host. Because of its lateral-movement capability, Tor2Mine would keep reinfecting systems even if its C2 server went down.
Tor2Mine is not the only cryptocurrency threat to be wary of. Here are some other recent incidents that are just as dangerous.
The newly discovered Babadeda crypter targets the crypto, NFT, and DeFi communities by hijacking Discord conversations. To make their payloads appear harmless, the purportedly Russian operators hide them inside application installers.
Some recent cryptomining activity has been attributed to a campaign distributing the SpyAgent malware, which was found abusing Safib Assistant, a legitimate Russian remote access program. The malware dropper is spread through fake cryptocurrency-related websites.
Last month, researchers identified a new Aggah campaign that used clipboard-hijacking code to swap cryptocurrency addresses: when a victim copies a wallet address, the clipper replaces it with one controlled by the attackers. The attacks targeted addresses for Bitcoin, Monero (XMR), Ethereum, Dogecoin, Stellar (XLM), Litecoin (LTC), and XRP.
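Clipboard hijacking works because wallet addresses have recognisable shapes, so a clipper can match and replace them without understanding the transaction. The same property can be turned against it: a guard that remembers what the user copied and compares it with what is about to be pasted catches the swap. The block below is an added example, not code from the Aggah research; the address patterns are format-only assumptions for the seven families the text names (no checksum verification), the `swap_address` function is a constructed stand-in for a clipper so the guard has something to detect, and the sample addresses are constructed.

```python
import re
from typing import Dict, Optional, Tuple

# Format-only patterns (no checksum verification). These are the example's own
# assumptions about the shape of each address family, not a validation library.
ADDRESS_PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "BTC":  re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{39,59})$"),
    "ETH":  re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "XMR":  re.compile(r"^4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}$"),
    "DOGE": re.compile(r"^D[5-9A-HJ-NP-U][1-9A-HJ-NP-Za-km-z]{32}$"),
    "LTC":  re.compile(r"^(?:[LM][a-km-zA-HJ-NP-Z1-9]{26,33}|ltc1[a-z0-9]{39,59})$"),
    "XLM":  re.compile(r"^G[A-Z2-7]{55}$"),
    "XRP":  re.compile(r"^r[1-9A-HJ-NP-Za-km-z]{24,34}$"),
}


def classify(text: str) -> Optional[str]:
    """Return the address family a string looks like, or None if it is not an address."""
    text = text.strip()
    for family, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return family
    return None


def swap_address(clipboard: str, attacker_wallets: Dict[str, str]) -> str:
    """Constructed stand-in for a clipper: replace a recognised address with the
    attacker's wallet of the same family, otherwise leave the clipboard alone."""
    family = classify(clipboard)
    if family is not None and family in attacker_wallets:
        return attacker_wallets[family]
    return clipboard


class ClipboardGuard:
    """Remembers the last address the user copied and flags a changed paste."""

    def __init__(self) -> None:
        self._last_copied: Optional[str] = None

    def on_copy(self, text: str) -> None:
        # Called from the copy path, before any clipper has a chance to rewrite it.
        self._last_copied = text.strip()

    def check(self, clipboard_text: str) -> Tuple[str, Optional[str]]:
        """Verdict for the clipboard content about to be pasted."""
        current = clipboard_text.strip()
        family = classify(current)
        if family is None:
            return ("ok", None)                  # not an address, nothing to protect
        if self._last_copied is None:
            return ("unknown_origin", family)    # an address we never saw copied
        if current != self._last_copied:
            return ("tampered", family)          # swapped between copy and paste
        return ("ok", family)


if __name__ == "__main__":
    victim = "0x" + "a" * 40                    # constructed sample address
    attacker = {"ETH": "0x" + "b" * 40}         # constructed attacker wallet
    guard = ClipboardGuard()
    guard.on_copy(victim)
    print(guard.check(swap_address(victim, attacker)))
```

The guard reports tampering only when the clipboard holds an address that differs from the one copied; an address that appears with no copy event is flagged separately, since a user may have typed it by hand. Format matching alone cannot tell a valid address from a malformed one, which is why the comparison is against the remembered original rather than against a checksum.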
According to Sophos, cryptominers are less likely to gain a foothold in organisations that promptly patch vulnerabilities on internet-facing systems. As these threats evolve, businesses need to stay ahead of them with layered defences rather than relying on a single control.