Tor2Mine Crypto Miner Evolves to be a More Dangerous Threat

Security researchers have detected new variants of Tor2Mine, a Monero-mining malware family.


As cryptocurrencies have grown in popularity, cryptocurrency mining campaigns have taken center stage in the threat landscape. Crypto mining has proven financially rewarding for cybercriminals, so they continue to develop new TTPs and malware strains. Sophos has found that one such miner has resurfaced in a stronger form.

Tor2Mine is a Monero miner that has been operating since at least 2019 and is capable of harnessing large networks of infected machines as mining workers. Like most illicit miners, it targets Monero, an altcoin that appeals to attackers because its transactions are private and hard to trace. Tor2Mine uses PowerShell scripts to disable existing anti-malware protection on a server and then execute the miner payload, a stealthy program designed to consume the system's CPU resources for mining.

Tor2Mine also harvests Windows credentials, which it uses to spread to, and re-infect, other machines on the compromised network. Unless every infected system is cleaned, the remaining ones can be re-infected from it. Sophos also reported that, while there was a surge in Tor2Mine infections in early 2021, the later part of the year brought new variants. These most likely reflect minor modifications made by separate groups of operators, or by the same actors between campaigns.

The presence of a miner in a network is a sign that other, potentially more damaging intrusions may have occurred or may follow. Furthermore, Tor2Mine appears to be more aggressive than its competitors. Once it has established persistence, simply killing the process is not enough; it has to be fully removed with endpoint protection or other anti-malware software. Because of its lateral movement capability, Tor2Mine can continue infecting systems even if its C2 server goes down.

As enthusiasm for cryptocurrency has spread, illicit mining has become a well-established way of obtaining digital assets illegally. According to a recent Google Cloud security report, 86% of compromised Google Cloud instances were used for unauthorized cryptocurrency mining, and some were also used to scan for and attack other potential targets.

Interestingly, according to research published by Kaspersky in June, cryptojacking has declined from its peak during the initial crypto boom of 2017 and 2018. Even so, the number of users who encountered miners on their devices rose from 187,746 earlier in the first quarter of this year to 200,045 in March.

According to Sophos, organizations that promptly patch vulnerabilities on internet-facing systems are less likely to be hit by crypto miners. As these threats evolve, it is critical for enterprises to stay ahead of them by deploying strong cybersecurity protections.