Sophos research titled “Two varieties of Tor2Mine miner dig deep into networks with PowerShell, VBScript” reveals how the miner evades detection, spreads automatically through a target network, and is becoming increasingly difficult to remove from an infected PC. Tor2Mine is a Monero miner that has been active for at least two years.
“The presence of miners, like Tor2Mine, in a network is almost always a harbinger of other, potentially more dangerous intrusions. However, Tor2Mine is much more aggressive than other miners,” said Sean Gallagher, senior threat researcher at Sophos.
He added, “Once it has established a foothold on a network, it is difficult to root out without the assistance of endpoint protection software and other anti-malware measures. Because it spreads laterally away from the initial point of compromise, it can’t be eliminated just by patching and cleaning one system. The miner will continually attempt to re-infect other systems on the network, even after the command-and-control server for the miner has been blocked or goes offline. As cryptocurrencies continue to increase in value and support the ever-growing ransomware and cyberextortion landscape, we may well see more, and more aggressive, variants of other cryptominers emerge.”
“Miners are a low-risk way for cybercriminals to turn a vulnerability into digital cash, with the greatest risk to their cash flow being competing miners discovering the same vulnerable servers,” said Gallagher.
According to the research, the new variants Sophos identified incorporate a PowerShell script that tries to disable malware protection, execute the miner payload, and steal Windows administrator credentials. What happens next depends on whether the attackers were able to obtain administrator rights with the stolen credentials. This procedure is common to all of the variants examined.
For example, if the attackers are able to obtain administrative credentials, they gain the privileged access necessary to install the mining files. They can also look for additional devices on the network on which to install the mining files.
If the attackers are unable to get administrator credentials, Tor2Mine can still start the miner remotely and without a file by executing commands as scheduled jobs. In this case the mining software is hosted remotely rather than stored on the compromised workstation.
All of the variants try to disable anti-malware software and install the same miner code. Likewise, unless it encounters anti-malware protection or is completely removed from the network, the miner will continue to infect systems on the network.
Sophos researchers also identified scripts designed to kill a range of processes and functions. Almost all of them are connected to malware, such as cryptominers and clipper software that steals bitcoin wallet addresses.
To help enterprises secure their networks and endpoints from cryptominers like Tor2Mine, Sophos suggests the following:
1. Quickly patch software vulnerabilities in internet-facing systems such as web applications, VPN services, and email servers to make them less vulnerable to cryptominers.
2. Use anti-malware software — miners are frequently discovered by anti-malware software, especially those that use Windows’ Anti-Malware Software Interface (AMSI) to detect scripts meant to disable malware protection.
3. Keep an eye out for unusually high processing power usage, poor computer performance, and higher-than-expected electricity bills, all of which could signal the presence of cryptominers on the network.
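A defender-side hunt that covers two points above, the fileless scheduled-job technique and the unusual-CPU symptom: it enumerates scheduled tasks whose action launches a script host with download-and-execute or encoded command-line indicators, then lists the processes with the most accumulated CPU time. This is an added example, not code from the Sophos research; the indicator strings are an assumed starting list, not values taken from the Tor2Mine scripts.

```powershell
# Added example, not part of the Sophos research. Run in an elevated session on the host.
# Assumed indicator list: common download-cradle and encoded-command fragments seen in
# PowerShell-based loaders; extend it with what your own telemetry shows.
$SuspiciousArgs = @(
    'DownloadString', 'DownloadFile', 'Invoke-WebRequest', 'iwr ', 'IEX', 'Invoke-Expression',
    'Net.WebClient', '-enc', '-EncodedCommand', 'FromBase64String', 'hidden', 'bypass'
)
# Script hosts and launchers a miner task would typically invoke.
$SuspiciousExe = 'powershell|pwsh|wscript|cscript|mshta|cmd\.exe'

function Find-SuspiciousScheduledTask {
    [CmdletBinding()]
    param()
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            # Only ExecAction objects carry Execute/Arguments; skip other action types.
            if (-not $action.Execute) { continue }
            $exe     = $action.Execute
            $argLine = [string]$action.Arguments
            if ($exe -notmatch $SuspiciousExe) { continue }
            # Literal, case-insensitive match of each indicator against the argument string.
            $hits = $SuspiciousArgs | Where-Object { $argLine -match [regex]::Escape($_) }
            if (-not $hits) { continue }
            $info = Get-ScheduledTaskInfo -TaskName $task.TaskName -TaskPath $task.TaskPath -ErrorAction SilentlyContinue
            [pscustomobject]@{
                TaskPath   = $task.TaskPath
                TaskName   = $task.TaskName
                RunAs      = $task.Principal.UserId
                RunLevel   = $task.Principal.RunLevel   # Highest = runs elevated
                Execute    = $exe
                Indicators = ($hits -join ', ')
                LastRun    = $info.LastRunTime
                Arguments  = $argLine
            }
        }
    }
}

# Symptom check: CPU here is cumulative processor seconds, so a young process near the
# top of this list deserves a closer look.
function Get-TopCpuProcess {
    param([int]$Top = 5)
    Get-Process | Sort-Object CPU -Descending | Select-Object -First $Top Name, Id, CPU
}

Find-SuspiciousScheduledTask | Format-List
Get-TopCpuProcess | Format-Table -AutoSize
```

Any hit should be correlated with the task's creation time and the account that registered it, since a task in a user's path running as SYSTEM is the pattern described for the credential-theft branch above.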
Sophos recognises Tor2Mine variants as members of the MineJob family (MineJob-A through E) and recognises each variant’s script behaviour.