Tor2Mine cryptominer is warning sign of network exploitation • The Register

Cryptominer malware removal is a routine piece of the cybersecurity landscape these days. Yet if criminals are hijacking your compute cycles to mine cryptocurrencies, chances are there’s something worse lurking on your network too.

So warned Sophos threat researcher Sean Gallagher in a recent interview with The Register, as the antivirus firm published a report on the Tor2Mine cryptominer.

Tor2Mine is unremarkable, other than for its persistence features. If it gets onto your network it starts mining the Monero cryptocurrency, favoured by e-crims because (unlike Bitcoin, whose ledger exposes every address and amount) Monero's transactions hide sender, recipient and amount on the public ledger, so payments can't be easily traced by investigators.

The cryptominer spreads by exploiting remote code execution bugs, Sophos said, though once on a host the malware also steals Windows credentials and uses them to move laterally through the network.

Tor2Mine was first seen in 2018 by Cisco Talos, as that infosec organisation explained in a 2020 blog post alerting the world to a sudden burst of activity from the criminals operating the malware. Since then, some of its C2 infrastructure has died – but that hasn’t stopped the cryptominer from causing a headache.

“In a case we recently dealt with, the actual C2 for the miner had been dead for several months,” said Gallagher. “But the miner was still spreading, it was still trying to reach back and spread itself again, even after we removed it. Because there were other systems on the network that we didn’t have access to that had the scripts running on them… that were attempting to reinstall it.”

Some variants use Tor for command-and-control (C2), as described by Gallagher, but its latest evolution uses PowerShell scripts to kill anti-malware software on the host to ease its spread, and gains persistence by registering those scripts as Windows scheduled tasks, among other techniques. Not only that, but it also ousts rival malware gangs' cryptominers, he told us.

“So there’s one script in this thing called DEL.ps1,” said the Sophos researcher. “It had a whole list of IoCs [indicators of compromise] for other miners, and went through and tried to remove them as part of [its own] installation process because then they get the maximum amount of computing power.”
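The behaviours described above (script-host persistence through scheduled tasks, anti-malware tampering, and a server quietly burning CPU for a remote pool) are what a responder should go looking for. The script below is an added hunting example written for this article; it is not Sophos, Cisco Talos or Tor2Mine code. It assumes an administrative PowerShell session on a Windows host with the ScheduledTasks and Defender modules available. The keyword lists are the editor's own choices for "suspicious" script-host arguments (the DEL.ps1 name comes from the article, the rest are generic), and the CPU threshold is an arbitrary starting point, not a Tor2Mine indicator.

```powershell
# Added example: triage a Windows host for miner-style persistence and AV tampering.
# Not from the article's sources. Assumes admin rights, ScheduledTasks + Defender modules.

# Script hosts that a persistence task would normally invoke.
$SuspiciousHosts = @('powershell', 'pwsh', 'cmd', 'wscript', 'cscript', 'mshta', 'regsvr32', 'rundll32')
# Argument fragments worth a second look (editor's list; 'del.ps1' is the name quoted in the article).
$SuspiciousArgs  = @('-enc', 'encodedcommand', '-w hidden', 'windowstyle hidden', '-nop',
                     'bypass', 'iex', 'invoke-expression', 'downloadstring', 'downloadfile',
                     'invoke-webrequest', 'del.ps1')

function Find-SuspiciousScheduledTask {
    # Walk every task action; flag a script host launched with suspicious arguments.
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            $exe       = ([string]$action.Execute).Trim('"').ToLowerInvariant()
            $arguments = ([string]$action.Arguments).ToLowerInvariant()
            $hostHit   = $SuspiciousHosts | Where-Object { $exe -match "(^|\\)$_(\.exe)?$" }
            $argHit    = $SuspiciousArgs  | Where-Object { $arguments.Contains($_) }
            if ($hostHit -and $argHit) {
                [pscustomobject]@{
                    TaskPath   = $task.TaskPath
                    TaskName   = $task.TaskName
                    RunAs      = $task.Principal.UserId
                    State      = $task.State
                    Command    = "$exe $arguments"
                    Indicators = ($argHit -join ',')
                }
            }
        }
    }
}

function Test-DefenderTampering {
    # A miner that "kills anti-malware software" usually leaves one of these flipped
    # or adds an exclusion for its own directory or process.
    $status = Get-MpComputerStatus -ErrorAction SilentlyContinue
    $pref   = Get-MpPreference     -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ServiceRunning           = [bool]$status.AMServiceEnabled
        RealTimeProtection       = [bool]$status.RealTimeProtectionEnabled
        RealtimeDisabledByPolicy = [bool]$pref.DisableRealtimeMonitoring
        ExclusionPaths           = (@($pref.ExclusionPath)    -join ';')
        ExclusionProcesses       = (@($pref.ExclusionProcess) -join ';')
    }
}

function Find-MinerLikeProcess {
    # Long-running CPU-heavy processes plus the remote endpoints they hold open.
    # 600 CPU-seconds is an arbitrary starting threshold; tune it for the host's role.
    param([int]$MinCpuSeconds = 600)
    $conns = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue
    Get-Process | Where-Object { $_.CPU -ge $MinCpuSeconds } | ForEach-Object {
        $p = $_
        $remote = $conns | Where-Object { $_.OwningProcess -eq $p.Id } |
                  ForEach-Object { "$($_.RemoteAddress):$($_.RemotePort)" } | Sort-Object -Unique
        [pscustomobject]@{
            Pid        = $p.Id
            Name       = $p.ProcessName
            Path       = $(try { $p.Path } catch { $null })   # protected processes deny access
            CpuSeconds = [int]$p.CPU
            Remote     = ($remote -join ' ')
        }
    }
}

Write-Host '== Scheduled tasks launching script hosts with suspicious arguments =='
Find-SuspiciousScheduledTask | Format-Table -AutoSize
Write-Host '== Defender state (any False, or any exclusion you did not set, deserves a look) =='
Test-DefenderTampering | Format-List
Write-Host '== CPU-heavy processes and the endpoints they talk to =='
Find-MinerLikeProcess | Format-Table -AutoSize
```

Run it on every host that can reach the infected one, not just the one that raised the alert: as Gallagher's case shows, a scheduled task on a neighbouring machine you have not examined is exactly what reinstalls the miner after you remove it.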

Gallagher concluded: “If you have a miner on your network, especially a server based miner, it’s not just a sign that you had somebody click on something and you’ve got a miner on your network.

“It’s a situation where you have a vulnerability that is public enough, and widely disseminated enough, that somebody who is trying to take advantage of that access has gotten on your network.

“More bad things could be going on that you don’t even know about,” he warned.

Back in 2017, Malwarebytes discovered miscreants using custom JavaScript to keep in-browser cryptominers running after the target browsed away from the webpage hosting its code.

Killing rival cryptominers at installation was observed the following year by the SANS Internet Storm Center, while Check Point declared that cryptominers were definitely on the rise by mid-2018.

Cryptomining's popularity declined, though it never truly went away, as ransomware became more accessible to the average internet criminal and the COVID-19 pandemic brought a leap in ransomware attacks.

It's probably better to take the CPU and memory hit from running antivirus or a fully fledged antimalware suite than to rack up your electricity bill by unknowingly making cryptocurrency for some internet randomer. ®