Tor2Mine cryptominer has evolved: Just patching and cleaning the system won’t help

2021-12-03 06:00

Sophos released new findings on the Tor2Mine cryptominer, that show how the miner evades detection, spreads automatically through a target network and is increasingly harder to remove from an infected system.

In the research, Sophos describes new variants of the miner that include a PowerShell script that attempts to disable malware protection, execute the miner payload and steal Windows administrator credentials.

Tor2Mine cryptominer can execute the miner remotely and filelessly.

If the attackers cannot gain administrative privileges, Tor2Mine can still execute the miner remotely and filelessly by using commands that are run as scheduled tasks.

"The presence of miners, like Tor2Mine, in a network is almost always a harbinger of other, potentially more dangerous intrusions. However, Tor2Mine is much more aggressive than other miners," said Sean Gallagher, senior threat researcher at Sophos.

"Once it has established a foothold on a network, it is difficult to root out without the assistance of endpoint protection software and other anti-malware measures. Because it spreads laterally away from the initial point of compromise, it can't be eliminated just by patching and cleaning one system. The miner will continually attempt to re-infect other systems on the network, even after the command-and-control server for the miner has been blocked or goes offline."

News URL

https://www.helpnetsecurity.com/2021/12/03/tor2mine-cryptominer/

#cryptominer