- The Tor2Mine spreads extremely fast across systems that can’t be eliminated by patching or cleaning one system.
- The miner malware continually attempts to reinfect other systems on the network even if the “command-and-control server for the miner has been blocked or goes offline”.
The crypto space has been subject to a lot of malware attacks and a new Monero-miner crypto-malware is targeting big enterprise networks. Cyber security firm Sophos has recently released the details about the new variant of the Tor2Mine malware.
As per the latest report, the new variant of the Tor2Mine crypto-miner is affecting company networks big time for the mining of privacy coin Monero (XMR). The intrusions by previous variants were limited in scope, however, Sophos notes that the latest variant goes further.
In a detailed explanation, Sophos threat researcher Sean Gallagher said: “All of the miners we’ve seen recently are Monero miners”. The researcher explains that the new variant of Tor2Mine crypto-miner malware exploits the holes in network security.
It specifically targets systems with limited security features, involving some antivirus and anti-malware software. After installing on a server or a computer, the malware hunts for other systems to install its crypto miner for maximum profits. The official blog post from Sophos reads:
Tor2Mine uses a PowerShell script that attempts to disable malware protection, execute a miner payload and harvest Windows credentials. Using those credentials, Tor2Mine can spread itself, and will continue to re-infect other systems on the compromised network if not completely eradicated and malware protection is not present.
The fast spread of Tor2Mine makes it difficult to remove
One of the biggest concerns with Tor2Mine is it difficult to catch says Gallagher. “Once it has established a foothold on a network, it is difficult to root out without the assistance of endpoint protection software and other anti-malware measures,” he added.
Gallagher further added that Tor2Mine spreads laterally from the initial point of compromise. Thus, it can’t be eliminated just by patching or cleaning one system. The miner continually attempts to reinfect other systems on the network. This happens even if the “command-and-control server for the miner has been blocked or goes offline”.
Mining malware applications usually generate far less revenue than other attacks. Thus, they usually tend to spread fast to attack as many systems as possible to make the most profit.
Gallagher says that one must identify some key traits to find out if they are victims of the attack. For e.g. there’s unusually heavy use of the processing power, reduced performance, or higher than usual electricity bills.
Privacy coin Monero (XMR) has been a good target for attackers and cybercriminals. This is because the Monero wallet addresses and transactions are difficult to trace. This is because Monero uses ring signatures and stealth addresses. This completely hides the identities of the sender and the receiver.