It can even be stored and run remotely on compromised machines.

Tor2Mine is a Monero cryptominer that has been active for at least two years. New variants of the miner include a PowerShell script that attempts to disable malware protection, execute the miner payload and steal Windows administrator credentials.

What happens next depends on whether the attackers successfully gain administrative privileges with the stolen credentials. This process is the same for all the variants, and they all attempt to shut down anti-malware protection and install the same miner code.

Similarly, in all cases, the miner will continue to re-infect systems on the network unless it encounters malware protection or is completely eradicated from the network.

These revelations about Tor2Mine were released recently by Sophos researchers due to its evasiveness and tenacity. According to one of the firm’s senior threat researchers, Sean Gallagher, the presence of miners like Tor2Mine in a network is almost always a harbinger of other, potentially more dangerous intrusions. “However, Tor2Mine is much more aggressive than other miners. Once it has established a foothold on a network, it is difficult to root out without the assistance of endpoint protection software and other anti-malware measures. Because it spreads laterally away from the initial point of compromise, it can’t be eliminated just by patching and cleaning one system. As cryptocurrencies continue to increase in value and support the ever-growing ransomware and cyber extortion landscape, we may well see more, and more aggressive, variants of other cryptominers emerge,” he said.

A hard nut to crack

Sophos researchers also discovered scripts designed to kill off a variety of processes and tasks. Almost all of them are related to crimeware, including competing cryptominers and clipper malware that steals cryptocurrency wallet addresses.

For example, if the attackers manage to get hold of administrative credentials, they can secure the privileged access they need to install the mining files. They can also search the network for other machines that they can install the mining files on. This enables Tor2Mine to spread further and embed itself on computers across the network.

If the attackers cannot gain administrative privileges, Tor2Mine can still execute the miner remotely and file-lessly by using commands that are run as scheduled tasks. In this instance, the mining software is stored remotely rather than on a compromised machine.