New Variants of Tor2Mine Cryptominer Feature Enhanced Evasion, Persistence and Spreading Powers, Sophos Reports

  • Date: 12-Dec-2021
  • Source: Tahawultech
  • Sector: Financial Markets
  • Country: UAE

Dubai, UAE, December 12, 2021: Sophos, a global leader in next-generation cybersecurity, today released new findings on the Tor2Mine cryptominer, “Two flavours of Tor2Mine miner dig deep into networks with PowerShell, VBScript”, that show how the miner evades detection, spreads automatically through a target network and is increasingly harder to remove from an infected system. Tor2Mine is a Monero miner that has been active for at least two years.

In the research, Sophos describes new variants of the miner that include a PowerShell script that attempts to disable malware protection, execute the miner payload and steal Windows administrator credentials. What happens next depends on whether the attackers successfully gain administrative privileges with the stolen credentials. This process is the same for all the variants analysed.

For example, if the attackers manage to get hold of administrative credentials, they can secure the privileged access they need to install the mining files. They can also search the network for other machines that they can install the mining files on. This enables Tor2Mine to spread further and embed itself on computers across the network.
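The behaviours the article attributes to the PowerShell stage (disabling protection, running the miner, stealing credentials, reaching other machines) are exactly what a defender can correlate per host in PowerShell script-block logging. The following is an added illustration written for this page, not code from Sophos or from the report; the log records and the regex indicators are constructed assumptions, and a real deployment would tune them to its own telemetry.

```python
import re
from collections import defaultdict

# Constructed sample PowerShell script-block log records as (host, script text).
# These are hypothetical illustrations, not content from the Sophos report.
SAMPLE_LOGS = [
    ("host-a", "Set-MpPreference -DisableRealtimeMonitoring $true"),
    ("host-a", "Start-Process $env:TEMP\\xmrig.exe -ArgumentList '-o pool.example.invalid:3333'"),
    ("host-a", "Import-Module C:\\Temp\\Invoke-Mimikatz.ps1"),
    ("host-a", "Invoke-Command -ComputerName host-b -ScriptBlock { Start-Process xmrig.exe }"),
    ("host-b", "Get-ChildItem C:\\Users"),
]

# One regex per behaviour the article describes for the Tor2Mine PowerShell stage.
# The patterns are assumptions chosen for this example, not signatures from the report.
BEHAVIOURS = {
    "disable_protection": re.compile(r"Set-MpPreference\s+-Disable\w+", re.I),
    "miner_payload": re.compile(r"xmrig|stratum\+tcp|-o\s+\S+:\d{2,5}", re.I),
    "credential_theft": re.compile(r"mimikatz", re.I),
    "lateral_spread": re.compile(r"Invoke-Command\s+-ComputerName", re.I),
}


def classify(records):
    """Map each host to the set of behaviour labels seen in its script blocks."""
    seen = defaultdict(set)
    for host, script in records:
        for label, pattern in BEHAVIOURS.items():
            if pattern.search(script):
                seen[host].add(label)
    return dict(seen)


def flag_hosts(records, min_behaviours=2):
    """Return (host, labels) for hosts showing at least min_behaviours distinct behaviours.

    A single indicator is weak on its own; the combination is what points at a
    Tor2Mine-style chain, so hosts are ranked by how many behaviours they show.
    """
    seen = classify(records)
    hits = [(host, sorted(labels)) for host, labels in seen.items() if len(labels) >= min_behaviours]
    return sorted(hits, key=lambda item: (-len(item[1]), item[0]))


if __name__ == "__main__":
    for host, labels in flag_hosts(SAMPLE_LOGS):
        print(f"{host}: {', '.join(labels)}")
```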

If the attackers cannot gain