“All of the miners we’ve seen recently are Monero miners,” Sophos threat researcher Sean Gallagher, who authored the report, told Decrypt in a phone interview.
According to Gallagher, the malware looks for holes in a network's security, generally in the form of systems whose security features, including antivirus and anti-malware software, have not been updated or patched. Once installed on a server or computer, the malware looks for other systems on which to install its crypto-miner, to maximize profit.
Two flavors of Tor2Mine miner dig deep into networks with PowerShell, VBScript
Using remote scripts and code, one variant can even execute filelessly until it gains administrative credentials…
— SophosLabs (@SophosLabs) December 2, 2021
Hacks remain a real concern for DAOs and DeFi projects, which are vulnerable to more than just smart contract exploits. Yesterday, Decrypt reported BadgerDAO was hacked for $120 million in a front-end exploit, according to the cybersecurity firm PeckShield.
“Once it has established a foothold on a network, it is difficult to root out without the assistance of endpoint protection software and other anti-malware measures,” Gallagher said in a press release. “Because it spreads laterally away from the initial point of compromise, it can’t be eliminated just by patching and cleaning one system. The miner will continually attempt to re-infect other systems on the network, even after the command-and-control server for the miner has been blocked or goes offline.”
In other words, Tor2Mine quickly spreads to every other system on a network, installing the crypto-miner where it can—and it’s not easy to remove.
Because they generate less revenue than other attacks, like ransomware, mining malware applications need to infect as many systems as possible to make the attack worth the trouble.
Gallagher tells Decrypt that signs a system is infected include unusually heavy use of processing power, reduced performance, and higher-than-usual electricity bills. Kind of like you're mining crypto.
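The "unusually heavy use of processing power" signal can be checked automatically rather than waiting for the electricity bill. The Python below is an added illustration, not code from Sophos or from this article: it takes periodic process snapshots and flags processes that stay hot for several consecutive samples while ignoring an allowlist of workloads expected to run hot. The snapshots, process names, allowlist and thresholds are all constructed assumptions and would need tuning per host.

```python
from collections import defaultdict

# Constructed sample data (not from the article): five snapshots of running
# processes taken one minute apart, as (pid, name, cpu_percent).
SNAPSHOTS = [
    [(101, "postgres", 91.0), (202, "updater", 97.5), (303, "chrome", 12.0), (404, "bash", 0.3)],
    [(101, "postgres", 88.0), (202, "updater", 98.0), (303, "chrome", 86.0), (404, "bash", 0.1)],
    [(101, "postgres", 93.0), (202, "updater", 96.9), (303, "chrome", 9.0),  (404, "bash", 0.0)],
    [(101, "postgres", 90.0), (202, "updater", 99.1), (303, "chrome", 7.5),  (404, "bash", 0.2)],
    [(101, "postgres", 89.0), (202, "updater", 97.0), (303, "chrome", 11.0), (404, "bash", 0.1)],
]

# Assumed allowlist: workloads known to run hot on this particular host.
ALLOWLIST = frozenset({"postgres"})


def longest_hot_streak(samples, threshold):
    """Length of the longest run of consecutive samples at or above threshold."""
    best = cur = 0
    for value in samples:
        cur = cur + 1 if value >= threshold else 0
        best = max(best, cur)
    return best


def sustained_cpu_hogs(snapshots, threshold=80.0, min_streak=3, allowlist=ALLOWLIST):
    """Return (pid, name, streak) for processes that stayed at or above
    `threshold` percent CPU for at least `min_streak` consecutive snapshots.

    Processes are keyed on (pid, name) so that a reused pid with a different
    name is not merged into the earlier process's history.
    """
    history = defaultdict(list)
    for snapshot in snapshots:
        for pid, name, cpu in snapshot:
            history[(pid, name)].append(cpu)

    hits = []
    for (pid, name), cpus in history.items():
        if name in allowlist:
            continue  # expected to be busy; a miner hiding here needs another signal
        streak = longest_hot_streak(cpus, threshold)
        if streak >= min_streak:
            hits.append((pid, name, streak))
    return sorted(hits)


if __name__ == "__main__":
    # A single spike (chrome in snapshot 2) is ignored; only the process that is
    # hot across every snapshot is reported.
    for pid, name, streak in sustained_cpu_hogs(SNAPSHOTS):
        print(f"pid {pid} ({name}) hot for {streak} consecutive samples")
```

Two caveats a practitioner would add: a miner configured to throttle itself below the threshold will not trip this check, and anything on the allowlist is a blind spot, so the CPU heuristic is a triage aid to pair with the endpoint protection and network controls Sophos recommends, not a replacement for them.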
Monero, which means "coin" in Esperanto, has become a favorite of cybercriminals because its privacy features make tracing much harder than with Bitcoin or Ethereum. Monero transactions are difficult to trace because ring signatures obscure which sender actually signed a transaction and one-time stealth addresses hide the receiver, so neither party's wallet address appears on the public ledger.
Sophos recommends patching vulnerabilities in internet-facing systems like web applications, VPN services, and email servers and installing anti-malware products to make them much less likely to fall victim.
While Sophos makes its own products, Gallagher just urged some type of protection. “Any anti-virus is better than no anti-virus,” he said.