“Once it has established a foothold on a network, it is difficult to root out without the assistance of endpoint protection software and other anti-malware measures. However, Tor2Mine is much more aggressive than other miners,” warns Sophos senior threat researcher Sean Gallagher. “The presence of miners, like Tor2Mine, in a network is almost always a harbinger of other, potentially more dangerous intrusions. Similarly, in all cases, the miner will continue to re-infect systems on the network unless it encounters malware protection or is completely eradicated from the network.
Apex sql monitor install#
The variants all attempt to shut down anti-malware protection and install the same miner code. In this instance, the mining software is stored remotely rather than on a compromised machine.
If the attackers cannot gain administrative privileges, Tor2Mine can still execute the miner remotely and filelessly by using commands that are run as scheduled tasks. This enables Tor2Mine to spread further and embed itself on computers across the network. They can also search the network for other machines that they can install the mining files on. This process is the same for all the variants analysed.įor example, if the attackers manage to get hold of administrative credentials, they can secure the privileged access they need to install the mining files.
What happens next depends on whether the attackers successfully gain administrative privileges with the stolen credentials. Sophos describes new variants of the miner that include a PowerShell script that attempts to disable malware protection, execute the miner payload, and steal Windows administrator credentials. Sophos says Tor2Mine is a Monero-miner that has been active for at least two years.