Various cryptocurrencies have been launched in recent years with the aim to enhance privacy and anonymity, although their success has been varied. One such cryptocurrency is Monero, which has achieved a high level of popularity and acceptance for its privacy-oriented features.
Launched in 2014, Monero (XMR) is an open-source, privacy-oriented cryptocurrency that is built and operates on the blockchain concept.
Attackers have mined this cryptocurrency by spreading Trojans and by other means. After 2018, Tor2Mine, a cryptocurrency-mining threat actor, made a comeback with the aim of controlling Monero mining activity.
While targeting countries such as Turkey, Spain, Russia, and Egypt, Tor2Mine has been turning users' machines into unpaid mining "black labor". By controlling a large number of devices and achieving viral transmission through lateral movement, the Tor2Mine program has grown dramatically since March this year. The Tor2Mine parent program is hidden in download sites and contains the Trojan. By spreading laterally and creating scheduled tasks, the mining Trojan quickly infects and takes over users' computers.
How does it operate?
- Once the victim's computer is compromised, the mining Trojan runs PowerShell code and the XMRigCC mining program loader. This step determines whether the current process runs with administrator-group privileges, and on that basis decides whether the security software and mining-related services should be terminated.
- The Trojan loader contains the execution path of the mining program and terminates the security software processes if the user has administrator-group permissions.
- To cloak its actions, the loader sets PowerShell preference variables so that warnings are suppressed and execution continues silently.
- The Trojan detects and removes any existing mining program and services, then downloads its own mining program and installs it as a replacement java.exe/javaw.exe, which serves as the main mining program.
- The loader then creates several scheduled tasks and services to run the mining program and to communicate with its dark-web server through the tor2web service.
- To steal user credentials for lateral movement, Tor2Mine also uses a password-collecting artifact and Mimikatz.
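The behaviours listed above (scheduled tasks that launch a dropped java.exe/javaw.exe, PowerShell run with its preference variables silenced, and traffic to a tor2web gateway) are the kind a defender can hunt for in normalised endpoint telemetry. The following is an added example, not code from the eScan blog; the event format, the sample records, the list of legitimate JRE directories and the ".onion." gateway heuristic are all assumptions made for the illustration.

```python
import re

# Constructed sample records (not real telemetry) in a simplified, normalised
# shape: one dict per scheduled-task, process-creation or network event.
SAMPLE_EVENTS = [
    {"type": "task_created", "task": r"\Updates\JavaUpdate",
     "command": r"C:\Users\Public\java.exe --config=cfg.json"},
    {"type": "task_created", "task": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "command": r"%windir%\system32\defrag.exe -c -h -o"},
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -c $ErrorActionPreference='SilentlyContinue';"
                "$ProgressPreference='SilentlyContinue'"},
    {"type": "task_created", "task": r"\Oracle\JavaUpdate",
     "command": r'"C:\Program Files\Java\jre\bin\java.exe" -jar update.jar'},
    {"type": "network", "image": r"C:\Users\Public\javaw.exe",
     "dest_host": "abcdef1234.onion.example"},
]

# Assumption: a legitimate JRE lives under one of these directories; anything
# else launching java.exe/javaw.exe from a scheduled task deserves a look.
LEGIT_JAVA_DIRS = (r"c:\program files\java", r"c:\program files (x86)\java")
JAVA_PATH = re.compile(r'([a-z]:\\[^"]*?javaw?\.exe)', re.I)
# PowerShell preference variables forced to SilentlyContinue on the command line.
SILENCED_PREFS = re.compile(
    r"\$(ErrorAction|Progress|Warning)Preference\s*=\s*'?SilentlyContinue", re.I)

def check_event(ev):
    """Return the reasons this event matches a Tor2Mine-style behaviour."""
    reasons = []
    if ev["type"] == "task_created":
        m = JAVA_PATH.search(ev["command"])
        if m and not m.group(1).lower().startswith(LEGIT_JAVA_DIRS):
            reasons.append("scheduled task runs java.exe/javaw.exe outside the JRE install path")
    elif ev["type"] == "process":
        if "powershell" in ev["image"].lower() and SILENCED_PREFS.search(ev["cmdline"]):
            reasons.append("PowerShell started with preference variables set to SilentlyContinue")
    elif ev["type"] == "network":
        # Assumption: tor2web gateways expose onion services as '<onion>.onion.<tld>' hosts.
        if ".onion." in ev["dest_host"].lower():
            reasons.append("outbound connection to a tor2web-style gateway host")
    return reasons

def scan(events):
    """Return (event index, reason) pairs for every suspicious event."""
    return [(i, r) for i, ev in enumerate(events) for r in check_event(ev)]

if __name__ == "__main__":
    for idx, reason in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {reason}")
```

Of the five constructed records, only the dropped java.exe task, the silenced PowerShell launch and the gateway connection are flagged; the defrag task and the JRE-path java task pass.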
Safer Mining of Bitcoin.
Identify fraudulent websites and block phishing links by adopting a robust security program that intercepts crypto-mining campaigns. Organizations also need to implement tighter controls on the access rights of workstations and related servers to stop an infection's lateral spread.
To read more, please check eScan Blog