“Tor2Mine” Has Returned to Infecting Systems With Cryptominers

Last updated June 23, 2021
Written by:
Bill Toulas
Bill Toulas
Cybersecurity Journalist

Although the cryptojacking field is in a state of a continual demise when it comes to regular PC users, it is still a threat to IoTs, server farms, and powerful supercomputers. However, some actors are looking to return to the declining field, but with a spin that will render their operations more profitable. “Tor2Mine,” one of the cryptomining actors who were active back in 2018 and then entered a lengthy period of dormancy, has refreshed their malicious infrastructure and tools and is currently making a resurgence. According to a detailed Cisco Talos report, Tor2Mine isn’t limited only to cryptominers anymore, as it is using additional malware tools that can harvest credentials from the compromised systems.

This diversification is indicative of the instability that underpins the cryptocurrency market, and why cryptojacking groups are looking for alternate or additional ways to render their operations efficient. Tor2Mine has always been a profit-driven actor, but the profits from cryptocurrency during this period are all but stable and predictable. Thus, the group is now deploying the “Remcos” RAT (remote access tool), the DarkVNC backdoor Trojan, and also a variant of the AZORult info-stealer. Of course, the XMRigCC payload is still included in the Tor2Mine’s arsenal, but the spotlight is no longer fixed on it.

The Talos researchers also found out that the actor has updated their infrastructure, adding new domains that are often the results of compromises on unrelated entities like an environmental consulting company. However, it is noteworthy that the actors are still using some IPs that were employed back in 2018 and which have already been identified by previous investigations. This shows the actors are either not afraid of having their new infrastructure components associated with their previous activities or aren’t careful enough. Not having the financial resources to ditch everything that they used in the past and replace it with new attack launching points is also a possibility. Here are some of the indicators of compromise as identified and shared by Talos:

Domain

IPs

This is an example that highlights the fact that cryptojacking is still a danger for users, no matter that the volatile cryptocurrency market is creating an environment that is far from ideal for malicious actors. While many ditch this sort of operation due to the aforementioned practical problems, some are looking to broaden the spectrum of their assault. Thus they are getting even more dangerous than before.



For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: