Cryptocurrency has long been associated with cybercrime, amounting to as much as $11.5 billion in criminal activity. But while certain types of crypto are more transparent, others provide full anonymity, presenting additional opportunities for cybercriminals.
Recently, Sophos released its 2022 Threat Report, predicting that cryptocurrency will be continuously used as a way to power cybercrime. Now, it has identified new variants of the Monero-miner, known as Tor2Mine. While it has been around for at least two years, Tor2Mine has been growing and evolving, with new variants becoming harder to remove and easier to spread.
Tor2Mine uses a miner payload to harvest Windows credentials in order to mine Monero, cybercriminals’ new “cryptocurrency of choice.” It uses a PowerShell script to bypass existing defenses and infiltrate more systems. From there, its behavior depends on whether it obtains administrative credentials: if it does, it executes installation scripts on more devices.
According to Sophos, miners are a “low-risk way for cybercriminals to turn a vulnerability into digital cash.” By identifying and exploiting a vulnerability, they only risk other threat actors discovering the same entry point and using it either for crypto mining, data theft, or ransomware deployment.
Why do cybercriminals prefer Monero?
Released in 2014, Monero is an “all-privacy” cryptocurrency, meaning that all details of a transaction, from the amount to the parties’ identities, are hidden. It is critically different from the bitcoin blockchain, which offers far more transparency and is therefore easier to regulate in terms of a transaction’s route and origin.
As a result, it has become the go-to solution for criminals wishing to keep their financial dealings anonymous, with groups such as REvil opting for Monero. According to a 2019 paper, one in 25 Monero coins was associated with illicit mining.
However, Monero is still, thankfully, not widely adopted because it does not offer the same level of liquidity as other cryptocurrencies, such as bitcoin. Countless exchanges exclude Monero from their lists, worried about regulations that may be introduced. Furthermore, many insurance providers refuse to carry out ransom payments in Monero, presenting additional issues for threat actors.
“Cryptocurrency is only useful if you can buy and sell goods and services or cash out into mainstream money, and that is much more difficult with privacy coins,” Kim Grauer, director of research at cryptocurrency analysis firm Chainalysis, told BBC.
How to establish appropriate defenses?
Sophos suggests that companies that patch their systems promptly are unlikely to have to deal with coin miners. First of all, antimalware services are pretty good at detecting the scripts used to evade malware defenses. Secondly, coin miners are often after easy targets: systems with straightforward vulnerabilities present and owners with little interest in cybersecurity. Ultimately, the tougher you make it for a threat actor to take advantage of existing gaps in the system, the less likely they are to spend additional time trying.
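The article notes that antimalware services can detect the PowerShell scripts miners use to evade defenses. The following is an added example, not code from the article or from Sophos, of how a defender might triage PowerShell script-block log lines (Windows event ID 4104) for the indicators a Monero miner typically leaves: execution-policy bypass, encoded commands, disabling of Defender real-time monitoring, the well-known XMRig miner binary, stratum pool URLs, and a Monero-format payout address. The log line layout, the sample lines, the wallet address and the rule weights are all constructed for this example; the host names, pool address and event format are assumptions, not data from the page.

```python
"""Heuristic triage of PowerShell script-block log lines for coin-miner indicators.

Added example; not the article's or Sophos's code. Log format, sample lines,
rule weights and the fake wallet address are all constructed for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed fake Monero-style payout address: 95 base58 characters beginning
# with "4", the shape of a standard Monero mainnet address. Not a real wallet.
FAKE_XMR_ADDRESS = "4A" + "B" * 93

# Constructed sample script-block log lines (not real telemetry). The layout
# "<timestamp> <host> EventID=<id> <script text>" is an assumption of this example.
SAMPLE_LOG = f"""\
2021-12-01T10:00:00Z ws01 EventID=4104 Get-ChildItem C:\\Users\\alice\\Documents
2021-12-01T10:00:05Z ws01 EventID=4104 powershell.exe -ExecutionPolicy Bypass -NoProfile -EncodedCommand SQBFAFgAIAAo
2021-12-01T10:00:07Z ws01 EventID=4104 Set-MpPreference -DisableRealtimeMonitoring $true
2021-12-01T10:00:09Z ws01 EventID=4104 Start-Process xmrig.exe -ArgumentList "-o stratum+tcp://pool.invalid:3333 -u {FAKE_XMR_ADDRESS}"
2021-12-01T10:01:00Z ws02 EventID=4104 Get-Process | Where-Object CPU -gt 50
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+EventID=(\d+)\s+(.*)$")

# (rule name, pattern, weight). Evasion indicators are weighted lower than
# direct mining indicators because they also appear in legitimate admin scripts.
RULES = [
    ("execution-policy-bypass", re.compile(r"-ExecutionPolicy\s+Bypass", re.I), 2),
    ("encoded-command", re.compile(r"-(?:EncodedCommand|enc|e)\s+[A-Za-z0-9+/=]{8,}", re.I), 2),
    ("defender-disabled", re.compile(r"Set-MpPreference\s+-Disable\w+", re.I), 3),
    ("known-miner-binary", re.compile(r"\bxmrig(?:\.exe)?\b", re.I), 4),
    ("stratum-pool-url", re.compile(r"stratum\+(?:tcp|ssl)://", re.I), 4),
    ("monero-address", re.compile(r"\b4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}\b"), 4),
]


@dataclass
class Finding:
    line_no: int
    host: str
    score: int
    rules: list[str]
    script: str


def scan_log(text: str) -> list[Finding]:
    """Return one Finding per event-4104 line that matches at least one rule."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m or m.group(3) != "4104":
            continue  # not a script-block event, or unparseable line
        script = m.group(4)
        hits = [(name, weight) for name, rx, weight in RULES if rx.search(script)]
        if hits:
            findings.append(Finding(
                line_no=line_no,
                host=m.group(2),
                score=sum(w for _, w in hits),
                rules=[name for name, _ in hits],
                script=script,
            ))
    return findings


def host_risk(findings: list[Finding], threshold: int = 6) -> dict[str, int]:
    """Aggregate scores per host so that evasion plus mining indicators on one
    machine stand out even when no single line is conclusive on its own."""
    totals: dict[str, int] = {}
    for f in findings:
        totals[f.host] = totals.get(f.host, 0) + f.score
    return {host: score for host, score in totals.items() if score >= threshold}


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f"line {f.line_no} host={f.host} score={f.score} rules={f.rules}")
    print("hosts over threshold:", host_risk(found))
```

Aggregating per host matters in practice: an execution-policy bypass on its own is routine in many environments, but the same host disabling real-time monitoring and then launching a process that talks to a stratum pool is the pattern the article describes, and it is the combination that should page an analyst.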