Tag Archive for: evolved

Tor2Mine cryptominer has evolved: Just patching and cleaning the system won’t help

Sophos released new findings on the Tor2Mine cryptominer that show how the miner evades detection, spreads automatically through a target network and is becoming harder to remove from an infected system. Tor2Mine is a Monero miner that has been active for at least two years.

Tor2Mine cryptominer

In the research, Sophos describes new variants of the miner that include a PowerShell script that attempts to disable malware protection, execute the miner payload and steal Windows administrator credentials. What happens next depends on whether the attackers successfully gain administrative privileges with the stolen credentials. This process is the same for all the variants analyzed.

For example, if the attackers manage to get hold of administrative credentials, they can secure the privileged access they need to install the mining files. They can also search the network for other machines that they can install the mining files on. This enables Tor2Mine to spread further and embed itself on computers across the network.

Tor2Mine cryptominer can execute the miner remotely and filelessly

If the attackers cannot gain administrative privileges, Tor2Mine can still execute the miner remotely and filelessly by using commands that are run as scheduled tasks. In this instance, the mining software is stored remotely rather than on a compromised machine.

The variants all attempt to shut down anti-malware protection and install the same miner code. Similarly, in all cases, the miner will continue to re-infect systems on the network unless it encounters malware protection or is completely eradicated from the network.

“The presence of miners, like Tor2Mine, in a network is almost always a harbinger of other, potentially more dangerous intrusions. However, Tor2Mine is much more aggressive than other miners,” said Sean Gallagher, senior threat researcher at Sophos.

“Once it has established a foothold on a network, it is difficult to root out without the assistance of endpoint protection software and other anti-malware measures. Because it spreads laterally away from the initial point of compromise, it can’t be eliminated just by patching and cleaning one system. The miner will continually attempt…


Matrix has slowly evolved into a ‘Swiss Army knife’ of the ransomware world – ZDNet

The Matrix ransomware is usually deployed after cyber-criminals use unsecured RDP endpoints to compromise companies’ internal networks.


Robocallers “evolved” to sidestep new call blocking rules, AGs tell FCC

Image: Three robots sitting in front of computers and wearing phone headsets (credit: Getty Images | vladru)

The Federal Communications Commission should let phone companies get more aggressive in blocking robocalls, 35 state attorneys general told the commission yesterday.

The FCC last year authorized voice service providers to block more types of calls in which the Caller ID has been spoofed or in which the number on the Caller ID is invalid. But the FCC did not go far enough, and robocallers have “evolved” to evade the new rules, the 35 attorneys general wrote in an FCC filing:

One specific method which has evolved recently is a form of illegal spoofing called “neighbor spoofing.” A neighbor-spoofed call will commonly appear on a consumer’s caller ID with the same area code and local exchange as the consumer to increase the likelihood he/she will answer the call. In addition, consumers have recently reported receiving calls where their own phone numbers appeared on their caller ID. A consumer who answered one such call reported the caller attempted to trick her by saying he was with the phone company and required personal information to verify the account, claiming it had been hacked.

The attorneys general said they “encourage the FCC to adopt rules authorizing providers to block these and other kinds of illegally spoofed calls.”


Biz & IT – Ars Technica