I found and reverse engineered a variant of this on Z series miners last year. The use of Tor was unexpected... those who ran the virus had SSH servers running on tor with the authentication keys in the malware. .... I was able to fix that for them. :-)