LoudMiner

LoudMiner is a cryptocurrency miner which uses virtualization software to siphon system resources. The miner has been bundled with pirated copies of Virtual Studio Technology (VST) for Windows and macOS.[1]

ID: S0451
Type: MALWARE
Platforms: macOS, Windows
Version: 1.0
Created: 18 May 2020
Last Modified: 29 June 2020

Techniques Used

Domain ID Name Use
Enterprise T1547 Boot or Logon Autostart Execution

LoudMiner can automatically launch at startup if the AutoStart option is enabled in the VBoxVmService configuration file.[1]

Enterprise T1547 .011 Boot or Logon Autostart Execution: Plist Modification

LoudMiner used plists to execute shell scripts and maintain persistence on boot. LoudMiner also added plist files in /Library/LaunchDaemons with KeepAlive set to true, which would restart the process if stopped.[1]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

LoudMiner used a batch script to run the Linux virtual machine as a service.[1]

Enterprise T1059 .004 Command and Scripting Interpreter: Unix Shell

LoudMiner used shell scripts to launch various services and to start/stop the QEMU virtualization.[1]

Enterprise T1543 .004 Create or Modify System Process: Launch Daemon

LoudMiner added plist files in /Library/LaunchDaemons with RunAtLoad set to true.[1]

Enterprise T1543 .003 Create or Modify System Process: Windows Service

LoudMiner has used VBoxVmService to run a Linux virtual machine as a service for persistence.[1]

Enterprise T1189 Drive-by Compromise

LoudMiner is typically bundled with pirated copies of Virtual Studio Technology (VST) for Windows and macOS.[1]

Enterprise T1564 .001 Hide Artifacts: Hidden Files and Directories

LoudMiner has set the attributes of the VirtualBox directory and VBoxVmService parent directory to "hidden".[1]

Enterprise T1564 .006 Hide Artifacts: Run Virtual Instance

LoudMiner has used QEMU and VirtualBox to run a Tiny Core Linux virtual machine, which runs XMRig and makes connections to the C2 server for updates.[1]

Enterprise T1070 .004 Indicator Removal on Host: File Deletion

LoudMiner deleted installation files after completion.[1]

Enterprise T1105 Ingress Tool Transfer

LoudMiner used SCP to update the miner from the C2.[1]

Enterprise T1027 Obfuscated Files or Information

LoudMiner has obfuscated various scripts and encrypted DMG files.[1]

Enterprise T1057 Process Discovery

LoudMiner used the ps command to monitor the running processes on the system.[1]

Enterprise T1496 Resource Hijacking

LoudMiner harvested system resources to mine cryptocurrency, using XMRig to mine Monero.[1]

Enterprise T1218 .007 Signed Binary Proxy Execution: Msiexec

LoudMiner used an MSI installer to install the virtualization software.[1]

Enterprise T1082 System Information Discovery

LoudMiner has monitored CPU usage.[1]

Enterprise T1016 System Network Configuration Discovery

LoudMiner used a script to gather the IP address of the infected machine before sending it to the C2.[1]

Enterprise T1569 .002 System Services: Service Execution

LoudMiner started the cryptomining virtual machine as a service on the infected machine.[1]

Enterprise T1569 .001 System Services: Launchctl

LoudMiner launched the QEMU services in the /Library/LaunchDaemons/ folder using launchctl.[1]
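The three macOS persistence rows above (T1547.011 Plist Modification, T1543.004 Launch Daemon and T1569.001 Launchctl) all come down to the same artifact: a plist in /Library/LaunchDaemons with RunAtLoad or KeepAlive set to true whose program, or the shell script it wraps, starts QEMU or VirtualBox. The following hunt script is an added example, not code from MITRE ATT&CK or from the report cited as [1]; the daemon labels, file paths, wrapper script and the substring watch list it uses are all constructed for the demo.

```python
"""Hunt for LaunchDaemon plists that persist a virtualization or mining
binary the way the LoudMiner entry describes.  Added example, not code from
MITRE ATT&CK or from the original report.  Paths, labels and the token list
below are constructed for this demo.
"""
import plistlib
import tempfile
from pathlib import Path
from xml.parsers.expat import ExpatError

# Constructed watch list of substrings that tie a daemon to QEMU, VirtualBox
# or XMRig; extend to taste, it is not an indicator list from the report.
SUSPECT_TOKENS = ("qemu", "vboxheadless", "vboxmanage", "xmrig")
MAX_SCRIPT_BYTES = 64 * 1024


def _script_text(arg):
    """If a ProgramArguments entry is a small readable file (e.g. the shell
    script a daemon wraps), return its text so the script body is inspected too."""
    try:
        p = Path(arg)
        if p.is_file() and p.stat().st_size <= MAX_SCRIPT_BYTES:
            return p.read_text(errors="ignore")
    except OSError:
        pass
    return ""


def assess_plist(data):
    """Return (persistence_flags, matched_tokens) for one parsed plist dict."""
    flags = []
    if data.get("RunAtLoad") is True:
        flags.append("RunAtLoad")
    keep_alive = data.get("KeepAlive")
    # KeepAlive may be a bare true or a dict of conditions; both restart the job.
    if keep_alive is True or (isinstance(keep_alive, dict) and keep_alive):
        flags.append("KeepAlive")
    argv = [str(a) for a in data.get("ProgramArguments", [])]
    if "Program" in data:
        argv.append(str(data["Program"]))
    haystack = " ".join(argv + [_script_text(a) for a in argv]).lower()
    tokens = [t for t in SUSPECT_TOKENS if t in haystack]
    return flags, tokens


def scan_launch_daemons(directory):
    """Parse every .plist in `directory` and report entries that are both
    auto-started/kept alive and reference a suspect binary.  Unparseable
    files are reported too, since a daemon plist that will not parse is
    itself worth a look."""
    findings = []
    for path in sorted(Path(directory).glob("*.plist")):
        try:
            with open(path, "rb") as fh:
                data = plistlib.load(fh)
        except (plistlib.InvalidFileException, ExpatError, OSError) as exc:
            findings.append({"file": path.name, "error": exc.__class__.__name__})
            continue
        if not isinstance(data, dict):
            continue
        flags, tokens = assess_plist(data)
        if flags and tokens:
            findings.append({"file": path.name, "label": data.get("Label"),
                             "flags": flags, "tokens": tokens})
    return findings


def build_sample_dir():
    """Write constructed plists (and one wrapper script) to a temp directory."""
    root = Path(tempfile.mkdtemp(prefix="launchdaemons-demo-"))
    script = root / "start-vm.sh"
    script.write_text("#!/bin/sh\nexec /usr/local/bin/qemu-system-x86_64 -hda /tmp/tc.qcow2\n")
    samples = {
        # LoudMiner-style: wraps a shell script that starts QEMU, restarted forever
        "com.constructed.vm.plist": {
            "Label": "com.constructed.vm",
            "ProgramArguments": ["/bin/sh", str(script)],
            "RunAtLoad": True,
            "KeepAlive": True,
        },
        # Benign-looking daemon: auto-starts but runs nothing on the watch list
        "com.constructed.updater.plist": {
            "Label": "com.constructed.updater",
            "ProgramArguments": ["/usr/libexec/constructed-updater", "--daemon"],
            "RunAtLoad": True,
        },
    }
    for name, payload in samples.items():
        with open(root / name, "wb") as fh:
            plistlib.dump(payload, fh)
    # Deliberately malformed file to exercise the error path
    (root / "com.constructed.broken.plist").write_bytes(b"not a plist at all")
    return root


def run_demo():
    """Scan the constructed directory and return the findings list."""
    return scan_launch_daemons(build_sample_dir())


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

On a real host, point scan_launch_daemons at /Library/LaunchDaemons (and /Library/LaunchAgents) instead of the constructed directory; reading the wrapper script matters because, as the rows above note, LoudMiner's plists executed shell scripts rather than naming the QEMU binary directly.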

References