LoudMiner

LoudMiner is a cryptocurrency miner which uses virtualization software to siphon system resources. The miner has been bundled with pirated copies of Virtual Studio Technology (VST) for Windows and macOS.[1]

ID: S0451
Type: MALWARE
Platforms: macOS, Windows
Version: 1.3
Created: 18 May 2020
Last Modified: 22 March 2023

Techniques Used

Domain ID Name Use
Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

LoudMiner used a batch script to run the Linux virtual machine as a service.[1]

.004 Command and Scripting Interpreter: Unix Shell

LoudMiner used shell scripts to launch various services and to start/stop the QEMU virtualization.[1]

Enterprise T1543 .003 Create or Modify System Process: Windows Service

LoudMiner can automatically launch a Linux virtual machine as a service at startup if the AutoStart option is enabled in the VBoxVmService configuration file.[1]

.004 Create or Modify System Process: Launch Daemon

LoudMiner adds plist files with the naming format com.[random_name].plist in the /Library/LaunchDaemons folder with the RunAtLoad and KeepAlive keys set to true.[1]

Enterprise T1189 Drive-by Compromise

LoudMiner is typically bundled with pirated copies of Virtual Studio Technology (VST) for Windows and macOS.[1]

Enterprise T1564 .001 Hide Artifacts: Hidden Files and Directories

LoudMiner has set the attributes of the VirtualBox directory and VBoxVmService parent directory to "hidden".[1]

.006 Hide Artifacts: Run Virtual Instance

LoudMiner has used QEMU and VirtualBox to run a Tiny Core Linux virtual machine, which runs XMRig and makes connections to the C2 server for updates.[1]

Enterprise T1070 .004 Indicator Removal: File Deletion

LoudMiner deleted installation files after completion.[1]

Enterprise T1105 Ingress Tool Transfer

LoudMiner used SCP to update the miner from the C2.[1]

Enterprise T1027 Obfuscated Files or Information

LoudMiner has encrypted DMG files.[1]

.010 Command Obfuscation

LoudMiner has obfuscated various scripts.[1]

Enterprise T1057 Process Discovery

LoudMiner used the ps command to monitor the running processes on the system.[1]

Enterprise T1496 Resource Hijacking

LoudMiner harvested system resources to mine cryptocurrency, using XMRig to mine Monero.[1]

Enterprise T1218 .007 System Binary Proxy Execution: Msiexec

LoudMiner used an MSI installer to install the virtualization software.[1]

Enterprise T1082 System Information Discovery

LoudMiner has monitored CPU usage.[1]

Enterprise T1016 System Network Configuration Discovery

LoudMiner used a script to gather the IP address of the infected machine before sending to the C2.[1]

Enterprise T1569 .001 System Services: Launchctl

LoudMiner launched the QEMU services in the /Library/LaunchDaemons/ folder using launchctl. It also uses launchctl to unload all Launch Daemons when updating to a newer version of LoudMiner.[1]

.002 System Services: Service Execution

LoudMiner started the cryptomining virtual machine as a service on the infected machine.[1]

References