LoudMiner

LoudMiner is a cryptocurrency miner which uses virtualization software to siphon system resources. The miner has been bundled with pirated copies of Virtual Studio Technology (VST) for Windows and macOS.[1]

ID: S0451
Type: MALWARE
Platforms: macOS, Windows
Version: 1.1
Created: 18 May 2020
Last Modified: 01 September 2020

Techniques Used

Domain ID Name Use
Enterprise T1547 .011 Boot or Logon Autostart Execution: Plist Modification

LoudMiner used plists to execute shell scripts and maintain persistence on boot. LoudMiner also added plist files in /Library/LaunchDaemons with KeepAlive set to true, which causes launchd to restart the process whenever it stops.[1]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

LoudMiner used a batch script to run the Linux virtual machine as a service.[1]

.004 Command and Scripting Interpreter: Unix Shell

LoudMiner used shell scripts to launch various services and to start/stop the QEMU virtualization.[1]

Enterprise T1543 .004 Create or Modify System Process: Launch Daemon

LoudMiner added plist files in /Library/LaunchDaemons with RunAtLoad set to true.[1]
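The LaunchDaemon pattern described under T1547.011 and T1543.004 above (RunAtLoad and KeepAlive both true, with a shell script as the program) can be hunted for directly. The script below is an added example, not LoudMiner's code and not from the cited analysis: both plists are constructed for illustration, and the label com.example.buildtools, the script path and the directory names in them are hypothetical.

```python
"""Triage macOS launchd plists for the persistence pattern described on this page:
RunAtLoad + KeepAlive with a shell wrapper or script as the job's program.

Added example; the plist contents, labels and paths below are constructed."""
import plistlib
import re
import tempfile
from pathlib import Path

# Constructed sample modelled on the behaviour described above (hypothetical label/paths).
SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.buildtools</string>
  <key>ProgramArguments</key>
  <array><string>/bin/sh</string><string>/usr/local/share/buildtools/start.sh</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict>
</plist>
"""

# Constructed benign daemon for comparison: starts at boot but is not kept alive
# and runs a native binary rather than a shell script.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array><string>/Library/Example/updater</string><string>--check</string></array>
  <key>RunAtLoad</key><true/>
</dict>
</plist>
"""

SHELLS = {"/bin/sh", "/bin/bash", "/bin/zsh", "/usr/bin/env"}
VM_HINTS = re.compile(r"qemu|virtualbox|vbox", re.IGNORECASE)


def triage_plist(data: bytes) -> dict:
    """Return the indicators found in one launchd plist (XML or binary bytes)."""
    plist = plistlib.loads(data)
    args = list(plist.get("ProgramArguments") or [])
    if plist.get("Program"):          # alternative key for the executable
        args = [plist["Program"]] + args
    return {
        "label": plist.get("Label"),
        "run_at_load": plist.get("RunAtLoad") is True,
        # KeepAlive may be a bool or a dict of conditions; either restarts the job.
        "keep_alive": bool(plist.get("KeepAlive")),
        "shell_wrapper": bool(args) and args[0] in SHELLS,
        "script_arg": any(a.endswith(".sh") for a in args),
        "vm_reference": any(bool(VM_HINTS.search(a)) for a in args),
    }


def is_suspicious(findings: dict) -> bool:
    """Boot persistence + restart-on-kill + a shell script (or hypervisor) is the combination to hunt."""
    return findings["run_at_load"] and findings["keep_alive"] and (
        findings["shell_wrapper"] or findings["script_arg"] or findings["vm_reference"])


def scan_launch_daemons(directory="/Library/LaunchDaemons"):
    """Triage every .plist in a directory; returns a sorted list of (path, findings)."""
    results = []
    for path in sorted(Path(directory).glob("*.plist")):
        try:
            findings = triage_plist(path.read_bytes())
        except Exception as exc:       # malformed plist: record it rather than abort the scan
            findings = {"label": None, "error": str(exc)}
        results.append((str(path), findings))
    return results


def demo_scan():
    """Write the two constructed samples to a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "com.example.buildtools.plist").write_bytes(SUSPICIOUS_PLIST)
        Path(tmp, "com.example.updater.plist").write_bytes(BENIGN_PLIST)
        return [(Path(p).name, is_suspicious(f)) for p, f in scan_launch_daemons(tmp)]


if __name__ == "__main__":
    for name, flagged in demo_scan():
        print(f"{'SUSPECT' if flagged else 'ok     '} {name}")
```

On a live host, call scan_launch_daemons() with the default directory and compare the labels it reports against `launchctl list`, which is how the page says the daemons were loaded. A KeepAlive daemon whose program is /bin/sh followed by a script is worth opening even when its label imitates a legitimate product, because the restart-on-kill behaviour is exactly what a miner wants and what most vendor daemons do not need.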

.003 Create or Modify System Process: Windows Service

LoudMiner can automatically launch a Linux virtual machine as a service at startup if the AutoStart option is enabled in the VBoxVmService configuration file.[1]

Enterprise T1189 Drive-by Compromise

LoudMiner is typically bundled with pirated copies of Virtual Studio Technology (VST) for Windows and macOS.[1]

Enterprise T1564 .001 Hide Artifacts: Hidden Files and Directories

LoudMiner has set the attributes of the VirtualBox directory and VBoxVmService parent directory to "hidden".[1]

.006 Hide Artifacts: Run Virtual Instance

LoudMiner has used QEMU and VirtualBox to run a Tiny Core Linux virtual machine, which runs XMRig and makes connections to the C2 server for updates.[1]

Enterprise T1070 .004 Indicator Removal on Host: File Deletion

LoudMiner deleted installation files after completion.[1]

Enterprise T1105 Ingress Tool Transfer

LoudMiner used SCP to update the miner from the C2.[1]

Enterprise T1027 Obfuscated Files or Information

LoudMiner has obfuscated various scripts and encrypted DMG files.[1]

Enterprise T1057 Process Discovery

LoudMiner used the ps command to monitor the running processes on the system.[1]

Enterprise T1496 Resource Hijacking

LoudMiner harvested system resources to mine cryptocurrency, using XMRig to mine Monero.[1]

Enterprise T1218 .007 Signed Binary Proxy Execution: Msiexec

LoudMiner used an MSI installer to install the virtualization software.[1]

Enterprise T1082 System Information Discovery

LoudMiner has monitored CPU usage.[1]
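The hidden-VM behaviour described under T1564.006, together with the ps-based process monitoring (T1057) and CPU monitoring (T1082) above, suggests the defender-side check: look for a QEMU or VirtualBox process that launchd started rather than a user, that runs headless, and that has been pinning a core for hours. The script below is an added example, not LoudMiner's code or anything from the cited analysis. The ps output it parses is constructed, and every PID, path, image name and the "buildtools" directory in it are hypothetical.

```python
"""Triage a process listing for a hidden cryptomining VM: a QEMU or VirtualBox process
started as a service, running headless, and busy for hours.

Added example; the ps output, PIDs, paths and image names are constructed."""
import re
import shlex

# Constructed output of `ps -axo pid,ppid,pcpu,etime,args` on a macOS host.
SAMPLE_PS = """\
  PID  PPID %CPU     ELAPSED ARGS
    1     0  0.1  3-04:12:09 /sbin/launchd
  412     1  0.0  3-04:11:50 /usr/sbin/syslogd
  933     1 96.4  3-04:09:31 /usr/local/share/buildtools/qemu-system-x86_64 -nographic -m 1024 -smp 2 -hda /usr/local/share/buildtools/.image/tc.qcow2
 1204   987  2.3    01:22:08 /Applications/VirtualBox.app/Contents/MacOS/VirtualBoxVM --comment DevBox --startvm 1f2e
 2210  1777  0.0       00:04 ps -axo pid,ppid,pcpu,etime,args
"""

# Executables of the two hypervisors named on the page.
VM_BINARIES = re.compile(r"(?:^|/)(qemu-system-[\w-]+|VBoxHeadless|VirtualBoxVM)$")
# Flags whose following argument names the guest disk image or VM.
IMAGE_FLAGS = {"-hda", "-hdb", "-cdrom", "-drive", "--startvm"}


def parse_ps(text):
    """Split ps output into dicts; 'args' keeps the whole command line."""
    rows = []
    for line in text.splitlines()[1:]:          # skip the header line
        parts = line.split(None, 4)
        if len(parts) < 5:
            continue
        pid, ppid, pcpu, etime, args = parts
        rows.append({"pid": int(pid), "ppid": int(ppid),
                     "pcpu": float(pcpu), "etime": etime, "args": args})
    return rows


def etime_seconds(etime):
    """Convert a ps ELAPSED value ('[[dd-]hh:]mm:ss') to seconds."""
    days = 0
    if "-" in etime:
        d, etime = etime.split("-", 1)
        days = int(d)
    parts = [int(p) for p in etime.split(":")]
    while len(parts) < 3:
        parts.insert(0, 0)
    h, m, s = parts
    return days * 86400 + h * 3600 + m * 60 + s


def triage_processes(rows, cpu_threshold=50.0, min_uptime=3600):
    """Return every hypervisor process with the reasons it looks like a hidden miner VM.

    'suspicious' requires at least two independent indicators, so a developer's
    interactive VM with one busy guest does not trip the rule by itself."""
    hits = []
    for r in rows:
        argv = shlex.split(r["args"])
        if not argv or not VM_BINARIES.search(argv[0]):
            continue
        image = next((argv[i + 1] for i, a in enumerate(argv[:-1]) if a in IMAGE_FLAGS), None)
        reasons = []
        if r["ppid"] == 1:
            reasons.append("parent is launchd (service-started, not user-launched)")
        uptime = etime_seconds(r["etime"])
        if r["pcpu"] >= cpu_threshold and uptime >= min_uptime:
            reasons.append(f"{r['pcpu']}% CPU for {uptime // 3600}h")
        if "-nographic" in argv or "VBoxHeadless" in argv[0]:
            reasons.append("headless guest")
        # A dot-prefixed path component is a Unix-style hidden directory. Windows hides
        # directories with a file attribute, not a name, so this check is macOS/Linux only.
        if image and re.search(r"/\.[^/]", image):
            reasons.append("disk image under a hidden directory")
        hits.append({"pid": r["pid"], "binary": argv[0], "image": image,
                     "reasons": reasons, "suspicious": len(reasons) >= 2})
    return hits


if __name__ == "__main__":
    for hit in triage_processes(parse_ps(SAMPLE_PS)):
        print(f"{'SUSPECT' if hit['suspicious'] else 'ok     '} pid={hit['pid']} "
              f"{hit['binary']} image={hit['image']}")
        for reason in hit["reasons"]:
            print(f"         - {reason}")
```

Feed it the output of `ps -axo pid,ppid,pcpu,etime,args` on the host under review. The two-indicator rule is deliberate: CPU alone is noisy (a build VM will also pin a core), but a headless guest whose parent is launchd and whose image lives in a hidden directory matches the page's description and little else. On Windows, where the page says VBoxVmService runs the VM as a service, the same questions are asked of the service's process tree and the directory attributes rather than of a dot-prefixed path.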

Enterprise T1016 System Network Configuration Discovery

LoudMiner used a script to gather the IP address of the infected machine before sending to the C2.[1]

Enterprise T1569 .002 System Services: Service Execution

LoudMiner started the cryptomining virtual machine as a service on the infected machine.[1]

.001 System Services: Launchctl

LoudMiner launched the QEMU services in the /Library/LaunchDaemons/ folder using launchctl.[1]

References