Resource Hijacking

Adversaries may leverage the resources of co-opted systems in order to solve resource intensive problems which may impact system and/or hosted service availability.

One common purpose for Resource Hijacking is to validate transactions of cryptocurrency networks and earn virtual currency. Adversaries may consume enough system resources to negatively impact and/or cause affected machines to become unresponsive.[1] Servers and cloud-based[2] systems are common targets because of the high potential for available resources, but user endpoint systems may also be compromised and used for Resource Hijacking and cryptocurrency mining.

ID: T1496
Sub-techniques:  No sub-techniques
Tactic: Impact
Platforms: AWS, Azure, GCP, Linux, Windows, macOS
Permissions Required: Administrator, User
Data Sources: AWS CloudTrail logs, Azure activity logs, Network device logs, Network protocol analysis, Process monitoring, Process use of network, Stackdriver logs
Impact Type: Availability
Version: 1.1
Created: 17 April 2019
Last Modified: 14 July 2020

Procedure Examples

Name Description
APT41

APT41 deployed a Monero cryptocurrency mining tool in a victim’s environment.[3]

Blue Mockingbird

Blue Mockingbird has used XMRIG to mine cryptocurrency on victim systems.[4]

Bonadan

Bonadan can download an additional module which has a cryptocurrency mining extension.[5]

CookieMiner

CookieMiner has loaded coinmining software onto systems to mine for Koto cryptocurrency. [6]

Imminent Monitor

Imminent Monitor has the capability to run a cryptocurrency miner on the victim machine.[7]

Lazarus Group

Lazarus Group has subset groups like Bluenoroff who have used cryptocurrency mining software on victim machines.[1]

LoudMiner

LoudMiner harvested system resources to mine cryptocurrency, using XMRig to mine Monero.[8]

Rocke

Rocke has distributed cryptomining malware.[9][10]

Skidmap

Skidmap is a kernel-mode rootkit used for cryptocurrency mining.[11]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

Consider monitoring process resource usage to determine anomalous activity associated with malicious hijacking of computer resources such as CPU, memory, and graphics processing resources. Monitor for suspicious use of network resources associated with cryptocurrency mining software. Monitor for common cryptomining software process names and files on local systems that may indicate compromise and resource usage.

References