Resource Hijacking

Adversaries may leverage the resources of co-opted systems in order to solve resource intensive problems which may impact system and/or hosted service availability.

One common purpose for Resource Hijacking is to validate transactions of cryptocurrency networks and earn virtual currency. Adversaries may consume enough system resources to negatively impact and/or cause affected machines to become unresponsive.[1] Servers and cloud-based systems are common targets because of the high potential for available resources, but user endpoint systems may also be compromised and used for Resource Hijacking and cryptocurrency mining.

ID: T1496

Tactic: Impact

Platform:  Linux, macOS, Windows

Permissions Required:  User, Administrator

Data Sources:  Process use of network, Process monitoring, Network protocol analysis, Network device logs

Impact Type:  Availability

Version: 1.0

Examples

NameDescription
Lazarus Group

Lazarus Group has subset groups like Bluenoroff who have used cryptocurrency mining software on victim machines.[1]

Mitigation

Identify potentially malicious software and audit and/or block it by using whitelisting[2] tools, like AppLocker,[3][4] or Software Restriction Policies[5] where appropriate.[6]

Detection

Consider monitoring process resource usage to determine anomalous activity associated with malicious hijacking of computer resources such as CPU, memory, and graphics processing resources. Monitor for suspicious use of network resources associated with cryptocurrency mining software. Monitor for common cryptomining software process names and files on local systems that may indicate compromise and resource usage.

References