Resource Hijacking: Compute Hijacking

Adversaries may leverage the compute resources of co-opted systems to complete resource-intensive tasks, which may impact system and/or hosted service availability.

One common purpose for Compute Hijacking is to validate transactions of cryptocurrency networks and earn virtual currency. Adversaries may consume enough system resources to negatively impact and/or cause affected machines to become unresponsive.[1] Servers and cloud-based systems are common targets because of the high potential for available resources, but user endpoint systems may also be compromised and used for Compute Hijacking and cryptocurrency mining.[2] Containerized environments may also be targeted due to the ease of deployment via exposed APIs and the potential for scaling mining activities by deploying or compromising multiple containers within an environment or cluster.[3][4]

Additionally, some cryptocurrency mining malware identify then kill off processes for competing malware to ensure it’s not competing for resources.[5]

ID: T1496.001
Sub-technique of:  T1496
Tactic: Impact
Platforms: Containers, IaaS, Linux, Windows, macOS
Impact Type: Availability
Version: 1.0
Created: 25 September 2024
Last Modified: 13 October 2024

Procedure Examples

ID Name Description
G0096 APT41

APT41 deployed a Monero cryptocurrency mining tool in a victim’s environment.[6][7]

G0108 Blue Mockingbird

Blue Mockingbird has used XMRIG to mine cryptocurrency on victim systems.[8]

S0486 Bonadan

Bonadan can download an additional module which has a cryptocurrency mining extension.[9]

S0492 CookieMiner

CookieMiner has loaded coinmining software onto systems to mine for Koto cryptocurrency. [10]

S1111 DarkGate

DarkGate can deploy follow-on cryptocurrency mining payloads.[11]

S0601 Hildegard

Hildegard has used xmrig to mine cryptocurrency.[3]

S0434 Imminent Monitor

Imminent Monitor has the capability to run a cryptocurrency miner on the victim machine.[12]

S0599 Kinsing

Kinsing has created and run a Bitcoin cryptocurrency miner.[13][14]

S0451 LoudMiner

LoudMiner harvested system resources to mine cryptocurrency, using XMRig to mine Monero.[15]

S0532 Lucifer

Lucifer can use system resources to mine cryptocurrency, dropping XMRig to mine Monero.[16]

G0106 Rocke

Rocke has distributed cryptomining malware.[17][18]

S0468 Skidmap

Skidmap is a kernel-mode rootkit used for cryptocurrency mining.[19]

G0139 TeamTNT

TeamTNT has deployed XMRig Docker images to mine cryptocurrency.[20][21] TeamTNT has also infected Docker containers and Kubernetes clusters with XMRig, and used RainbowMiner and lolMiner for mining cryptocurrency.[22]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

ID Data Source Data Component Detects
DS0017 Command Command Execution

Monitor executed commands and arguments that may indicate common cryptomining functionality.

DS0022 File File Creation

Monitor for common cryptomining files on local systems that may indicate compromise and resource usage.

DS0029 Network Traffic Network Connection Creation

Monitor for newly constructed network connections that are sent or received by untrusted hosts. Look for connections to/from strange ports, as well as reputation of IPs and URLs related to cryptocurrency hosts. In AWS environments, configure GuardDuty to alert when EC2 instances query IP addresses associated with known cryptocurrency activity.[23]

Network Traffic Content

Monitor network traffic content for resources of co-opted systems to complete resource-intensive tasks, which may impact system and/or hosted service availability.

Network Traffic Flow

Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.

DS0009 Process Process Creation

Monitor for common cryptomining software process names that may indicate compromise and resource usage.

DS0013 Sensor Health Host Status

Consider monitoring process resource usage to determine anomalous activity associated with malicious hijacking of computer resources such as CPU, memory, and graphics processing resources.

References