LoudMiner

LoudMiner is a cryptocurrency miner which uses virtualization software to siphon system resources. The miner has been bundled with pirated copies of Virtual Studio Technology (VST) for Windows and macOS.[1]

ID: S0451
Type: MALWARE
Platforms: macOS, Windows
Version: 1.4
Created: 18 May 2020
Last Modified: 11 April 2024

Techniques Used

Domain ID Name Use
Enterprise T1543 .003 Create or Modify System Process: Windows Service

LoudMiner can automatically launch a Linux virtual machine as a service at startup if the AutoStart option is enabled in the VBoxVmService configuration file.[1]

.004 Create or Modify System Process: Launch Daemon

LoudMiner adds plist files with the naming format com.[random_name].plist in the /Library/LaunchDaemons folder with the RunAtLoad and KeepAlive keys set to true.[1]
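A defender-side check for the persistence pattern just described, written as an added example (not code from the ATT&CK page or from the ESET report it cites): it scans a LaunchDaemons folder for com.[random_name].plist files that set RunAtLoad and KeepAlive and whose program line references QEMU or VirtualBox. The sample plist names and binary paths are constructed for the demo.

```python
"""Defender-side check for the LaunchDaemon persistence described above.
Added example, not from the ATT&CK page; sample plist names and paths are constructed."""
import os
import plistlib
import re
import tempfile

# Binaries of the virtualization software the page says LoudMiner relies on.
VM_MARKERS = ("qemu", "virtualbox", "vboxmanage", "vboxvmservice")
# Matches the com.[random_name].plist naming format from the page.
RANDOM_NAME_RE = re.compile(r"^com\.[^.]+\.plist$")

def plist_is_suspicious(data: dict) -> bool:
    """True when the daemon persists (RunAtLoad and KeepAlive) and launches a VM binary."""
    keep = data.get("KeepAlive")
    # KeepAlive may be a bare true or a dict of conditions; both keep the job alive.
    if not (data.get("RunAtLoad") is True and (keep is True or isinstance(keep, dict))):
        return False
    cmd = " ".join([data.get("Program", "")] + list(data.get("ProgramArguments", [])))
    return any(marker in cmd.lower() for marker in VM_MARKERS)

def scan_launch_daemons(directory: str) -> list:
    """Return the sorted names of plists in `directory` matching the pattern."""
    hits = []
    for name in os.listdir(directory):
        if not RANDOM_NAME_RE.match(name):
            continue
        try:
            with open(os.path.join(directory, name), "rb") as fh:
                data = plistlib.load(fh)
        except (plistlib.InvalidFileException, OSError):
            continue  # unreadable or not a plist: cannot match this pattern
        if isinstance(data, dict) and plist_is_suspicious(data):
            hits.append(name)
    return sorted(hits)

def demo() -> list:
    """Write a constructed LaunchDaemons folder to a temp dir and scan it."""
    tmp = tempfile.mkdtemp()
    samples = {
        "com.xrqsvu.plist": {"Label": "com.xrqsvu", "RunAtLoad": True, "KeepAlive": True,
                             "ProgramArguments": ["/usr/local/bin/qemu-system-x86_64", "-m", "1024"]},
        "com.fgmzq.plist": {"Label": "com.fgmzq", "RunAtLoad": True,
                            "ProgramArguments": ["/usr/local/bin/some-updater"]},
    }
    for fname, content in samples.items():
        with open(os.path.join(tmp, fname), "wb") as fh:
            plistlib.dump(content, fh)
    return scan_launch_daemons(tmp)
```

On a real host, point scan_launch_daemons at /Library/LaunchDaemons; demo() only exercises it against the constructed samples.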

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

LoudMiner used a batch script to run the Linux virtual machine as a service.[1]

.004 Command and Scripting Interpreter: Unix Shell

LoudMiner used shell scripts to launch various services and to start/stop the QEMU virtualization.[1]

Enterprise T1189 Drive-by Compromise

LoudMiner is typically bundled with pirated copies of Virtual Studio Technology (VST) for Windows and macOS.[1]

Enterprise T1027 .010 Obfuscated Files or Information: Command Obfuscation

LoudMiner has obfuscated various scripts.[1]

.013 Obfuscated Files or Information: Encrypted/Encoded File

LoudMiner has encrypted DMG files.[1]

Enterprise T1070 .004 Indicator Removal: File Deletion

LoudMiner deleted installation files after completion.[1]

Enterprise T1218 .007 System Binary Proxy Execution: Msiexec

LoudMiner used an MSI installer to install the virtualization software.[1]

Enterprise T1082 System Information Discovery

LoudMiner has monitored CPU usage.[1]

Enterprise T1569 .001 System Services: Launchctl

LoudMiner launched the QEMU services in the /Library/LaunchDaemons/ folder using launchctl. It also used launchctl to unload all Launch Daemons when updating to a newer version of LoudMiner.[1]

.002 System Services: Service Execution

LoudMiner started the cryptomining virtual machine as a service on the infected machine.[1]

Enterprise T1016 System Network Configuration Discovery

LoudMiner used a script to gather the IP address of the infected machine before sending it to the C2.[1]

Enterprise T1496 .001 Resource Hijacking: Compute Hijacking

LoudMiner harvested system resources to mine cryptocurrency, using XMRig to mine Monero.[1]

Enterprise T1105 Ingress Tool Transfer

LoudMiner used SCP to update the miner from the C2.[1]

Enterprise T1057 Process Discovery

LoudMiner used the ps command to monitor the running processes on the system.[1]

Enterprise T1564 .001 Hide Artifacts: Hidden Files and Directories

LoudMiner has set the attributes of the VirtualBox directory and VBoxVmService parent directory to "hidden".[1]

.006 Hide Artifacts: Run Virtual Instance

LoudMiner has used QEMU and VirtualBox to run a Tiny Core Linux virtual machine, which runs XMRig and makes connections to the C2 server for updates.[1]

References