| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | LoudMiner used a batch script to run the Linux virtual machine as a service. |
| enterprise | T1059.004 | Unix Shell | LoudMiner used shell scripts to launch various services and to start/stop the QEMU virtualization. |
| enterprise | T1543 | Create or Modify System Process | - |
| enterprise | T1543.003 | Windows Service | LoudMiner can automatically launch a Linux virtual machine as a service at startup if the AutoStart option is enabled in the VBoxVmService configuration file. |
| enterprise | T1543.004 | Launch Daemon | LoudMiner adds plist files with the naming format com.[random_name].plist in the /Library/LaunchDaemons folder with the RunAtLoad and KeepAlive keys set to true. |
| enterprise | T1189 | Drive-by Compromise | LoudMiner is typically bundled with pirated copies of Virtual Studio Technology (VST) for Windows and macOS. |
| enterprise | T1564 | Hide Artifacts | - |
| enterprise | T1564.001 | Hidden Files and Directories | LoudMiner has set the attributes of the VirtualBox directory and VBoxVmService parent directory to "hidden". |
| enterprise | T1564.006 | Run Virtual Instance | LoudMiner has used QEMU and VirtualBox to run a Tiny Core Linux virtual machine, which runs XMRig and makes connections to the C2 server for updates. |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.004 | File Deletion | LoudMiner deleted installation files after completion. |
| enterprise | T1105 | Ingress Tool Transfer | LoudMiner used SCP to update the miner from the C2. |
| enterprise | T1027 | Obfuscated Files or Information | LoudMiner has encrypted DMG files. |
| enterprise | T1027.010 | Command Obfuscation | LoudMiner has obfuscated various scripts. |
| enterprise | T1057 | Process Discovery | LoudMiner used the ps command to monitor the running processes on the system. |
| enterprise | T1496 | Resource Hijacking | LoudMiner harvested system resources to mine cryptocurrency, using XMRig to mine Monero. |
| enterprise | T1218 | System Binary Proxy Execution | - |
| enterprise | T1218.007 | Msiexec | LoudMiner used an MSI installer to install the virtualization software. |
| enterprise | T1082 | System Information Discovery | LoudMiner has monitored CPU usage. |
| enterprise | T1016 | System Network Configuration Discovery | LoudMiner used a script to gather the IP address of the infected machine before sending it to the C2. |
| enterprise | T1569 | System Services | - |
| enterprise | T1569.001 | Launchctl | LoudMiner launched the QEMU services in the /Library/LaunchDaemons/ folder using launchctl. It also uses launchctl to unload all Launch Daemons when updating to a newer version of LoudMiner. |
| enterprise | T1569.002 | Service Execution | LoudMiner started the cryptomining virtual machine as a service on the infected machine. |