Skip to content

S0451 LoudMiner

LoudMiner is a cryptocurrency miner which uses virtualization software to siphon system resources. The miner has been bundled with pirated copies of Virtual Studio Technology (VST) for Windows and macOS.1

Item Value
ID S0451
Associated Names
Version 1.3
Created 18 May 2020
Last Modified 22 March 2023
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.003 Windows Command Shell LoudMiner used a batch script to run the Linux virtual machine as a service.1
enterprise T1059.004 Unix Shell LoudMiner used shell scripts to launch various services and to start/stop the QEMU virtualization.1
enterprise T1543 Create or Modify System Process -
enterprise T1543.003 Windows Service LoudMiner can automatically launch a Linux virtual machine as a service at startup if the AutoStart option is enabled in the VBoxVmService configuration file.1
enterprise T1543.004 Launch Daemon LoudMiner adds plist files with the naming format com.[random_name].plist in the /Library/LaunchDaemons folder with the RunAtLoad and KeepAlive keys set to true.1
enterprise T1189 Drive-by Compromise LoudMiner is typically bundled with pirated copies of Virtual Studio Technology (VST) for Windows and macOS.1
enterprise T1564 Hide Artifacts -
enterprise T1564.001 Hidden Files and Directories LoudMiner has set the attributes of the VirtualBox directory and VBoxVmService parent directory to “hidden”.1
enterprise T1564.006 Run Virtual Instance LoudMiner has used QEMU and VirtualBox to run a Tiny Core Linux virtual machine, which runs XMRig and makes connections to the C2 server for updates.1
enterprise T1070 Indicator Removal -
enterprise T1070.004 File Deletion LoudMiner deleted installation files after completion.1
enterprise T1105 Ingress Tool Transfer LoudMiner used SCP to update the miner from the C2.1
enterprise T1027 Obfuscated Files or Information LoudMiner has encrypted DMG files.1
enterprise T1027.010 Command Obfuscation LoudMiner has obfuscated various scripts.1
enterprise T1057 Process Discovery LoudMiner used the ps command to monitor the running processes on the system.1
enterprise T1496 Resource Hijacking LoudMiner harvested system resources to mine cryptocurrency, using XMRig to mine Monero.1
enterprise T1218 System Binary Proxy Execution -
enterprise T1218.007 Msiexec LoudMiner used an MSI installer to install the virtualization software.1
enterprise T1082 System Information Discovery LoudMiner has monitored CPU usage.1
enterprise T1016 System Network Configuration Discovery LoudMiner used a script to gather the IP address of the infected machine before sending to the C2.1
enterprise T1569 System Services -
enterprise T1569.001 Launchctl LoudMiner launched the QEMU services in the /Library/LaunchDaemons/ folder using launchctl. It also uses launchctl to unload all Launch Daemons when updating to a newer version of LoudMiner.1
enterprise T1569.002 Service Execution LoudMiner started the cryptomining virtual machine as a service on the infected machine.1