S0451 LoudMiner
LoudMiner is a cryptocurrency miner which uses virtualization software to siphon system resources. The miner has been bundled with pirated copies of Virtual Studio Technology (VST) for Windows and macOS.[1]
| Item | Value |
|---|---|
| ID | S0451 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.4 |
| Created | 18 May 2020 |
| Last Modified | 11 April 2024 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | LoudMiner used a batch script to run the Linux virtual machine as a service.[1] |
| enterprise | T1059.004 | Unix Shell | LoudMiner used shell scripts to launch various services and to start/stop the QEMU virtualization.[1] |
| enterprise | T1543 | Create or Modify System Process | - |
| enterprise | T1543.003 | Windows Service | LoudMiner can automatically launch a Linux virtual machine as a service at startup if the AutoStart option is enabled in the VBoxVmService configuration file.[1] |
| enterprise | T1543.004 | Launch Daemon | LoudMiner adds plist files with the naming format com.[random_name].plist in the /Library/LaunchDaemons folder with the RunAtLoad and KeepAlive keys set to true.[1] |
| enterprise | T1189 | Drive-by Compromise | LoudMiner is typically bundled with pirated copies of Virtual Studio Technology (VST) for Windows and macOS.[1] |
| enterprise | T1564 | Hide Artifacts | - |
| enterprise | T1564.001 | Hidden Files and Directories | LoudMiner has set the attributes of the VirtualBox directory and the VBoxVmService parent directory to "hidden".[1] |
| enterprise | T1564.006 | Run Virtual Instance | LoudMiner has used QEMU and VirtualBox to run a Tiny Core Linux virtual machine, which runs XMRig and connects to the C2 server for updates.[1] |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.004 | File Deletion | LoudMiner deleted installation files after completion.[1] |
| enterprise | T1105 | Ingress Tool Transfer | LoudMiner used SCP to update the miner from the C2.[1] |
| enterprise | T1027 | Obfuscated Files or Information | - |
| enterprise | T1027.010 | Command Obfuscation | LoudMiner has obfuscated various scripts.[1] |
| enterprise | T1027.013 | Encrypted/Encoded File | LoudMiner has encrypted DMG files.[1] |
| enterprise | T1057 | Process Discovery | LoudMiner used the ps command to monitor the running processes on the system.[1] |
| enterprise | T1496 | Resource Hijacking | - |
| enterprise | T1496.001 | Compute Hijacking | LoudMiner harvested system resources to mine cryptocurrency, using XMRig to mine Monero.[1] |
| enterprise | T1218 | System Binary Proxy Execution | - |
| enterprise | T1218.007 | Msiexec | LoudMiner used an MSI installer to install the virtualization software.[1] |
| enterprise | T1082 | System Information Discovery | LoudMiner has monitored CPU usage.[1] |
| enterprise | T1016 | System Network Configuration Discovery | LoudMiner used a script to gather the IP address of the infected machine before sending it to the C2.[1] |
| enterprise | T1569 | System Services | - |
| enterprise | T1569.001 | Launchctl | LoudMiner launched the QEMU services in the /Library/LaunchDaemons/ folder using launchctl. It also used launchctl to unload all Launch Daemons when updating to a newer version of LoudMiner.[1] |
| enterprise | T1569.002 | Service Execution | LoudMiner started the cryptomining virtual machine as a service on the infected machine.[1] |
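The Launch Daemon persistence pattern in the table (com.[random_name].plist under /Library/LaunchDaemons with RunAtLoad and KeepAlive true, launching QEMU) can be checked for on a macOS host. The following is an added detection example, not code from ATT&CK or the cited report; the sample plists and the random-label heuristic (few vowels in a short label segment) are constructed assumptions.

```python
import plistlib
import re

# Constructed sample LaunchDaemon plists (not real samples), one benign and one
# shaped like the persistence pattern: com.<random>.plist, RunAtLoad + KeepAlive, QEMU.
SAMPLE_LAUNCH_DAEMONS = {
    "com.apple.locate.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.locate</string>
  <key>ProgramArguments</key><array><string>/usr/libexec/locate.updatedb</string></array>
  <key>RunAtLoad</key><false/>
</dict></plist>""",
    "com.qtzvbk.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.qtzvbk</string>
  <key>ProgramArguments</key><array>
    <string>/Library/Application Support/.qemu/qemu-system-x86_64</string>
    <string>-drive</string><string>file=/Library/Application Support/.qemu/tc.qcow2</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>""",
}

# Assumed heuristic: a single short label segment with few vowels looks machine-generated.
RANDOM_LABEL = re.compile(r"^com\.([a-z0-9]{5,12})\.plist$")


def looks_random(segment: str) -> bool:
    vowels = sum(ch in "aeiou" for ch in segment)
    return vowels / len(segment) < 0.25


def assess_plist(filename: str, data: bytes) -> list:
    """Return the indicators this LaunchDaemon shares with the LoudMiner pattern."""
    p = plistlib.loads(data)
    reasons = []
    # KeepAlive may also be a dict of conditions in real plists; only the bare true form is flagged here.
    if p.get("RunAtLoad") is True and p.get("KeepAlive") is True:
        reasons.append("RunAtLoad and KeepAlive both true")
    args = list(p.get("ProgramArguments", [])) + [p.get("Program", "")]
    if any("qemu" in a.lower() for a in args):
        reasons.append("ProgramArguments reference QEMU")
    m = RANDOM_LABEL.match(filename)
    if m and looks_random(m.group(1)):
        reasons.append("random-looking com.<name>.plist filename")
    return reasons


def find_suspicious(daemons: dict) -> dict:
    """Map filename -> reasons for every plist matching at least two indicators."""
    hits = {}
    for name, data in daemons.items():
        reasons = assess_plist(name, data)
        if len(reasons) >= 2:
            hits[name] = reasons
    return hits
```

On a live host, feed the function the contents of each file in /Library/LaunchDaemons instead of the constructed dictionary; requiring two indicators keeps a single RunAtLoad/KeepAlive daemon from being flagged on its own.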