T1496 Resource Hijacking
Adversaries may leverage the resources of co-opted systems in order to solve resource intensive problems, which may impact system and/or hosted service availability.
One common purpose for Resource Hijacking is to validate transactions of cryptocurrency networks and earn virtual currency. Adversaries may consume enough system resources to negatively impact and/or cause affected machines to become unresponsive.[3] Servers and cloud-based systems are common targets because of the high potential for available resources, but user endpoint systems may also be compromised and used for Resource Hijacking and cryptocurrency mining.[2] Containerized environments may also be targeted due to the ease of deployment via exposed APIs and the potential for scaling mining activities by deploying or compromising multiple containers within an environment or cluster.[1][4]
Additionally, some cryptocurrency mining malware identifies and then kills off the processes of competing malware so that it is not competing for resources.[5]
Adversaries may also use malware that leverages a system's network bandwidth as part of a botnet in order to facilitate Network Denial of Service campaigns and/or to seed malicious torrents.[6]
Item | Value |
---|---|
ID | T1496 |
Sub-techniques | |
Tactics | TA0040 |
Platforms | Containers, IaaS, Linux, Windows, macOS |
Version | 1.3 |
Created | 17 April 2019 |
Last Modified | 18 April 2022 |
Procedure Examples
ID | Name | Description |
---|---|---|
G0096 | APT41 | APT41 deployed a Monero cryptocurrency mining tool in a victim's environment.[20] |
G0108 | Blue Mockingbird | Blue Mockingbird has used XMRIG to mine cryptocurrency on victim systems.[21] |
S0486 | Bonadan | Bonadan can download an additional module which has a cryptocurrency mining extension.[11] |
S0492 | CookieMiner | CookieMiner has loaded coinmining software onto systems to mine for Koto cryptocurrency.[13] |
S0601 | Hildegard | Hildegard has used xmrig to mine cryptocurrency.[1] |
S0434 | Imminent Monitor | Imminent Monitor has the capability to run a cryptocurrency miner on the victim machine.[7] |
S0599 | Kinsing | Kinsing has created and run a Bitcoin cryptocurrency miner.[8][9] |
S0451 | LoudMiner | LoudMiner harvested system resources to mine cryptocurrency, using XMRig to mine Monero.[10] |
S0532 | Lucifer | Lucifer can use system resources to mine cryptocurrency, dropping XMRig to mine Monero.[12] |
G0106 | Rocke | Rocke has distributed cryptomining malware.[15][16] |
S0468 | Skidmap | Skidmap is a kernel-mode rootkit used for cryptocurrency mining.[14] |
G0139 | TeamTNT | TeamTNT has deployed XMRig Docker images to mine cryptocurrency.[19][17] TeamTNT has also infected Docker containers and Kubernetes clusters with XMRig, and used RainbowMiner and lolMiner for mining cryptocurrency.[18] |
Detection
ID | Data Source | Data Component |
---|---|---|
DS0017 | Command | Command Execution |
DS0022 | File | File Creation |
DS0029 | Network Traffic | Network Connection Creation |
DS0009 | Process | Process Creation |
DS0013 | Sensor Health | Host Status |
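A detection sketch that correlates the data components listed above over constructed host telemetry, added here as an example and not taken from ATT&CK or any vendor. The miner names come from the procedure examples on this page; the pool-style argument patterns, the port list, the CPU threshold and the rival-miner kill pattern are assumptions, as are the hosts and records in SAMPLE.

```python
import re
from collections import defaultdict

# Miner names come from this page's procedure examples; the pool-style argument
# patterns, pool ports, CPU threshold and rival-miner kill pattern are assumptions.
MINER_NAMES = ("xmrig", "rainbowminer", "lolminer")
POOL_ARGS = re.compile(r"stratum\+tcp://|--donate-level|\s-o\s+\S+:\d+", re.I)
KILL_RIVALS = re.compile(r"\b(pkill|killall)\b.*(xmrig|rainbowminer|lolminer)", re.I)
POOL_PORTS = {3333, 5555, 7777, 14444}
CPU_PCT, CPU_MINUTES = 90, 30  # sustained load, not a brief spike


def classify(event):
    """Return the T1496 findings for one record keyed by ATT&CK data component."""
    comp = event["component"]
    text = f"{event.get('image', '')} {event.get('cmdline', '')}".lower()
    found = []
    if comp in ("Process Creation", "Command Execution"):
        hit = next((m for m in MINER_NAMES if m in text), None)
        if hit:
            found.append(f"known miner binary: {hit}")
        if POOL_ARGS.search(text):
            found.append("mining-pool style arguments")
        if KILL_RIVALS.search(text):  # miners killing competing miners (see [5])
            found.append("terminates competing miner processes")
    elif comp == "Network Connection Creation":
        if event.get("dst_port") in POOL_PORTS:
            found.append(f"outbound connection to pool-style port {event['dst_port']}")
    elif comp == "Host Status":
        if event.get("cpu_pct", 0) >= CPU_PCT and event.get("minutes", 0) >= CPU_MINUTES:
            found.append(f"CPU >= {CPU_PCT}% sustained for {event['minutes']} min")
    return found


def triage(events, min_findings=2):
    """Correlate findings per host; one weak signal alone is not enough to flag."""
    per_host = defaultdict(list)
    for ev in events:
        per_host[ev["host"]].extend(classify(ev))
    return {h: f for h, f in per_host.items() if len(f) >= min_findings}


SAMPLE = [  # constructed telemetry, not real data
    {"component": "Process Creation", "host": "web-01", "image": "/tmp/.x/sysupd",
     "cmdline": "sysupd -o pool.invalid:3333 -u WALLET --donate-level 1"},
    {"component": "Command Execution", "host": "web-01", "cmdline": "pkill -f lolminer"},
    {"component": "Network Connection Creation", "host": "web-01", "dst_port": 3333},
    {"component": "Host Status", "host": "web-01", "cpu_pct": 97, "minutes": 45},
    {"component": "Process Creation", "host": "db-02", "image": "/usr/bin/pg_dump", "cmdline": "pg_dump -f /backups/app.sql app"},
    {"component": "Host Status", "host": "db-02", "cpu_pct": 95, "minutes": 10},
    {"component": "Host Status", "host": "build-07", "cpu_pct": 95, "minutes": 120},
]
```

Running `triage(SAMPLE)` flags only web-01, where all four data components agree; build-07's long CPU run on its own is a capacity question, not a hijacking verdict, until a second signal appears.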
References
1. Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes. Retrieved April 5, 2021.
2. CloudSploit. (2019, June 8). The Danger of Unused AWS Regions. Retrieved October 8, 2019.
3. GReAT. (2017, April 3). Lazarus Under the Hood. Retrieved April 17, 2019.
4. Oliveira, A. (2019, May 30). Infected Containers Target Docker via Exposed APIs. Retrieved April 6, 2021.
5. Oliveira, A., Fiser, D. (2020, September 10). War of Linux Cryptocurrency Miners: A Battle for Resources. Retrieved April 6, 2021.
6. Hromcová, Z. (2019, July 8). Malicious campaign targets South Korean users with backdoor-laced torrents. Retrieved March 31, 2022.
7. Unit 42. (2019, December 2). Imminent Monitor – a RAT Down Under. Retrieved May 5, 2020.
8. Singer, G. (2020, April 3). Threat Alert: Kinsing Malware Attacks Targeting Container Environments. Retrieved April 1, 2021.
9. Huang, K. (2020, November 23). Zoom into Kinsing. Retrieved April 1, 2021.
10. Malik, M. (2019, June 20). LoudMiner: Cross-platform mining in cracked VST software. Retrieved May 18, 2020.
11. Dumont, R., M.Léveillé, M., Porcher, H. (2018, December 1). The Dark Side of the ForSSHe: A landscape of OpenSSH backdoors. Retrieved July 16, 2020.
12. Hsu, K. et al. (2020, June 24). Lucifer: New Cryptojacking and DDoS Hybrid Malware Exploiting High and Critical Vulnerabilities to Infect Windows Devices. Retrieved November 16, 2020.
13. Chen, Y., et al. (2019, January 31). Mac Malware Steals Cryptocurrency Exchanges' Cookies. Retrieved July 22, 2020.
14. Remillano, A., Urbanec, J. (2019, September 19). Skidmap Linux Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload. Retrieved June 4, 2020.
15. Liebenberg, D. (2018, August 30). Rocke: The Champion of Monero Miners. Retrieved May 26, 2020.
16. Xingyu, J. (2019, January 17). Malware Used by Rocke Group Evolves to Evade Detection by Cloud Security Products. Retrieved May 26, 2020.
17. Cado Security. (2020, August 16). Team TNT – The First Crypto-Mining Worm to Steal AWS Credentials. Retrieved September 22, 2021.
18. Smith, D. (2022, April 21). TeamTNT targeting AWS, Alibaba. Retrieved August 4, 2022.
19. Stroud, J. (2021, May 25). Taking TeamTNT's Docker Images Offline. Retrieved September 22, 2021.
20. Fraser, N., et al. (2019, August 7). Double Dragon: APT41, a dual espionage and cyber crime operation. Retrieved September 23, 2019.
21. Lambert, T. (2020, May 7). Introducing Blue Mockingbird. Retrieved May 26, 2020.