Home / Linux / Linux Cryptominer Uses Virtual Machines to Attack Windows, macOS

Linux Cryptominer Uses Virtual Machines to Attack Windows, macOS

Linux Cryptominer Uses Virtualization Software to Target Windows, macOS

A new cryptocurrency mining malware dubbed LoudMiner uses virtualization software to deploy a Linux XMRig coinminer variant on Windows and macOS systems via a Tiny Core Linux virtual machine.

The malware comes bundled within cracked copies Windows and macOS VST software such as Propellerhead Reason, Ableton Live, Sylenth1, Nexus, Reaktor, and AutoTune.

LoudMiner is distributed via an attacker-controlled website which currently links to 137 VST-related apps, 42 of them for Windows and 95 for the macOS platform, all of them frequently updated and hosted on 29 servers, as discovered by ESET Research’s detection engineer Michal Malik.

LoudMiner targets victims with powerful systems

The threat actors seemingly target audio production systems known for having high-end hardware and for being under constant load while processing audio content, a good way to conceal a surreptitious Monero cryptomining operation.

While the Tiny Core Linux virtual machine and the coinminer can easily be well over 100 MB in size when uncompressed, the malware’s developers don’t really have a reason to find a way to shrink them given that VST hosts are known to be quite large.

This makes it possible to hide the malware “in plain sight,” with the victims deploying LoudMiner on their own systems by installing the pirated VST host software that comes “bundled with virtualization software, a Linux image and additional files used to achieve persistence.”

VirtualBox driver trust popup
VirtualBox driver trust popup while installing cracked VST apps

During the installation process, LoudMiner is the first to be dropped on the now compromised computer together with various scripts and the virtualization software needed to run the Linux coinminer VM — QEMU for macOS and VirtulBox for Windows — with the VST software being installed afterward.

“While analyzing the different applications, we’ve identified four versions of the miner, mostly based on how it’s bundled with the actual software, the C&C server domain, and something we believe is a version string created by the author,” says Malik.

Infecting Windows and macOS computers

On macOS, LoudMiner will add “plist files in /Library/LaunchDaemons with RunAtLoad set to true” for persistence, with the KeepAlive option also set to true, ensuring the malicious process will be restarted if stopped.

These plists will automatically launch a number of shell scripts designed to launch the virtual machines on boot and load two instances of the coinminer infested images.

On Windows machines, the malware uses a batch script to launch the coinminer’s Linux image as a service to make sure that it will be relaunched after restarts. 

“The Linux image is Tiny Core Linux 9.0 configured to run XMRig, as well as some files and scripts to keep the miner updated continuously,” as explained by Malik, with the updates being performed via three scripts which communicate with LoudMiner’s command-and-control (C2) server via SCP (Secure File Copy).

VM launched as a service on Windows
VM launched as a service on Windows

On infected Macs, the malware also uses a “CPU monitor shell script with an accompanying daemon that can start/stop the mining based on CPU usage and whether the Activity Monitor process is running,” according to Malik.

“The CPU monitor script can start and stop the mining by loading and unloading the daemon. If the Activity Monitor process is running, the mining stops.”

More details on the four LoudMiner variants discovered, a full list of Indicators of Compromise (IoCs), as well as more info on the used MITRE ATT&CK techniques can be found within ESET Research’s in-depth malware analysis.

Hardware config for the Linux VM
Hardware config for the Linux VM

While LoudMiner’s usage of virtualization for targeting multiple platforms is quite exotic, it’s definitely not a new idea, with researchers presenting a malware strain using VMs as part of its infection process in a paper from 2006.

The paper in questions is “SubVirt: implementing malware with virtual machines” paper published by researchers from Microsoft Research and the University of Michigan and it is available here, in PDF format.

The research showcases a virtual-machine-based rootkit (VMBR) that “installs a virtual-machine monitor underneath an existing operating system and hoists the original operating system into a virtual machine.”

>> Source Link


Check Also

Deal: Get a Samsung Galaxy S10e for just $399.99

If you weren’t the lucky winner of our Samsung Galaxy S10e giveaway yesterday, we can …