LoudMiner
Techniques Used |
||||
Domain | ID | Name | Use | |
---|---|---|---|---|
Enterprise | T1547 | .011 | Boot or Logon Autostart Execution: Plist Modification |
LoudMiner used plists to execute shell scripts and maintain persistence on boot. LoudMiner also added plist files in |
Enterprise | T1059 | .003 | Command and Scripting Interpreter: Windows Command Shell |
LoudMiner used a batch script to run the Linux virtual machine as a service.(Citation: ESET LoudMiner June 2019) |
.004 | Command and Scripting Interpreter: Unix Shell |
LoudMiner used shell scripts to launch various services and to start/stop the QEMU virtualization.(Citation: ESET LoudMiner June 2019) |
||
Enterprise | T1543 | .003 | Create or Modify System Process: Windows Service |
LoudMiner can automatically launch a Linux virtual machine as a service at startup if the AutoStart option is enabled in the VBoxVmService configuration file.(Citation: ESET LoudMiner June 2019) |
.004 | Create or Modify System Process: Launch Daemon |
LoudMiner adds plist files with the naming format |
||
Enterprise | T1564 | .001 | Hide Artifacts: Hidden Files and Directories |
LoudMiner has set the attributes of the VirtualBox directory and VBoxVmService parent directory to "hidden".(Citation: ESET LoudMiner June 2019) |
.006 | Hide Artifacts: Run Virtual Instance |
LoudMiner has used QEMU and VirtualBox to run a Tiny Core Linux virtual machine, which runs XMRig and makes connections to the C2 server for updates.(Citation: ESET LoudMiner June 2019) |
||
Enterprise | T1070 | .004 | Indicator Removal: File Deletion |
LoudMiner deleted installation files after completion.(Citation: ESET LoudMiner June 2019) |
Enterprise | T1027 | .010 | Obfuscated Files or Information: Command Obfuscation |
LoudMiner has obfuscated various scripts.(Citation: ESET LoudMiner June 2019) |
.013 | Obfuscated Files or Information: Encrypted/Encoded File |
LoudMiner has encrypted DMG files.(Citation: ESET LoudMiner June 2019) |
||
Enterprise | T1496 | .001 | Resource Hijacking: Compute Hijacking |
LoudMiner harvested system resources to mine cryptocurrency, using XMRig to mine Monero.(Citation: ESET LoudMiner June 2019) |
Enterprise | T1218 | .007 | System Binary Proxy Execution: Msiexec |
LoudMiner used an MSI installer to install the virtualization software.(Citation: ESET LoudMiner June 2019) |
Enterprise | T1569 | .001 | System Services: Launchctl |
LoudMiner launched the QEMU services in the |
.002 | System Services: Service Execution |
LoudMiner started the cryptomining virtual machine as a service on the infected machine.(Citation: ESET LoudMiner June 2019) |
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.