Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Вход Регистрация
MITRE ATT&CK - Инструмент LoudMiner
Каталоги
MITRE ATT&CK
БДУ ФСТЭК
Новая БДУ ФСТЭК
Риски
Каталоги
MITRE ATT&CK
Инструмент
LoudMiner
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

LoudMiner

LoudMiner is a cryptocurrency miner which uses virtualization software to siphon system resources. The miner has been bundled with pirated copies of Virtual Studio Technology (VST) for Windows and macOS.(Citation: ESET LoudMiner June 2019)
ID: S0451
Type: MALWARE
Platforms: Windows
Version: 1.2
Created: 18 May 2020
Last Modified: 12 Oct 2021

Techniques Used
Domain ID Name Use
Enterprise T1547 .011 Boot or Logon Autostart Execution: Plist Modification

LoudMiner used plists to execute shell scripts and maintain persistence on boot. LoudMiner also added plist files in /Library/LaunchDaemons with KeepAlive set to true, which would restart the process if stopped.(Citation: ESET LoudMiner June 2019)
Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

LoudMiner used a batch script to run the Linux virtual machine as a service.(Citation: ESET LoudMiner June 2019)
.004 Command and Scripting Interpreter: Unix Shell

LoudMiner used shell scripts to launch various services and to start/stop the QEMU virtualization.(Citation: ESET LoudMiner June 2019)

Enterprise T1543 .003 Create or Modify System Process: Windows Service

LoudMiner can automatically launch a Linux virtual machine as a service at startup if the AutoStart option is enabled in the VBoxVmService configuration file.(Citation: ESET LoudMiner June 2019)
.004 Create or Modify System Process: Launch Daemon

LoudMiner adds plist files with the naming format com.[random_name].plist in the /Library/LaunchDaemons folder with the RunAtLoad and KeepAlive keys set to true.(Citation: ESET LoudMiner June 2019)

Enterprise T1564 .001 Hide Artifacts: Hidden Files and Directories

LoudMiner has set the attributes of the VirtualBox directory and VBoxVmService parent directory to "hidden".(Citation: ESET LoudMiner June 2019)
.006 Hide Artifacts: Run Virtual Instance

LoudMiner has used QEMU and VirtualBox to run a Tiny Core Linux virtual machine, which runs XMRig and makes connections to the C2 server for updates.(Citation: ESET LoudMiner June 2019)

Enterprise T1070 .004 Indicator Removal: File Deletion

LoudMiner deleted installation files after completion.(Citation: ESET LoudMiner June 2019)
Enterprise T1218 .007 System Binary Proxy Execution: Msiexec

LoudMiner used an MSI installer to install the virtualization software.(Citation: ESET LoudMiner June 2019)

Enterprise T1569 .001 System Services: Launchctl

LoudMiner launched the QEMU services in the /Library/LaunchDaemons/ folder using launchctl. It also uses launchctl to unload all Launch Daemons when updating to a newer version of LoudMiner.(Citation: ESET LoudMiner June 2019)

.002 System Services: Service Execution

LoudMiner started the cryptomining virtual machine as a service on the infected machine.(Citation: ESET LoudMiner June 2019)

References

  1. Malik, M. (2019, June 20). LoudMiner: Cross-platform mining in cracked VST software. Retrieved May 18, 2020.
Навигация

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.