Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.

LoudMiner

LoudMiner is a cryptocurrency miner which uses virtualization software to siphon system resources. The miner has been bundled with pirated copies of Virtual Studio Technology (VST) for Windows and macOS.(Citation: ESET LoudMiner June 2019)
ID: S0451
Type: MALWARE
Platforms: Windows
Version: 1.4
Created: 18 May 2020
Last Modified: 11 Apr 2024

Techniques Used

Domain ID Name Use
Enterprise T1547 .011 Boot or Logon Autostart Execution: Plist Modification

LoudMiner used plists to execute shell scripts and maintain persistence on boot. LoudMiner also added plist files in /Library/LaunchDaemons with KeepAlive set to true, which would restart the process if stopped.(Citation: ESET LoudMiner June 2019)

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

LoudMiner used a batch script to run the Linux virtual machine as a service.(Citation: ESET LoudMiner June 2019)

.004 Command and Scripting Interpreter: Unix Shell

LoudMiner used shell scripts to launch various services and to start/stop the QEMU virtualization.(Citation: ESET LoudMiner June 2019)

Enterprise T1543 .003 Create or Modify System Process: Windows Service

LoudMiner can automatically launch a Linux virtual machine as a service at startup if the AutoStart option is enabled in the VBoxVmService configuration file.(Citation: ESET LoudMiner June 2019)

.004 Create or Modify System Process: Launch Daemon

LoudMiner adds plist files with the naming format com.[random_name].plist in the /Library/LaunchDaemons folder with the RunAtLoad and KeepAlive keys set to true.(Citation: ESET LoudMiner June 2019)

Enterprise T1564 .001 Hide Artifacts: Hidden Files and Directories

LoudMiner has set the attributes of the VirtualBox directory and VBoxVmService parent directory to "hidden".(Citation: ESET LoudMiner June 2019)

.006 Hide Artifacts: Run Virtual Instance

LoudMiner has used QEMU and VirtualBox to run a Tiny Core Linux virtual machine, which runs XMRig and makes connections to the C2 server for updates.(Citation: ESET LoudMiner June 2019)

Enterprise T1070 .004 Indicator Removal: File Deletion

LoudMiner deleted installation files after completion.(Citation: ESET LoudMiner June 2019)

Enterprise T1027 .010 Obfuscated Files or Information: Command Obfuscation

LoudMiner has obfuscated various scripts.(Citation: ESET LoudMiner June 2019)

.013 Obfuscated Files or Information: Encrypted/Encoded File

LoudMiner has encrypted DMG files.(Citation: ESET LoudMiner June 2019)

Enterprise T1496 .001 Resource Hijacking: Compute Hijacking

LoudMiner harvested system resources to mine cryptocurrency, using XMRig to mine Monero.(Citation: ESET LoudMiner June 2019)

Enterprise T1218 .007 System Binary Proxy Execution: Msiexec

LoudMiner used an MSI installer to install the virtualization software.(Citation: ESET LoudMiner June 2019)

Enterprise T1569 .001 System Services: Launchctl

LoudMiner launched the QEMU services in the /Library/LaunchDaemons/ folder using launchctl. It also uses launchctl to unload all Launch Daemons when updating to a newer version of LoudMiner.(Citation: ESET LoudMiner June 2019)

.002 System Services: Service Execution

LoudMiner started the cryptomining virtual machine as a service on the infected machine.(Citation: ESET LoudMiner June 2019)

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.