Researchers Uncover Threat of ‘Unusual’ Virtual Machine Crypto Mining

Published at: June 24, 2019

Cybersecurity firm ESET has detected what it describes as an unusual and persistent cryptocurrency miner distributed for macOS and Windows since August 2018. The news was revealed in a report from ESET Research published on June 20.

According to ESET, the new malware, dubbed “LoudMiner,” uses virtualization software — VirtualBox on Windows and QEMU on macOS — to mine crypto on a Tiny Core Linux virtual machine, thus having the potential to infect computers across multiple operating systems.

The miner itself reportedly uses XMRig — open-source software used for mining the privacy-focused altcoin monero (XMR) — and a mining pool, thereby purportedly thwarting researchers’ attempts to retrace transactions.

The research revealed that for both macOS and Windows, the miner operates within pirated applications, which are bundled together with virtualization software, a Linux image and additional files.

Upon download, LoudMiner is installed before the desired software itself, but conceals itself and only becomes persistent after reboot.

ESET notes that the miner targets applications whose purposes are related to audio production, which usually run on computers with robust processing power and where high CPU consumption — in this case caused by stealth crypto mining — might not strike users as suspicious.

Moreover, the attackers purportedly exploit the fact that such applications are usually complex and large in order to conceal their virtual machine images. The researchers add:

“The decision to use virtual machines instead of a leaner solution is quite remarkable and this is not something we routinely see.”

ESET has identified three strains of the miner targeted at macOS systems, and just one for Windows thus far.

As a warning to users, the researchers state that “obviously, the best advice to be protected against this kind of threat is to not download pirated copies of commercial software.”

Nonetheless, alongside high CPU consumption, they offer several hints to help users detect that something might be awry, including trust popups from an unexpected, “additional” installer, or a new service added to the startup services list (Windows) or a new Launch Daemon (macOS).

Network connections to unusual domain names — due to scripts inside the virtual machine that contact the C&C server to update the miner’s configuration — are another giveaway, the researchers add.
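One of the hints above, a new Launch Daemon on macOS that boots a virtual machine, can be checked for mechanically. The script below is an added illustration for this article and is not code from ESET or Cointelegraph: it parses launchd plists, compares their labels against a baseline of known daemons, and flags any job whose program or arguments reference a QEMU or VirtualBox binary or a VM disk image. The sample plists, labels and paths are constructed for the demonstration (the `com.example.*` names and the `.hidden` directory are hypothetical, not indicators from the report); on a live host the input would be the files under `/Library/LaunchDaemons`.

```python
import plistlib
import re
from typing import Dict, Iterable, List

# Indicators drawn from the report: on macOS the miner boots a Tiny Core Linux VM
# with QEMU and persists as a Launch Daemon. The binary names are standard QEMU
# and VirtualBox executables; the suffixes are common VM disk-image formats.
VM_BINARY = re.compile(r"(^|/)(qemu-system-[a-z0-9_]+|qemu-img|VBoxManage|VBoxHeadless)$")
VM_IMAGE = re.compile(r"\.(qcow2|img|vdi|vmdk)(?![A-Za-z0-9])", re.IGNORECASE)


def _run_tokens(job: dict) -> List[str]:
    """Every executable path and argument string the launchd job would run."""
    tokens: List[str] = []
    if isinstance(job.get("Program"), str):
        tokens.append(job["Program"])
    args = job.get("ProgramArguments")
    if isinstance(args, list):
        tokens.extend(a for a in args if isinstance(a, str))
    return tokens


def audit_launch_daemons(plists: Dict[str, bytes], baseline_labels: Iterable[str]) -> List[dict]:
    """Flag daemons that start a VM ('high') or are merely new relative to the
    baseline ('review'). plists maps a plist path to its raw contents."""
    known = set(baseline_labels)
    findings: List[dict] = []
    for path, raw in plists.items():
        try:
            job = plistlib.loads(raw)
        except Exception as exc:  # a plist launchd cannot read is still worth a look
            findings.append({"path": path, "label": None, "severity": "review",
                             "reasons": [f"unparseable plist: {exc}"]})
            continue
        label = job.get("Label")
        tokens = _run_tokens(job)
        reasons: List[str] = []
        if any(VM_BINARY.search(t) for t in tokens):
            reasons.append("runs a virtualization binary")
        if any(VM_IMAGE.search(t) for t in tokens):
            reasons.append("references a VM disk image")
        vm_related = bool(reasons)
        if job.get("RunAtLoad") and job.get("KeepAlive"):
            reasons.append("RunAtLoad + KeepAlive (restarts on reboot and on exit)")
        if label not in known:
            reasons.append("label not in baseline")
        if vm_related:
            severity = "high"
        elif label not in known:
            severity = "review"
        else:
            continue  # known daemon with no VM indicators: nothing to report
        findings.append({"path": path, "label": label, "severity": severity, "reasons": reasons})
    return findings


# Constructed sample plists: labels and paths are hypothetical, not real IoCs.
def _plist(body: str) -> bytes:
    return ('<?xml version="1.0" encoding="UTF-8"?>\n'
            '<plist version="1.0"><dict>' + body + '</dict></plist>').encode()


BASELINE_LABELS = {"com.example.backup"}

SAMPLE_DAEMONS: Dict[str, bytes] = {
    # legitimate daemon already in the baseline
    "/Library/LaunchDaemons/com.example.backup.plist": _plist(
        "<key>Label</key><string>com.example.backup</string>"
        "<key>ProgramArguments</key><array><string>/usr/local/bin/backupd</string></array>"
        "<key>RunAtLoad</key><true/>"),
    # new daemon that boots a hidden QEMU image: the pattern the report describes
    "/Library/LaunchDaemons/com.example.audiotool.helper.plist": _plist(
        "<key>Label</key><string>com.example.audiotool.helper</string>"
        "<key>ProgramArguments</key><array>"
        "<string>/Library/Application Support/.hidden/qemu-system-x86_64</string>"
        "<string>-hda</string><string>/Library/Application Support/.hidden/tc.qcow2</string>"
        "<string>-nographic</string></array>"
        "<key>RunAtLoad</key><true/><key>KeepAlive</key><true/>"),
    # new but ordinary daemon: worth a look, not an alert
    "/Library/LaunchDaemons/com.example.newtool.plist": _plist(
        "<key>Label</key><string>com.example.newtool</string>"
        "<key>Program</key><string>/usr/local/bin/newtoold</string>"
        "<key>RunAtLoad</key><true/>"),
}

if __name__ == "__main__":
    for f in audit_launch_daemons(SAMPLE_DAEMONS, BASELINE_LABELS):
        print(f["severity"].upper(), f["path"], "; ".join(f["reasons"]))
```

The baseline is what makes the "new Launch Daemon" hint usable: capture the labels on a clean install, and re-run the audit after installing software from outside the App Store. A match on the VM indicators is reported regardless of the baseline, since a stale baseline should not hide a daemon that boots a disk image.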

Yesterday, Cointelegraph published an in-depth report analyzing various malware deployments within the crypto industry, including for stealth crypto mining.
