ESET has warned of cross-platform software which is used to mine cryptocurrency.
Named LoudMiner, the malware uses virtualization software – QEMU on macOS and VirtualBox on Windows – to run a Tiny Core Linux virtual machine in which the mining takes place. LoudMiner is distributed in pirated copies of VST (Virtual Studio Technology) audio software; once an endpoint is infected, it mines cryptocurrency on the compromised machine and self-updates over SCP (Secure Copy) using an embedded username and private SSH key.
ESET researchers said that the miner itself is based on XMRig (Monero) and uses a mining pool, and therefore it is impossible to retrace potential transactions.
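As an added defender-side example (not code from ESET's report), the Python below hunts a process snapshot for headless QEMU or VirtualBox processes that were started by something other than the hypervisor's own tooling, which is the context LoudMiner's hidden VM would run in. All process records, paths and parent names are constructed assumptions, not indicators from the article.

```python
"""Hunt for headless hypervisor processes running in an unusual context.

LoudMiner hides its miner inside a Tiny Core Linux VM driven by QEMU (macOS)
or VirtualBox (Windows), so a headless VM launched by an audio application
rather than by the hypervisor's GUI or a user shell is worth a closer look.
Every record below is constructed sample data; the expected paths and
parents are assumptions for this example, not values from ESET's report.
"""
import re
from dataclasses import dataclass

# Hypervisor binaries able to run a VM with no visible window (assumed names).
HEADLESS_BINARIES = re.compile(
    r"(^|[\\/])(qemu-system-[a-z0-9_]+|VBoxHeadless(\.exe)?)$", re.I)
# Parents that normally start these binaries for a human user (assumption).
EXPECTED_PARENTS = {"VirtualBox.exe", "VirtualBox", "bash", "zsh", "sh",
                    "Terminal", "cmd.exe", "powershell.exe", "explorer.exe"}
# Directories where a legitimately installed hypervisor lives (assumption).
EXPECTED_DIRS = (r"C:\Program Files\Oracle\VirtualBox", "/usr/local/bin",
                 "/opt/homebrew/bin", "/Applications")

@dataclass
class Proc:
    pid: int
    exe: str      # full path of the executable image
    parent: str   # image name of the parent process
    cmdline: str

def findings(procs):
    """Return (pid, reason) pairs for headless hypervisors in an odd context."""
    out = []
    for p in procs:
        if not HEADLESS_BINARIES.search(p.exe):
            continue  # not a hypervisor process at all
        reasons = []
        if p.parent not in EXPECTED_PARENTS:
            reasons.append(f"parent {p.parent!r} is not a normal launcher")
        if not p.exe.startswith(EXPECTED_DIRS):
            reasons.append(f"binary outside expected install dirs: {p.exe}")
        if re.search(r"-nographic|-display\s+none", p.cmdline, re.I):
            reasons.append("VM started with no display")
        if reasons:
            out.append((p.pid, "; ".join(reasons)))
    return out

# Constructed snapshot: two benign VM runs, two that mimic a bundled miner VM.
SAMPLE = [
    Proc(401, "/usr/local/bin/qemu-system-x86_64", "zsh",
         "qemu-system-x86_64 -m 2G -hda dev.qcow2"),
    Proc(402, "/Users/alice/Library/Application Support/.cache/qemu-system-x86_64",
         "Kontakt", "qemu-system-x86_64 -nographic -hda tc.qcow2"),
    Proc(403, r"C:\Program Files\Oracle\VirtualBox\VBoxHeadless.exe",
         "VirtualBox.exe", "VBoxHeadless.exe --startvm dev"),
    Proc(404, r"C:\Users\bob\AppData\Roaming\VBox\VBoxHeadless.exe",
         "Kontakt 5.exe", "VBoxHeadless.exe --startvm tc"),
    Proc(405, "/usr/bin/python3", "zsh", "python3 app.py"),
]

if __name__ == "__main__":
    for pid, why in findings(SAMPLE):
        print(pid, why)
```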
“At the time of writing, there are 137 VST-related applications (42 for Windows and 95 for macOS) available on a single WordPress-based website with a domain registered on 24th August, 2018,” researchers said.
“The first application – Kontakt Native Instruments 5.7 for Windows – was uploaded on the same day. The size of the apps makes it impractical to analyze them all, but it seems safe to assume they are all Trojanized.”
In particular, LoudMiner targets audio applications, which are expected to demand considerable processing power and high CPU consumption and “are usually complex”, so the attackers can hide the virtual machine images among the application’s own files.
Marc-Etienne M. Léveillé, senior malware researcher at ESET, said: “These applications are typically complex and have a high CPU consumption, so users will not find this activity unusual. Using virtual machines instead of another leaner solution is quite remarkable, and is not something we have typically seen before.”