A Tiny Core Linux 9.0 image configured to run XMRig runs on a VM, rather than victim machines hosting the malware locally.
An unusual cryptocurrency miner, dubbed LoudMiner, is spreading via pirated copies of Virtual Studio Technology. It uses virtualization software to mine Monero on a Tiny Core Linux virtual machine – a unique approach, according to researchers.
Virtual Studio Technology (VST) is an audio plug-in software interface that integrates software synthesizers and effects in digital audio workstations. The idea is to simulate traditional recording studio functions. ESET analysts recently uncovered a WordPress-based website hawking trojanized packages that incorporate the popular software, including Propellerhead Reason, Ableton Live, Reaktor 6, AutoTune and others. In all, there are 137 VST-related applications (42 for Windows and 95 for macOS) available for download on the site.
Upon downloading, an unwitting audiophile’s computer would be infected with LoudMiner, which consists of the VST application bundled with virtualization software, a Linux image and additional files used to achieve persistence. It uses the XMRig cryptominer hosted on a virtual machine. So far, three Mac versions and one Windows variant of the malware have been uncovered.
“Regarding the nature of the applications targeted, it is interesting to observe that their purpose is related to audio production,” wrote Michal Malik, researcher at ESET, in a posting on Thursday. “Thus, the machines that they are installed on should have good processing power and high CPU consumption will not surprise the users.”
Because the victim would also get a functioning version of the application that they expected, the attackers gain some air cover.
“These applications are usually complex, so it is not unexpected for them to be huge files,” Malik explained. “The attackers use this to their advantage to camouflage their virtual machine (VM) images.”
Despite the efforts at camouflage, victims quickly become aware that something’s amiss, thanks to system slowdowns, according to forum postings.
“Unfortunately, had to reinstall OSX, the problem was that Ableton Live 10, which I have downloaded it from a torrent site and not from the official site, installs a miner too, running at the background causing this,” said a user named “Macloni.”
“The same user attached screenshots of the Activity Monitor indicating 2 processes – qemu-system-x86_64 and tools-service – taking 25 percent of CPU resources and running as root,” said Malik, adding that some users found a full 100 percent of their CPU capacity hijacked.
Using a Virtual Machine
LoudMiner uses QEMU on macOS and VirtualBox on Windows to connect to a Linux image running on a VM – more specifically, it’s a Tiny Core Linux 9.0 image configured to run XMRig. The victim’s machine is added to a mining pool that the Linux image uses for CPU power.
Malik noted that the decision by the malware authors to use VMs for performing the mining instead of hosting it locally on the victim’s computer is “quite remarkable and this is not something we routinely see” – although it’s not unheard of for legitimate miners to deploy the strategy to save money.
“User downloads the application and follows attached instructions on how to install it. LoudMiner is installed first, the actual VST software after,” he explained. “LoudMiner hides itself and becomes persistent on reboot. The Linux virtual machine is launched and the mining starts. Scripts inside the virtual machine can contact the C2 server to update the miner.”
He said that in order to identify a particular mining session, a file containing the IP address of the machine and the day’s date is created by the “idgenerator” script and its output is sent to the C2 server by the “updater.sh script.”
Because LoudMiner uses a mining pool, it’s impossible to retrace potential transactions to find out how successful the adversaries have been thus far, he added.
To avoid the threat, age-old advice applies: Don’t download pirated copies of commercial software. Malik also offered some hints to identify when an application contains unwanted code. Red flags include a trust popup from an unexpected, “additional” installer; high CPU consumption by a process one did not install (QEMU or VirtualBox in this case); a new service added to the startup services list; and network connections to curious domain names (such as system-update[.]info or system-check[.]services).
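The red flags above can be turned into a quick triage check. The following is an added example written for this article, not code from ESET or from the report; it assumes process listings in `ps -axo user,pcpu,comm` format, and the 20 percent CPU threshold is an arbitrary assumption to tune for the host.

```python
# Indicators taken from the article: the hypervisor / helper processes the
# infected user saw in Activity Monitor, and the domain names named as red flags.
LOUDMINER_PROCS = {"qemu-system-x86_64", "tools-service", "VBoxHeadless", "VirtualBoxVM"}
SUSPICIOUS_DOMAINS = {"system-update.info", "system-check.services"}
CPU_THRESHOLD = 20.0  # percent; assumed value, adjust for the machine being checked


def parse_ps(lines):
    """Parse `ps -axo user,pcpu,comm` style output into (user, cpu, command) tuples."""
    rows = []
    for line in lines:
        parts = line.split(None, 2)  # command may itself contain spaces
        if len(parts) != 3 or parts[0] == "USER":
            continue
        try:
            cpu = float(parts[1])
        except ValueError:
            continue
        rows.append((parts[0], cpu, parts[2].strip()))
    return rows


def flag_processes(ps_lines):
    """Report hypervisor/helper processes that burn CPU; note whether they run as root."""
    findings = []
    for user, cpu, cmd in parse_ps(ps_lines):
        name = cmd.rsplit("/", 1)[-1]  # strip the path, keep the binary name
        if name in LOUDMINER_PROCS and cpu >= CPU_THRESHOLD:
            findings.append({"process": name, "user": user, "cpu": cpu, "root": user == "root"})
    return findings


def flag_domains(hostnames):
    """Return contacted hostnames matching the report's domains; accepts defanged input."""
    hits = []
    for host in hostnames:
        clean = host.replace("[.]", ".").lower().rstrip(".")
        if clean in SUSPICIOUS_DOMAINS:
            hits.append(clean)
    return hits


# Constructed sample modelled on the Activity Monitor description quoted in the article.
SAMPLE_PS = [
    "USER     %CPU COMMAND",
    "root     25.0 /usr/local/bin/qemu-system-x86_64",
    "root     24.5 /Library/Application Support/tools-service",
    "macloni   3.1 /Applications/Ableton Live 10 Suite.app/Contents/MacOS/Live",
    "macloni   0.4 /usr/bin/ssh",
]

if __name__ == "__main__":
    print(flag_processes(SAMPLE_PS))
    print(flag_domains(["system-update[.]info", "apple.com"]))
```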