A cross-platform malware that uses infected machines to mine cryptocurrency, in this case Monero. The malware targets both macOS and Windows machines and is distributed with a lightweight Linux image; in the macOS case it is a QEMU image that is used to , and as a result the malicious program is over 100 MB and disguises itself as audio production software such as “Virtual DJ 8 Pro Infinity”.

Source: ESET


The malware uses VST (“Virtual Studio Technology”) software, which is software that contains the sounds, effects and editors that your MIDI controllers use to create music.

Both the macOS and Windows versions of the malware have similar characteristics:

  1. An application is bundled with virtualization software, a Linux image and additional files used to achieve persistence.
  2. User downloads the application and follows attached instructions on how to install it.
  3. LoudMiner is installed first, the actual VST software after.
  4. LoudMiner hides itself and becomes persistent on reboot.
  5. The Linux virtual machine is launched and the mining starts.
  6. Scripts inside the virtual machine can contact the C&C server to update the miner (configuration and binaries).

Source: ESET


LoudMiner macOS version has several main components:

  1. QEMU Linux image
  2. Shell scripts used to launch the QEMU images.
  3. Daemons used to start the shell scripts at boot and keep them running.
  4. A CPU monitor shell script that monitors CPU usage and can start/stop the mining based on it.
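Added example, not ESET's code or anything taken from the samples: a small Python hunt for the persistence chain listed above, a launchd job that runs at boot and is kept alive, whose program is a shell script that launches a QEMU guest. The plist names, labels, script path and contents are all constructed.

```python
"""Flag launchd jobs that persist a program which launches a QEMU guest."""
import os
import plistlib
import re
import tempfile

QEMU_RE = re.compile(r"qemu-system-\w+")  # any qemu-system-<arch> binary


def script_invokes_qemu(path):
    """True if the launched program is a readable text file that calls qemu."""
    try:
        with open(path, "r", errors="ignore") as fh:
            return bool(QEMU_RE.search(fh.read()))
    except OSError:
        return False


def scan_launchd_dir(plist_dir):
    """Return findings for plists with RunAtLoad/KeepAlive whose program is
    qemu itself or a script that starts it (the chain ESET describes)."""
    findings = []
    for name in sorted(os.listdir(plist_dir)):
        if not name.endswith(".plist"):
            continue
        with open(os.path.join(plist_dir, name), "rb") as fh:
            try:
                job = plistlib.load(fh)
            except Exception:  # unreadable or non-plist file: skip it
                continue
        args = job.get("ProgramArguments") or [job.get("Program", "")]
        program = args[0] if args else ""
        persistent = bool(job.get("RunAtLoad")) or bool(job.get("KeepAlive"))
        hit = QEMU_RE.search(" ".join(args)) or script_invokes_qemu(program)
        if persistent and hit:
            findings.append({"plist": name, "label": job.get("Label"),
                             "program": program})
    return findings


def build_demo():
    """Constructed sample data: one benign job, one LoudMiner-style job."""
    root = tempfile.mkdtemp()
    script = os.path.join(root, "run_vm.sh")  # hypothetical launcher script
    with open(script, "w") as fh:
        fh.write("#!/bin/sh\nqemu-system-x86_64 -m 1024 -drive file=linux.img &\n")
    jobs = {"com.example.updater.plist": {"Label": "com.example.updater",
                                          "RunAtLoad": True, "KeepAlive": True,
                                          "ProgramArguments": [script]},
            "com.example.benign.plist": {"Label": "com.example.benign",
                                         "RunAtLoad": True,
                                         "ProgramArguments": ["/usr/bin/true"]}}
    for name, job in jobs.items():
        with open(os.path.join(root, name), "wb") as fh:
            plistlib.dump(job, fh)
    return root


if __name__ == "__main__":
    for finding in scan_launchd_dir(build_demo()):
        print(finding)
```

On a real host the directories to feed `scan_launchd_dir` are `/Library/LaunchDaemons`, `/Library/LaunchAgents` and each user's `~/Library/LaunchAgents`.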

Source: ESET


Links:


Samples: