A cross-platform malware that uses infected machines to mine cryptocurrency, in this case Monero. The malware targets both macOS and Windows machines and is distributed together with a lightweight Linux image; in the macOS case a QEMU image is used. As a result, the malicious program is over 100 MB, and it is disguised as audio production software such as “Virtual DJ 8 Pro Infinity”.

Source: ESET

The malware is distributed with VST (“Virtual Studio Technology”) software, which contains the sounds, effects and editors that your MIDI controllers use to create music.

Both the macOS and Windows versions of the malware share similar characteristics:

  1. An application is bundled with virtualization software, a Linux image and additional files used to achieve persistence.
  2. User downloads the application and follows attached instructions on how to install it.
  3. LoudMiner is installed first, the actual VST software after.
  4. LoudMiner hides itself and becomes persistent on reboot.
  5. The Linux virtual machine is launched and the mining starts.
  6. Scripts inside the virtual machine can contact the C&C server to update the miner (configuration and binaries).

Source: ESET

The macOS version of LoudMiner has several main components:

  1. A QEMU Linux image.
  2. Shell scripts used to launch the QEMU image.
  3. Daemons used to start the shell scripts at boot and keep them running.
  4. A CPU monitor shell script that monitors CPU usage and can start or stop the mining based on it.

Source: ESET
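The persistence chain described above (a launchd daemon keeps a shell script alive, and that script launches the QEMU image) is something a defender can hunt for on a Mac. The following script is an added illustration, not code from ESET or from LoudMiner: it walks a directory of launchd plists, keeps the ones marked `RunAtLoad` or `KeepAlive`, and flags any whose referenced program or script mentions a `qemu-system` binary. It assumes plain XML (not binary) plists; the directory to scan is a parameter, and the plist and script names in the sample set are constructed so the hunt can run offline.

```shell
#!/bin/sh
# Added example, not ESET's or LoudMiner's code. Hunts launchd persistence entries
# that keep a script alive which in turn starts a QEMU virtual machine.
# Assumes XML plists (run `plutil -convert xml1` first for binary ones).

# Print every value held in a <string> element of the plist, one per line.
plist_strings() {
    grep -o '<string>[^<]*</string>' "$1" | sed 's/<string>//; s/<\/string>//'
}

# Return 0 (match) when the plist is persistent and either it or any file it
# references mentions a qemu-system binary; return 1 otherwise.
check_plist() {
    plist="$1"
    persistent=0
    grep -qE '<key>(RunAtLoad|KeepAlive)</key>' "$plist" && persistent=1
    [ "$persistent" -eq 1 ] || return 1
    grep -qi 'qemu-system' "$plist" && return 0
    # Follow each referenced path; the subshell prints "hit" on the first match.
    hit=$(plist_strings "$plist" | while IFS= read -r p; do
        if [ -f "$p" ] && grep -qi 'qemu-system' "$p"; then echo hit; break; fi
    done)
    [ "$hit" = hit ]
}

# Print the path of every suspicious plist found in the given directory.
scan_launchd() {
    for plist in "$1"/*.plist; do
        [ -f "$plist" ] || continue
        check_plist "$plist" && printf '%s\n' "$plist"
    done
    return 0
}

# Build a constructed sample: one benign daemon and one that keeps a VM-launching
# script alive. Prints the directory so a caller can scan it.
make_sample() {
    d=$(mktemp -d)
    printf '%s\n' '#!/bin/sh' 'exec qemu-system-x86_64 -m 2048 -drive file=image.qcow2' > "$d/run.sh"
    cat > "$d/com.example.suspect.plist" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.suspect</string>
  <key>ProgramArguments</key><array><string>/bin/sh</string><string>$d/run.sh</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>
EOF
    cat > "$d/com.example.benign.plist" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.benign</string>
  <key>ProgramArguments</key><array><string>/usr/bin/true</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>
EOF
    printf '%s\n' "$d"
}

# Scan the standard launchd locations (prints nothing where they do not exist).
for dir in /Library/LaunchDaemons /Library/LaunchAgents "$HOME/Library/LaunchAgents"; do
    scan_launchd "$dir"
done
```

Running it on a real host prints the plists worth a closer look; on the constructed sample only `com.example.suspect.plist` is reported, because the benign entry is persistent but references nothing that starts QEMU. A QEMU binary on a machine with no reason to run virtual machines is the signal worth triaging, together with any launchd job whose script keeps restarting it.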