A cross-platform malware that uses infected machines to mine cryptocurrency, in this case Monero. It targets both macOS and Windows machines and is distributed together with a lightweight Linux image that is run inside a virtual machine (a QEMU image on macOS, a VirtualBox image on Windows). As a result the malicious package is over 100MB, and it is disguised as audio production software such as “Virtual DJ 8 Pro Infinity”.
The malware is bundled with cracked VST (“Virtual Studio Technology”, not “Visual Studio”) software, i.e. plugins that contain the sounds, effects and editors that MIDI controllers use to create music. Such plugin packages are large anyway, so the extra 100MB+ of virtualization software does not look out of place to the victim.
Both the macOS and Windows variants share the same characteristics:
- An application is bundled with virtualization software, a Linux image and additional files used to achieve persistence.
- The user downloads the application and follows the attached instructions on how to install it.
- LoudMiner is installed first, then the actual VST software.
- LoudMiner hides itself and persists across reboots.
- The Linux virtual machine is launched and the mining starts.
- Scripts inside the virtual machine can contact the C&C server to update the miner (configuration and binaries).
The macOS version of LoudMiner has several main components:
- A QEMU Linux image.
- Shell scripts used to launch the QEMU image.
- launchd daemons used to start the shell scripts at boot and keep them running.
- A CPU-monitor shell script that watches CPU usage and can start or stop the mining based on it, so the miner does not pin the CPU at 100% and draw the user's attention.
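The two lists above describe a concrete, huntable shape on a macOS host: a launchd daemon with RunAtLoad and KeepAlive that runs a shell script, where the script in turn starts a headless QEMU guest. The following is an added triage helper written for this note; it is not code from the original page nor from the LoudMiner reports, and every plist label, path, script body and process line in it is a constructed sample with hypothetical names, not an indicator from the reports.

```python
"""Triage helper for LoudMiner-style persistence on macOS (added example).

Checks a launchd plist for the pattern described above (persistent daemon ->
shell script -> headless qemu-system guest) and flags qemu processes that do
not run from a user-visible app bundle. All plist contents, script bodies,
paths and process lines are constructed samples with hypothetical names.
"""
import plistlib
import re
from dataclasses import dataclass, field

QEMU_RE = re.compile(r"qemu-system-\w+")
# Flags that indicate an unattended guest with no visible window.
HEADLESS_FLAGS = ("-nographic", "-display none", "-daemonize")


@dataclass
class Finding:
    label: str
    reasons: list = field(default_factory=list)


def inspect_daemon(plist_bytes: bytes, script_lookup) -> Finding:
    """Parse one launchd plist and collect the reasons it matches the pattern.

    script_lookup(path) returns the text of the script the daemon runs, or
    None if it cannot be read; it stands in for open() so the check runs on
    constructed data.
    """
    plist = plistlib.loads(plist_bytes)
    f = Finding(plist.get("Label", "<no label>"))
    args = plist.get("ProgramArguments") or [plist.get("Program", "")]
    if plist.get("RunAtLoad") and plist.get("KeepAlive"):
        f.reasons.append("RunAtLoad+KeepAlive (starts at boot, restarted on exit)")
    script_path = next((a for a in args if a.endswith(".sh")), None)
    if script_path:
        f.reasons.append(f"runs shell script {script_path}")
        body = script_lookup(script_path) or ""
        if QEMU_RE.search(body):
            f.reasons.append("script launches qemu-system")
            if any(flag in body for flag in HEADLESS_FLAGS):
                f.reasons.append("guest runs headless")
    return f


def is_suspicious(f: Finding) -> bool:
    """Persistence + script + hidden VM launch is the LoudMiner shape."""
    return len(f.reasons) >= 3 and any("qemu" in r for r in f.reasons)


def flag_qemu_processes(ps_lines):
    """Return qemu command lines that do not run from an app bundle."""
    return [line.strip() for line in ps_lines
            if QEMU_RE.search(line) and "/Applications/" not in line]


# Constructed sample: a persistent daemon wrapping a headless QEMU launch.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.audiohelper</string>
  <key>ProgramArguments</key><array>
    <string>/bin/sh</string>
    <string>/usr/local/bin/audiohelper/launch.sh</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""

# Constructed sample: a periodic job with no script and no VM.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.backup</string>
  <key>ProgramArguments</key><array><string>/usr/local/bin/backup</string></array>
  <key>StartInterval</key><integer>3600</integer>
</dict></plist>"""

# Constructed script bodies keyed by path (hypothetical).
SAMPLE_SCRIPTS = {
    "/usr/local/bin/audiohelper/launch.sh":
        "#!/bin/sh\ncd /usr/local/bin/audiohelper\n"
        "./qemu-system-x86_64 -nographic -m 256 -hda image.qcow2 &\n",
}

# Constructed `ps -axo user,pid,command` lines (hypothetical).
SAMPLE_PS = [
    "  501  4321 /Applications/SomeVMApp.app/Contents/MacOS/qemu-system-aarch64 -m 4096",
    "    0  4388 /usr/local/bin/audiohelper/qemu-system-x86_64 -nographic -m 256 -hda image.qcow2",
    "  501  4400 /Applications/Virtual DJ.app/Contents/MacOS/Virtual DJ",
]

if __name__ == "__main__":
    for raw in (SAMPLE_PLIST, BENIGN_PLIST):
        f = inspect_daemon(raw, SAMPLE_SCRIPTS.get)
        print(f.label, "SUSPICIOUS" if is_suspicious(f) else "ok", f.reasons)
    for hit in flag_qemu_processes(SAMPLE_PS):
        print("qemu outside /Applications:", hit)
```

On a live host the same functions would be fed the files under /Library/LaunchDaemons and ~/Library/LaunchAgents (with `script_lookup` reading the referenced script) and the output of `ps -axo user,pid,command`. The bundle-path check is only a coarse filter: legitimate VM apps ship QEMU inside /Applications, whereas the pattern here is QEMU invoked from a bare directory by a keep-alive daemon.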
Sources:
- LoudMiner: Cross‑platform mining in cracked VST software
- New Mac cryptominer Malwarebytes detects as Bird Miner runs by emulating Linux