Security firm ESET has released details of a malicious cross-platform cryptocurrency miner dubbed LoudMiner.
LoudMiner uses QEMU on macOS or VirtualBox on Windows to run a Tiny Core Linux virtual machine that mines the Monero cryptocurrency.
The stealthy cryptominer is bundled with 137 pirated versions of audio applications for Windows and macOS that support VST plugins and are listed at a single site identified by ESET but hosted on 29 external servers. The software offered by the site includes illicit versions of Propellerhead Reason, Ableton Live, Sylenth1, Nexus, Reaktor 6 and AutoTune.
“LoudMiner targets audio applications, given the machines running these applications often have a higher processing power,” said ESET senior malware researcher Marc-Etienne M. Léveillé.
“These applications are typically complex and have a high CPU consumption, so users will not find this activity unusual. Using virtual machines instead of another leaner solution is quite remarkable, and is not something we have typically seen before.”
LoudMiner has been observed since August 2018, ESET said, and uses SCP to self-update.
Both the macOS and Windows versions operate much the same way: after the user downloads the pirated application, LoudMiner is installed first, followed by the VST software. The cryptominer conceals itself and becomes persistent across reboots, contacting a C&C server to update itself if necessary.
Three macOS and one Windows variation have been identified by ESET.
The miner is based on XMRig and uses a mining pool, which makes it impossible to trace transactions, according to an analysis of LoudMiner posted by ESET’s Michal Malik.
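The behaviour described above, a headless QEMU or VirtualBox guest that runs persistently and consumes sustained CPU, gives a defender a simple triage heuristic over a process listing. The script below is an added example and not code from ESET's report; the `ps`-style listing it parses is constructed, and the image path, the CPU threshold and the flag names it checks are assumptions rather than indicators taken from the page.

```python
import re
from dataclasses import dataclass

# Constructed sample of `ps -axo pid,pcpu,user,command` output; the qemu
# disk image path and VM ids are made up for this example.
SAMPLE_PS = """\
  PID %CPU USER    COMMAND
  312  0.4 alice   /Applications/Ableton Live 10.app/Contents/MacOS/Live
  418 97.8 root    /usr/local/bin/qemu-system-x86_64 -nographic -m 512 -smp 2 -drive file=/usr/local/share/constructed.qcow2
  530 12.1 alice   /Applications/VirtualBox.app/Contents/MacOS/VirtualBoxVM --startvm 1234
  611 91.0 alice   /Applications/VirtualBox.app/Contents/MacOS/VBoxHeadless --startvm 5678
  702  0.0 root    /usr/sbin/sshd
"""

# Hypervisor binaries the page names (QEMU on macOS, VirtualBox on Windows)
# and the ways they run without a console the user would notice.
HYPERVISORS = ("qemu-system-", "VBoxHeadless")
HEADLESS_FLAGS = ("-nographic", "-display none", "VBoxHeadless")
CPU_THRESHOLD = 80.0  # assumed cut-off for "sustained high CPU"

@dataclass
class Finding:
    pid: int
    cpu: float
    user: str
    reasons: list

def parse_ps(text):
    """Return (pid, cpu, user, command) tuples, skipping the header line."""
    procs = []
    for line in text.splitlines()[1:]:
        m = re.match(r"\s*(\d+)\s+([\d.]+)\s+(\S+)\s+(.*)$", line)
        if m:
            procs.append((int(m.group(1)), float(m.group(2)), m.group(3), m.group(4)))
    return procs

def suspicious_vms(text, cpu_threshold=CPU_THRESHOLD):
    """Flag hypervisor processes that are both headless and CPU-heavy."""
    findings = []
    for pid, cpu, user, cmd in parse_ps(text):
        if not any(h in cmd for h in HYPERVISORS):
            continue  # not a hypervisor process at all
        reasons = []
        if any(f in cmd for f in HEADLESS_FLAGS):
            reasons.append("headless VM, no console for the user to notice")
        if cpu >= cpu_threshold:
            reasons.append(f"sustained CPU {cpu:.0f}% >= {cpu_threshold:.0f}%")
        if len(reasons) == 2:  # require both signals to limit false positives
            findings.append(Finding(pid, cpu, user, reasons))
    return findings

if __name__ == "__main__":
    for f in suspicious_vms(SAMPLE_PS):
        print(f"pid {f.pid} ({f.user}): " + "; ".join(f.reasons))
```

A legitimate VM with a visible window (pid 530 above) is not flagged, so a hit is a prompt to inspect the guest image and the persistence entry that launches it, not proof of mining on its own.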