June 20, 2019

LoudMiner uses virtualisation software in an “unusual case” of cryptojacking

By Ellen Daniel

IT security specialist ESET has identified an unusual new cryptocurrency miner, known as LoudMiner, that utilises virtualisation to infect the machines of unsuspecting users.

Described by ESET as “an unusual case”, LoudMiner uses virtualisation software, either QEMU on macOS or VirtualBox on Windows, to mine cryptocurrency on a Tiny Core Linux virtual machine.

Virtualisation refers to creating a virtual version of a computer operating system on another machine. In the context of cryptocurrency mining, individuals can harness the RAM or GPU of an infected machine to mine cryptocurrency, before transferring it to their own machine.

How LoudMiner is being used to mine cryptocurrency

According to ESET, LoudMiner has been in use since August 2018, and works by infecting machines through pirated copies of a type of audio software plugin interface called VST (Virtual Studio Technology). The compromised machine is then used to mine cryptocurrency without its owner’s knowledge.

As this is software used for audio production, this type of plugin would typically be installed on machines that have good processing power, meaning that an increase in CPU usage would often go undetected by users. However, ESET has said that using virtual machines for this purpose is not something that they “routinely see”.

Marc-Etienne M. Léveillé, senior malware researcher at ESET, explains how this works:

“LoudMiner targets audio applications, given the machines running these applications often have a higher processing power. These applications are typically complex and have a high CPU consumption, so users will not find this activity unusual.”

He also comments that this is an unusual case of cryptocurrency mining:

“Using virtual machines instead of another leaner solution is quite remarkable, and is not something we have typically seen before.”

Cryptojacking using techniques such as this can create problems for the user of the compromised machine, and can cause lasting damage to the device.

When a device has been infected, CPU usage increases, making the machine run slowly, shortening battery life and causing the machine to behave strangely. This could eventually lead to the device being unusable.

In order to prevent this, ESET warns against downloading pirated copies of commercial software and advises users to beware of signs that a computer may have been cryptojacked, such as popups from unexpected “additional” installers, higher CPU consumption, as well as new services and connections from unknown domain names.
