Malicious actors are attempting to infect computers running Tiny Core Linux virtual machines with an XMRig-based cryptominer that's being bundled with pirated copies of Virtual Studio Technology (VST) software applications.
Dubbed LoudMiner, the Monero-mining software first appeared in August 2018, and works by abusing virtualization software – QEMU on macOS machines and VirtualBox on Windows devices.
ESET researchers have linked the scam to the web domain vstcrack[.]com, which they recently observed advertising 137 cracked VST-related apps – 95 for macOS and 42 for Windows. In a company blog post today, ESET detection engineer Michal Malik said the researchers can confirm the presence of LoudMiner on some of these apps, and are operating under the assumption that the remainder are also trojanized.
Virtual Studio Technology (VST) is an interface standard for integrating software synthesizer and audio effects into digital audio workstations. ESET believes the attackers' focus on VST users suggests they are targeting users who need machines with strong processing power and high CPU consumption. The blog post even takes note of forum threads in which users who downloaded one of the cracked apps complained it was eating up as much as 100 percent of their available resources.
Examples of cracked software apps – which are hosted on 29 external servers and frequently updated with newer versions – include Propellerhead Reason, Ableton Live, Sylenth1, Nexus, Reaktor 6 and AutoTune.
Each of these apps are bundled with virtualization software; a Linux image identified as Tiny Core Linux 9.0, configured to run SMRig; and additional files that allow the malware to achieve persistence so that they can survive reboot and immediately relaunch.
"...These applications are usually complex, so it is not unexpected for them to be huge files. The attackers use this to their advantage to camouflage their VM images," says Malik in the blog post. "Moreover, the decision to use virtual machines instead of a leaner solution is quite remarkable and this is not something we routinely see."
The researchers have uncovered four different versions of LoudMiner – three for macOS and one for Windows.
The three macOS versions all come with QEMU Linux images, shell scripts used to launch these images, and daemons for starting the shell scripts and keeping them running. They all also include a CPU monitor shell script and daemon combination that can start or stop mining activity based on CPU usage states and whether the user is running the Activity Monitor utility.
The Windows version is packaged as an MSI installer that delivers the cracked application, the VirtualBox driver and the Linux image.