LoudMiner used a batch script to run the Linux virtual machine as a service.^[1]

LoudMiner used shell scripts to launch various services and to start/stop the QEMU virtualization.^[1]

LoudMiner can automatically launch a Linux virtual machine as a service at startup if the AutoStart option is enabled in the VBoxVmService configuration file.^[1]

LoudMiner adds plist files with the naming formatcom.[random_name].plist in the/Library/LaunchDaemons folder with the RunAtLoad and KeepAlive keys set totrue.^[1]

LoudMiner is typically bundled with pirated copies of Virtual Studio Technology (VST) for Windows and macOS.^[1]

LoudMiner has set the attributes of the VirtualBox directory and VBoxVmService parent directory to "hidden".^[1]

LoudMiner has used QEMU and VirtualBox to run a Tiny Core Linux virtual machine, which runs XMRig and makes connections to the C2 server for updates.^[1]

LoudMiner deleted installation files after completion.^[1]

LoudMiner used SCP to update the miner from the C2.^[1]

LoudMiner has obfuscated various scripts.^[1]

LoudMiner has encrypted DMG files.^[1]

LoudMiner used theps command to monitor the running processes on the system.^[1]

LoudMiner harvested system resources to mine cryptocurrency, using XMRig to mine Monero.^[1]

LoudMiner used an MSI installer to install the virtualization software.^[1]

LoudMiner has monitored CPU usage.^[1]

LoudMiner used a script to gather the IP address of the infected machine before sending to the C2.^[1]

LoudMiner launched the QEMU services in the/Library/LaunchDaemons/ folder usinglaunchctl. It also useslaunchctl to unload allLaunch Daemons when updating to a newer version ofLoudMiner.^[1]

LoudMiner started the cryptomining virtual machine as a service on the infected machine.^[1]