When something is free, chances are pretty high that “the user” is the product. Services that are free usually generate value for the creator or provider by sharing exposure with advertisers or perhaps using the data collected from the “free” product for other means such as market studies or product testing before a final product. But sometimes free is the juicy apple with a parasite waiting to land its hook inside the consumer’s gut.
Researchers from ESET and Malwarebytes labs have found cryptominers within high end music production software products provided for free to download and use. Named LoudMinerby ESET and simultaneously named Bird Miner by MalwareBytes Labs, the cryptominer hides by bundling itself inside already large files. The pirated versions of Virtual Studio Technology programs seem to function normally except that they are slower due to increased processor load. This obfuscation not only hides the existence of the additional malicious installation software, but also focuses their targets on users with high processing power: users who need to process visual and audio media. These two operate themselves within a lightweight virtual machine(VM) in the background. This keeps it hidden from the user, but also generalizes itself for both Mac, Windows, and Linux users, lowering the skill threshold of the developer.
The cryptominer hides itself once installed by watching the usage of the Activity Monitor, pausing its functions when it might be watched and can consume of up to 90% of the CPU. While the user might notice difficulties, troubleshooting it will be more troublesome than just looking at what’s running. It can even detect what kind of CPU is used and how many cores are available, running up to two VMs simultaneously to more efficiently siphon off processing power. The Mac version runs QEMU, and the Windows version runs VirtualBox, and while the installation of the emulators require a trust verification, they name themselves “Oracle Corporation Network Service” to disguise their clandestine nature while setting the folders to which they are installed to hidden. The VM runs a version of Linux called Tiny Core Linux 9.0 and is set to mine Monero using XMRig, mining to a Mining pool. Profits are shared with other Monero users in the mining pool, but they are also untraceable to the attacker.
It is always inadvisable to use pirated software, but if one ends up using software from less than reputable sources, be wary of unexpected CPU consumption, trust requests, services, or launch Daemons. While it can be nice to provide some value to a service that is otherwise free, it’s definitely better when you’re an aware and willing participant.