The LoudMiner malware may abuse the Windows command shell for execution, and may attempt to get information about running processes on a system in order to gain an understanding of common software/applications running on systems within the network.
Additionally, LoudMiner may delete files left behind by its intrusion activity, and may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents. LoudMiner may exploit vulnerabilities in web browsers to gain access to a system. It may also use Launch Daemons to execute malicious payloads as part of persistence. Additionally, it may copy tools or other files from an external system, abuse Unix shell commands and scripts, or abuse msiexec.exe to proxy execution of malicious payloads.
LoudMiner Malware Capabilities
- LoudMiner may attempt to get information about running processes on a system in order to gain an understanding of common software/applications running on systems within the network. Additionally, LoudMiner may use information from process discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
- LoudMiner may look for details about the network configuration and settings, such as IP and/or MAC addresses, of the systems it accesses, or through information discovery of remote systems.
- The LoudMiner malware may delete files, encrypt or obfuscate files, and abuse the Windows service control manager in order to execute malicious commands or payloads. This behavior may be used in order to evade defenses and avoid detection.
- LoudMiner may use a variety of techniques to evade detection, including creating or modifying Windows services to repeatedly execute malicious payloads, setting files and directories to be hidden, and carrying out malicious operations using a virtual instance. By doing so, the adversary can hide their activities from security tools and make it difficult to trace their activity back to the compromised host.
- LoudMiner may gain access to a system by having a user visit a website. It may exploit the user's web browser or use a compromised website for non-exploitation behavior.
- LoudMiner may use information from system information discovery during automated discovery to shape follow-on behaviors. This may include whether or not the adversary fully infects the target and/or attempts specific actions.
- LoudMiner may create or modify Launch Daemons to execute malicious payloads as part of persistence.
- LoudMiner may transfer tools or files from an external system to a compromised environment in order to execute various tasks. This could impact system availability.
Ways to Mitigate LoudMiner Malware Attacks
- The LoudMiner malware can be mitigated by restricting the usage of scripts for normal users, and by capturing scripts from the file system in order to determine their actions and intent. Additionally, system and network discovery techniques should be used in order to identify suspicious behavior that could lead to further attacks.
- The LoudMiner malware can be mitigated by monitoring command-line functions and by detecting file obfuscation and changes to service Registry entries.
- LoudMiner malware can be mitigated by monitoring processes and command-line arguments for actions that could create or modify services; collecting service utility execution and service binary path arguments for analysis; monitoring the file system and shell commands for files being created with a leading "." and for Windows command-line use of attrib.exe to add the hidden attribute; and monitoring for files and processes associated with running a virtual instance.
- The LoudMiner malware can be mitigated by using firewalls and proxies to inspect URLs for known-bad domains or parameters, and by doing reputation-based analytics on websites and their requested resources. Additionally, the /Library/LaunchDaemons/ folder can be monitored for newly added files.
- The LoudMiner malware can be mitigated by monitoring for file creation and transfer, unusual processes with external network connections, and the use of utilities that are not normally used. Additionally, Unix shell usage may be suspicious if it is not commonly used on a system. Finally, process resource usage can be monitored for anomalous activity that may indicate a compromise.
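The detection points listed above (service creation via the service control manager, attrib.exe adding the hidden attribute, dot-prefixed file creation, new plists under /Library/LaunchDaemons/, and processes associated with a virtual instance) can be expressed as simple rules over endpoint telemetry. The following is an added example, not code from any vendor or from the page's source; the event schema, the rule names, the benign-dotfile allowlist and the sample events are all constructed assumptions, and the per-host escalation threshold is a design choice rather than anything the page specifies.

```python
"""Rule-based triage of constructed endpoint events for the LoudMiner-style
behaviours described in the mitigation section. All events below are
constructed samples, not real telemetry."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    host: str
    kind: str    # "process" (detail = command line) or "file" (detail = created path)
    detail: str


# Assumed-benign dot-prefixed names that would otherwise be noisy; tune per environment.
BENIGN_DOTFILES = {".DS_Store", ".localized"}


def _basename(path: str) -> str:
    # Split on either separator so Windows and POSIX paths are handled alike.
    return re.split(r"[\\/]", path)[-1]


def rule_attrib_hidden(e: Event) -> bool:
    """attrib.exe invoked with +h (hidden attribute)."""
    return e.kind == "process" and re.search(
        r"(^|[\\/])attrib(\.exe)?\b.*\+h", e.detail, re.I) is not None


def rule_service_create(e: Event) -> bool:
    """sc.exe create/config, i.e. a service being created or modified."""
    return e.kind == "process" and re.search(
        r"(^|[\\/])sc(\.exe)?\s+(create|config)\b", e.detail, re.I) is not None


def rule_launchdaemon_plist(e: Event) -> bool:
    """A new plist written into the system LaunchDaemons folder."""
    return (e.kind == "file"
            and e.detail.startswith("/Library/LaunchDaemons/")
            and e.detail.endswith(".plist"))


def rule_dot_prefixed_file(e: Event) -> bool:
    """File created with a leading '.', excluding the benign allowlist."""
    if e.kind != "file":
        return False
    name = _basename(e.detail)
    return name.startswith(".") and name not in BENIGN_DOTFILES


def rule_virtual_instance(e: Event) -> bool:
    """A hypervisor process (qemu-system-*) being launched."""
    return e.kind == "process" and re.search(
        r"(^|[\\/])qemu-system-\w+", e.detail, re.I) is not None


RULES = {
    "attrib_hidden": rule_attrib_hidden,
    "service_create": rule_service_create,
    "launchdaemon_plist": rule_launchdaemon_plist,
    "dot_prefixed_file": rule_dot_prefixed_file,
    "virtual_instance": rule_virtual_instance,
}


def evaluate(events):
    """Return (host, rule_name, detail) for every event that matches a rule."""
    findings = []
    for e in events:
        for name, rule in RULES.items():
            if rule(e):
                findings.append((e.host, name, e.detail))
    return findings


def escalate(findings, threshold: int = 2):
    """Hosts where at least `threshold` distinct rules fired; single hits stay as low-priority."""
    per_host = {}
    for host, name, _ in findings:
        per_host.setdefault(host, set()).add(name)
    return {h for h, names in per_host.items() if len(names) >= threshold}


# Constructed sample events (not real LoudMiner artefacts).
SAMPLE_EVENTS = [
    Event("mac-01", "file", "/Library/LaunchDaemons/com.example.sysupd.plist"),
    Event("mac-01", "process", "/usr/local/bin/qemu-system-x86_64 -daemonize -hda image.qcow2"),
    Event("mac-01", "file", "/Users/alice/.tmp_vm"),
    Event("win-01", "process", "attrib.exe +h +s C:\\ProgramData\\svc"),
    Event("win-01", "process", "sc.exe create svchelper binPath= C:\\ProgramData\\svc\\h.exe start= auto"),
    Event("mac-02", "file", "/Users/bob/.DS_Store"),   # allowlisted, should not fire
    Event("mac-02", "process", "/usr/bin/top -l 1"),
]

if __name__ == "__main__":
    hits = evaluate(SAMPLE_EVENTS)
    for host, name, detail in hits:
        print(f"{host}: {name}: {detail}")
    print("escalate:", sorted(escalate(hits)))
```

Each rule on its own is a weak signal (a dot-prefixed file or a qemu process is normal on many developer workstations), which is why `escalate` correlates distinct rule hits per host before raising priority; the allowlist and threshold are the two knobs to tune against your own baseline.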