It may sound strange, but it's true.
Dubbed "LoudMiner" and also "Bird Miner," the attack leverages command-line-based virtualization software on targeted systems to silently boot a Tiny Core Linux image that already contains hacker-activated cryptocurrency mining software.
Isn't it interesting to use emulation to run single-platform malware across platforms?
Researchers at ESET and Malwarebytes spotted the campaign: since August 2018, attackers have been distributing this malware bundled with pirated and cracked copies of VST (Virtual Studio Technology) software on the Internet and via torrent networks.
VST applications contain sounds, effects, synthesizers, and other advanced editing features that allow tech-centric audio professionals to create music.
"Regarding the nature of the applications targeted, it is interesting to observe that their purpose is related to audio production; thus, the machines that they are installed on should have good processing power and high CPU consumption will not surprise the users," ESET researchers said.
Researchers have found various malicious versions of nearly 137 VST-related applications, 42 of which are for Windows and 95 for the macOS platform, including Propellerhead Reason, Ableton Live, Sylenth1, Nexus, Reaktor 6 and AutoTune.
For macOS systems, the software runs multiple shell scripts and uses the open-source Quick Emulator (QEMU) utility to launch the virtual Linux OS, and for Windows, it relies on VirtualBox for emulation.
Once installed and activated, the malware also gains persistence on the system by installing additional files and then launches virtual machines in the background.
The attackers have pre-configured these Linux OS images to launch the cryptocurrency mining software automatically at startup, without requiring a user to log in, and to connect to the hacker's command-and-control servers.
"OVF file included in the Linux image describes the hardware configuration of the virtual machine: it uses 1GB of RAM and 2 CPU cores (with maximum usage of 90%)," ESET researchers said.
"The Linux image is Tiny Core Linux 9.0 configured to run XMRig, as well as some files and scripts to keep the miner updated continuously."
The malware "can run two images at once, each taking 128 MB of RAM and one CPU core" to mine simultaneously.
"Further, the fact that the malware runs two separate miners, each running from their own 130 MB Qemu image file, means that the malware consumes far more resources than necessary," Malwarebytes said.
The attack is another good reason why you should never trust unofficial and pirated software available on the Internet.
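A defender-side check for the behaviour described above, added here as an example and not taken from the ESET or Malwarebytes reports: it scans a process listing for QEMU or VirtualBox guests started without a window. The sample listing, its file paths and the 1024 MiB threshold are constructed assumptions.

```python
import re

# Emulators named in the article: QEMU (macOS) and VirtualBox (Windows).
EMULATOR = re.compile(r"(qemu-system-[\w-]+|vboxheadless)(?:\.exe)?", re.I)
# Real QEMU options that start a guest with no visible window.
NO_DISPLAY = re.compile(r"(?<!\S)-(?:nographic|daemonize|display\s+none)(?!\S)")
MEMORY = re.compile(r"(?<!\S)-m\s+(\d+)([MmGg]?)(?!\S)")  # QEMU default unit: MiB

def hidden_vm_reasons(cmdline):
    """Return reasons a command line looks like a windowless VM, else []."""
    match = EMULATOR.search(cmdline)
    if not match:
        return []
    if match.group(1).lower() == "vboxheadless":
        reasons = ["VirtualBox VM started without a window"]
    elif NO_DISPLAY.search(cmdline):
        reasons = ["QEMU started without a display"]
    else:
        return []  # emulator with a visible window: not what the article describes
    mem = MEMORY.search(cmdline)
    if mem:
        mib = int(mem.group(1)) * (1024 if mem.group(2).lower() == "g" else 1)
        if mib <= 1024:  # assumed threshold; article cites 128 MB and 1 GB guests
            reasons.append(f"small guest ({mib} MiB RAM)")
    return reasons

def scan(ps_lines):
    """Scan 'PID PPID COMMAND' rows; return one finding per suspicious process."""
    findings = []
    for line in ps_lines:
        parts = line.split(None, 2)
        if len(parts) < 3 or not (parts[0].isdigit() and parts[1].isdigit()):
            continue  # header or malformed row
        reasons = hidden_vm_reasons(parts[2])
        if reasons:
            findings.append({"pid": int(parts[0]), "ppid": int(parts[1]), "reasons": reasons})
    if len(findings) > 1:  # article: the malware can run two images at once
        for finding in findings:
            finding["reasons"].append("several windowless VMs at once")
    return findings

# Constructed sample in `ps -axo pid,ppid,command` layout; paths are made up.
SAMPLE_PS = """\
  PID  PPID COMMAND
  412     1 /usr/local/bin/qemu-system-x86_64 -m 128 -smp 1 -nographic -hda /tmp/a.img
  413     1 /usr/local/bin/qemu-system-x86_64 -m 128 -smp 1 -display none -hda /tmp/b.img
  950   801 /opt/homebrew/bin/qemu-system-aarch64 -m 4G -smp 4 -hda /Users/dev/test.qcow2
 1200     1 /Applications/Synth.app/Contents/MacOS/Synth
""".splitlines()

if __name__ == "__main__":
    for finding in scan(SAMPLE_PS):
        print(finding["pid"], "; ".join(finding["reasons"]))
```

A hit is a lead for triage, since legitimate developer tooling also starts headless guests; check the parent process and where the disk image came from.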