Cryptominer LoudMiner disguises itself as VST plug-ins and programs for recording music

in #music, 5 years ago (edited)

Pirated music software is a common phenomenon in the music industry, and one that continues to live and develop. Every year, numerous release groups distribute gigabytes of software, and until now the credibility of ISO and RAR archives was high.

The latest report from the developers of the ESET antivirus says that pirates have been quietly using musicians' computers to mine Bitcoin and other cryptocurrencies through the hidden miner LoudMiner. ESET researchers published an article called “LoudMiner: Cross-platform mining in cracked VST software,” which reported that they analyzed 137 images and archives with plug-ins and other music programs.


This list includes free versions of such popular programs and plug-ins as Native Instruments Kontakt 5.7, Propellerhead Reason, Ableton Live, Lennar Digital Sylenth1, ReFX Nexus and Antares AutoTune, downloaded from major torrent trackers and warez blogs. Most of the archives and installers came bundled with the LoudMiner cryptominer, which was installed on the system along with the main audio software.

According to the report, the creators of the LoudMiner cryptominer exploited the fact that VST plug-ins and DAWs put a heavy load on the computer's processor, which is maxed out by running samplers, synthesizers and equalizers. Users did not notice the miner at work and attributed the increased system load to their plug-ins, although in fact the computer was being used to mine cryptocurrency.


The first reports about LoudMiner appeared in August 2018, and Native Instruments Kontakt is considered to be the first infected program. Gradually, reports appeared online of increased processor activity when working with music programs and plug-ins, with user complaints peaking in June 2019.

According to the researchers, the cryptominer runs inside virtualization software: QEMU on macOS and VirtualBox on Windows. During installation, the miner embeds itself deeply in the system and after a while begins to mine the Monero cryptocurrency. The way LoudMiner operates is rather cunning: on macOS it is copied in during installation by a special script and stays in memory as the unkillable qemu-system-x86_64 process, while on Windows it is disguised as the need to install the VirtualBox driver.
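A triage check for the "unkillable" qemu-system-x86_64 behaviour described above, as an added example that is not code from this post or from ESET: it compares two process listings taken before and after killing the process and reports a hypervisor that came back under a new PID. The `ps` output, paths and PIDs are constructed sample data; only the process name comes from the article.

```python
import os

SUSPECT_NAMES = {"qemu-system-x86_64"}  # process name given in the article

# Constructed `ps -axo pid,ppid,user,%cpu,comm` output, taken before and after
# the analyst killed PID 812. Paths and PIDs are placeholders, not real IoCs.
BEFORE = """\
  PID  PPID USER   %CPU COMM
    1     0 root    0.1 /sbin/launchd
  640     1 alice  35.2 /Applications/Example DAW.app/Contents/MacOS/daw
  812     1 root   96.4 /placeholder/dir/qemu-system-x86_64
"""
AFTER = """\
  PID  PPID USER   %CPU COMM
    1     0 root    0.1 /sbin/launchd
  640     1 alice  34.8 /Applications/Example DAW.app/Contents/MacOS/daw
 1377     1 root   97.0 /placeholder/dir/qemu-system-x86_64
"""

def parse_ps(text):
    """Parse the ps listing into dicts; COMM may contain spaces."""
    rows = []
    for line in text.strip().splitlines()[1:]:  # skip the header row
        pid, ppid, user, cpu, comm = line.split(None, 4)
        rows.append({"pid": int(pid), "ppid": int(ppid), "user": user,
                     "cpu": float(cpu), "comm": comm.strip()})
    return rows

def suspects(rows):
    """Rows whose executable name is a watched hypervisor binary."""
    return [r for r in rows if os.path.basename(r["comm"]) in SUSPECT_NAMES]

def respawned(before, after):
    """Suspect executables present in both snapshots under a different PID."""
    old = {}
    for r in suspects(before):
        old.setdefault(r["comm"], set()).add(r["pid"])
    return [{"comm": r["comm"], "old_pids": sorted(old[r["comm"]]),
             "new_pid": r["pid"], "cpu": r["cpu"],
             "launchd_child": r["ppid"] == 1}  # relaunched by launchd
            for r in suspects(after)
            if r["comm"] in old and r["pid"] not in old[r["comm"]]]

def report(before_text, after_text):
    return respawned(parse_ps(before_text), parse_ps(after_text))

if __name__ == "__main__":
    for finding in report(BEFORE, AFTER):
        print(finding)
```

A hit is a reason to look for what keeps relaunching the process, not proof of infection: a QEMU virtual machine that the user restarted by hand would produce the same result.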

ESET recommends that all users check their system for viruses and avoid pirated software. You can read the study details and conclusions of ESET here.


Oh wow thanks for the info
