Description
Adversaries may leverage the compute resources of co-opted systems to complete resource-intensive tasks, which may impact system and/or hosted service availability.
One common purpose for Compute Hijacking is to validate transactions of cryptocurrency networks and earn virtual currency. Adversaries may consume enough system resources to negatively impact and/or cause affected machines to become unresponsive.(Citation: Kaspersky Lazarus Under The Hood Blog 2017) Servers and cloud-based systems are common targets because of the high potential for available resources, but user endpoint systems may also be compromised and used for Compute Hijacking and cryptocurrency mining.(Citation: CloudSploit - Unused AWS Regions) Containerized environments may also be targeted due to the ease of deployment via exposed APIs and the potential for scaling mining activities by deploying or compromising multiple containers within an environment or cluster.(Citation: Unit 42 Hildegard Malware)(Citation: Trend Micro Exposed Docker APIs)
Additionally, some cryptocurrency mining malware identifies and kills the processes of competing malware so that it does not have to share the host's resources.(Citation: Trend Micro War of Crypto Miners)
Platforms
Threat Groups (4)
| ID | Group | Context |
|---|---|---|
| G0106 | Rocke | [Rocke](https://attack.mitre.org/groups/G0106) has distributed cryptomining malware.(Citation: Talos Rocke August 2018)(Citation: Unit 42 Rocke Januar... |
| G0108 | Blue Mockingbird | [Blue Mockingbird](https://attack.mitre.org/groups/G0108) has used XMRIG to mine cryptocurrency on victim systems.(Citation: RedCanary Mockingbird May... |
| G0139 | TeamTNT | [TeamTNT](https://attack.mitre.org/groups/G0139) has deployed XMRig Docker images to mine cryptocurrency.(Citation: Lacework TeamTNT May 2021)(Citatio... |
| G0096 | APT41 | [APT41](https://attack.mitre.org/groups/G0096) deployed a Monero cryptocurrency mining tool in a victim’s environment.(Citation: FireEye APT41 Aug 201... |
Associated Software (9)
| ID | Name | Type | Context |
|---|---|---|---|
| S0532 | Lucifer | Malware | [Lucifer](https://attack.mitre.org/software/S0532) can use system resources to mine cryptocurrency, dropping XMRig to mine Monero.(Citation: Unit 42 L... |
| S0468 | Skidmap | Malware | [Skidmap](https://attack.mitre.org/software/S0468) is a kernel-mode rootkit used for cryptocurrency mining.(Citation: Trend Micro Skidmap) |
| S0492 | CookieMiner | Malware | [CookieMiner](https://attack.mitre.org/software/S0492) has loaded coinmining software onto systems to mine for Koto cryptocurrency.(Citation: Unit42 ... |
| S0486 | Bonadan | Malware | [Bonadan](https://attack.mitre.org/software/S0486) can download an additional module which has a cryptocurrency mining extension.(Citation: ESET ForSS... |
| S0451 | LoudMiner | Malware | [LoudMiner](https://attack.mitre.org/software/S0451) harvested system resources to mine cryptocurrency, using XMRig to mine Monero.(Citation: ESET Lou... |
| S1111 | DarkGate | Malware | [DarkGate](https://attack.mitre.org/software/S1111) can deploy follow-on cryptocurrency mining payloads.(Citation: Ensilo Darkgate 2018) |
| S0434 | Imminent Monitor | Tool | [Imminent Monitor](https://attack.mitre.org/software/S0434) has the capability to run a cryptocurrency miner on the victim machine.(Citation: Imminent... |
| S0601 | Hildegard | Malware | [Hildegard](https://attack.mitre.org/software/S0601) has used xmrig to mine cryptocurrency.(Citation: Unit 42 Hildegard Malware) |
| S0599 | Kinsing | Malware | [Kinsing](https://attack.mitre.org/software/S0599) has created and run a Bitcoin cryptocurrency miner.(Citation: Aqua Kinsing April 2020)(Citation: Sy... |
References
- Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes. Retrieved April 5, 2021.
- CloudSploit. (2019, June 8). The Danger of Unused AWS Regions. Retrieved October 8, 2019.
- GReAT. (2017, April 3). Lazarus Under the Hood. Retrieved April 17, 2019.
- Oliveira, A. (2019, May 30). Infected Containers Target Docker via Exposed APIs. Retrieved April 6, 2021.
- Oliveira, A., Fiser, D. (2020, September 10). War of Linux Cryptocurrency Miners: A Battle for Resources. Retrieved April 6, 2021.
Frequently Asked Questions
What is T1496.001 (Compute Hijacking)?
T1496.001 is a MITRE ATT&CK technique named 'Compute Hijacking'. It belongs to the Impact tactic(s). Adversaries may leverage the compute resources of co-opted systems to complete resource-intensive tasks, which may impact system and/or hosted service availability. One common purpose for [Compute H...
How can T1496.001 be detected?
Detection of T1496.001 (Compute Hijacking) rests on the side effects that mining cannot hide: sustained, unexplained CPU or GPU utilization (often with the affected host or hosted service becoming sluggish or unresponsive), processes or files matching known miner software such as XMRig, command lines carrying mining-pool URLs or wallet addresses, and outbound connections to mining pools. In cloud and container environments, also watch for compute launched in regions or clusters the organization does not normally use and for container deployments arriving through exposed Docker or Kubernetes APIs. Miners that kill competing processes leave process-termination events that can be correlated with the resource spike. Feed process, network and cloud-audit telemetry into SIEM and EDR rules, and baseline normal resource usage so that deviations stand out.
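The description above lists the artifacts a miner leaves (resource consumption, known miner binaries such as XMRig, pool connections) and the detection answer turns them into indicators. The following is an added example, not code from the ATT&CK page or from any vendor, showing how to triage process and socket telemetry for those indicators. The record layout, the sample processes, the wallet string and the pool ports are all constructed for the example; the only real-world specifics are XMRig's `-o`/`-u`/`--donate-level` command-line shape, the `stratum+tcp://` pool URL prefix and the shape of a standard Monero address (95 base58 characters starting with 4 or 8). The rule deliberately does not flag high CPU on its own, since a compiler or a batch job looks the same on that axis.

```python
"""Triage process/socket telemetry for cryptomining indicators (added example)."""
import re
from dataclasses import dataclass, field


@dataclass
class ProcRecord:
    """One process as an EDR sweep would report it (field names are this example's own)."""
    pid: int
    name: str                  # kernel-reported name; trivially spoofable
    cmdline: str
    cpu_pct: float             # average CPU over the sampling window
    remote: list = field(default_factory=list)   # (remote_host, remote_port) of established sockets


# Hard indicators: any one is enough to flag the process.
MINER_NAMES = {"xmrig", "xmrig-notls", "minerd", "cpuminer", "cgminer", "bfgminer"}
STRATUM_RE = re.compile(r"stratum\+(?:tcp|ssl|tls)://", re.IGNORECASE)
# Standard Monero address: 95 base58 chars, first char 4 (8 for subaddresses).
MONERO_ADDR_RE = re.compile(r"\b[48][1-9A-HJ-NP-Za-km-z]{94}\b")

# Soft indicators: common on busy hosts, so two are needed to corroborate each other.
CPU_THRESHOLD = 80.0
POOL_PORTS = {3333, 3334, 4444, 5555, 7777, 8888, 14433, 14444}   # ports pools commonly use; assumption


def indicators(rec: ProcRecord):
    """Return (hard, soft) indicator descriptions for one process record."""
    hard, soft = [], []
    if rec.name.lower() in MINER_NAMES:
        hard.append(f"known miner binary name {rec.name!r}")
    if STRATUM_RE.search(rec.cmdline):
        hard.append("stratum pool URL on command line")
    if MONERO_ADDR_RE.search(rec.cmdline):
        hard.append("Monero wallet address on command line")
    if "--donate-level" in rec.cmdline:
        hard.append("XMRig-specific flag on command line")
    if rec.cpu_pct >= CPU_THRESHOLD:
        soft.append(f"sustained CPU {rec.cpu_pct:.0f}% >= {CPU_THRESHOLD:.0f}%")
    pool_conns = [(h, p) for h, p in rec.remote if p in POOL_PORTS]
    if pool_conns:
        soft.append(f"established connection to common pool port {pool_conns[0][1]}")
    return hard, soft


def triage(records):
    """Map pid -> reasons for every record that meets the flagging rule.

    Any hard indicator flags the process; soft indicators only flag it when at
    least two corroborate. A pegged core is not a miner, but a pegged core with
    a socket to port 14444 deserves a look.
    """
    flagged = {}
    for rec in records:
        hard, soft = indicators(rec)
        if hard or len(soft) >= 2:
            flagged[rec.pid] = hard + soft
    return flagged


# Constructed sample telemetry. WALLET is a made-up string of the right shape, not a real wallet.
WALLET = "4" + "AB1" * 31 + "A"
SAMPLE = [
    # Renamed miner: name mimics a kernel thread, the command line gives it away.
    ProcRecord(4121, "kworker", f"./kworker -o stratum+tcp://pool.example.net:3333 -u {WALLET} -p x -k",
               97.0, [("203.0.113.10", 3333)]),
    # Legitimate busy process: high CPU alone must not flag it.
    ProcRecord(2210, "cc1", "/usr/lib/gcc/x86_64-linux-gnu/12/cc1 -O2 main.c", 92.0, []),
    # Ordinary worker talking HTTPS.
    ProcRecord(3050, "python3", "python3 /opt/app/worker.py", 12.0, [("198.51.100.5", 443)]),
    # Unrenamed XMRig reading its pool from a config file: nothing on the command line, name still catches it.
    ProcRecord(5001, "xmrig", "./xmrig --config=config.json", 88.0, [("203.0.113.15", 443)]),
    # No stratum prefix and no wallet on the command line, but two soft indicators corroborate.
    ProcRecord(6100, "m", "./.x/m -o pool.example.org:14444 -u worker1", 85.0, [("203.0.113.20", 14444)]),
]

if __name__ == "__main__":
    for pid, reasons in triage(SAMPLE).items():
        print(pid, "->", "; ".join(reasons))
```

On a live host the records would come from the EDR's process and socket tables rather than the `SAMPLE` list; the rule itself is the part worth keeping. Note what each sample teaches: the renamed binary is caught by its arguments, the config-file miner only by its name, and the stripped-down one only because two weak signals line up.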
What mitigations exist for T1496.001?
Compute Hijacking is an Impact technique, so mitigation is mostly about denying the access that precedes it and capping the damage: do not expose Docker, Kubernetes or other container APIs to untrusted networks without authentication, apply least privilege to cloud credentials and alert on instances launched in regions the organization does not use, enforce resource quotas and limits on containers and workloads, segment networks so a compromised host cannot reach the rest, and keep systems patched. Blocking known miner binaries such as XMRig through application allowlisting or EDR also raises the cost for opportunistic actors, though renamed or config-driven miners will need the behavioral detections above.
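The description notes that container environments are targeted "via exposed APIs", and the mitigation answer asks that such APIs not be exposed unauthenticated. As an added example (not from the ATT&CK page or from Docker), here is a small audit that reads how `dockerd` listens, either from `daemon.json` or from a systemd `ExecStart=` command line, and flags any `tcp://` listener that lacks `--tlsverify`. Docker's conventional ports 2375 (plaintext) and 2376 (TLS) and the `hosts`/`tlsverify`/`tlscacert`/`tlscert`/`tlskey` keys are real; the two configuration documents and the command line are constructed for the example, with the weak setting beside the hardened one. What the daemon does with a bare `tcp://` (no host) is not assumed; it is reported for manual checking.

```python
"""Audit dockerd listeners for unauthenticated TCP exposure (added example)."""
import ipaddress
import json
import shlex
from urllib.parse import urlsplit

DEFAULT_PLAIN_PORT = 2375   # Docker's conventional unencrypted API port
DEFAULT_TLS_PORT = 2376     # Docker's conventional TLS API port


def parse_daemon_json(text: str):
    """Return (hosts, tlsverify) from a daemon.json document."""
    cfg = json.loads(text)
    return list(cfg.get("hosts", [])), bool(cfg.get("tlsverify", False))


def parse_dockerd_cmdline(cmdline: str):
    """Return (hosts, tlsverify) from a dockerd command line such as a systemd ExecStart=."""
    toks = shlex.split(cmdline)
    hosts, tlsverify = [], False
    i = 0
    while i < len(toks):
        tok = toks[i]
        if tok in ("-H", "--host") and i + 1 < len(toks):
            hosts.append(toks[i + 1])
            i += 2
            continue
        if tok.startswith(("-H=", "--host=")):
            hosts.append(tok.split("=", 1)[1])
        elif tok in ("--tlsverify", "--tlsverify=true"):
            tlsverify = True
        i += 1
    return hosts, tlsverify


def _is_loopback(host: str) -> bool:
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host.lower() == "localhost"


def audit(hosts, tlsverify):
    """Return (severity, listener, message) findings; an empty list means the listeners are clean.

    Policy: unix:// and fd:// (systemd socket activation) are local and pass; a tcp://
    listener passes only with TLS client verification; a plaintext tcp:// listener is
    critical when reachable beyond loopback and a warning when bound to loopback.
    """
    findings = []
    for h in hosts:
        u = urlsplit(h)
        if u.scheme in ("unix", "fd", ""):
            continue
        if u.scheme != "tcp":
            findings.append(("warn", h, f"unrecognised listener scheme {u.scheme!r}"))
            continue
        if u.hostname is None:
            findings.append(("warn", h, "tcp listener without an explicit host; confirm the effective bind address"))
            continue
        if tlsverify:
            continue
        port = u.port or DEFAULT_PLAIN_PORT
        exposed = u.hostname in ("0.0.0.0", "::") or not _is_loopback(u.hostname)
        sev = "critical" if exposed else "warn"
        findings.append((sev, h, f"plaintext Docker API on {u.hostname}:{port} without --tlsverify; "
                                 "anyone who can reach it can run containers as root on this host"))
    return findings


# Constructed configurations: the weak setting and its hardened counterpart.
WEAK_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
HARDENED_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}"""
WEAK_EXECSTART = "/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2375 --containerd=/run/containerd/containerd.sock"

if __name__ == "__main__":
    for label, (hosts, tls) in {
        "weak daemon.json": parse_daemon_json(WEAK_DAEMON_JSON),
        "hardened daemon.json": parse_daemon_json(HARDENED_DAEMON_JSON),
        "weak ExecStart": parse_dockerd_cmdline(WEAK_EXECSTART),
    }.items():
        print(label, audit(hosts, tls) or "clean")
```

The hardened document still binds to all interfaces, which is acceptable only because `tlsverify` forces every client to present a certificate signed by the configured CA; restricting the bind address or fronting the port with a firewall rule is the cheaper fix when remote API access is not actually needed.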
Which threat groups use T1496.001?
Known threat groups using T1496.001 include: Rocke, Blue Mockingbird, TeamTNT, APT41.