Resource Hijacking

Adversaries may leverage the resources of co-opted systems in order to solve resource intensive problems which may impact system and/or hosted service availability.

One common purpose for Resource Hijacking is to validate transactions of cryptocurrency networks and earn virtual currency. Adversaries may consume enough system resources to negatively impact and/or cause affected machines to become unresponsive.[1] Servers and cloud-based[2] systems are common targets because of the high potential for available resources, but user endpoint systems may also be compromised and used for Resource Hijacking and cryptocurrency mining.(Citation: The MITR Corporation)

Procedure Examples

Name Description
APT41

APT41 deployed a Monero cryptocurrency mining tool in a victim’s environment.[3]

Rocke

Rocke has distributed cryptomining malware.[4][5]

Skidmap

Skidmap is a kernel-mode rootkit used for cryptocurrency mining.[6]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

Consider monitoring process resource usage to determine anomalous activity associated with malicious hijacking of computer resources such as CPU, memory, and graphics processing resources. Monitor for suspicious use of network resources associated with cryptocurrency mining software. Monitor for common cryptomining software process names and files on local systems that may indicate compromise and resource usage.

References

Attachments

ID
VT0031
MITRE ID
Sub-techniques
No sub-techniques
Tactic
Impact
Platforms
AWS
Azure
GCP
Linux
Windows
macOS
Permissions Required
Administrator
User
Data Sources
AWS CloudTrail logs
Azure activity logs
Network device logs
Network protocol analysis
Process monitoring
Process use of network
Stackdriver logs
Impact Type
Availability
Version
1.1

Created: 06 January 2021

Last Modified: 06 January 2021