macOS targeted by evasive crypto-jacking malware

An investigation has discovered a new evasive crypto-jacking malware on macOS distributed through pirated versions of Final Cut Pro.

New malware targets macOS


Jamf Threat Labs has spent the past few months tracking a family of malware that recently resurfaced. An earlier version is known in the security community, but the new iteration hasn't seen much detection.

During routine monitoring, Jamf received an alert about XMRig usage, a command-line tool for mining cryptocurrency. Although XMRig is frequently used for good, its customizable, open-source nature has also made it a well-liked option for bad actors.

The team found the malware hiding in pirated versions of Final Cut Pro, Apple's video editing software. This malicious version of Final Cut Pro was running XMRig in the background.

Embedded malware script. Source: Jamf Labs


It uses the Invisible Internet Project (i2p) for communication, a private network layer that can anonymize traffic. The malware uses it to download malicious components and send mined currency to the attacker's wallet.

Jamf searched through The Pirate Bay, a famous repository for pirated music, movies, software, and other file categories. They downloaded the most recent torrent with the highest number of seeders and found it contained malware.

The uploader was the source of the malware and the source of the previously reported samples. Almost all the numerous uploads that started in 2019 were infected with a malicious payload to covertly mine cryptocurrency.

After a user installs the infected Final Cut Pro app, a process immediately starts to download and set up the malware and the XMRig command-line components. It disguises the mining as a "mdworker_local" process.
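A defender-side check for the disguise described above, as an added example that is not from Jamf or this article: it flags processes that borrow the `mdworker` name but run from outside `/System/Library/`, plus anything named like XMRig. The trusted prefix, the `ps -axo pid=,comm=` input format and the sample lines are assumptions constructed for illustration.

```python
import posixpath

# Assumption: genuine Spotlight workers run from the sealed system volume.
TRUSTED_PREFIX = "/System/Library/"
MASQUERADE_PREFIX = "mdworker"  # the article: the miner poses as "mdworker_local"
MINER_NAMES = ("xmrig",)

# Constructed sample of `ps -axo pid=,comm=` output (not real telemetry).
SAMPLE_PS = """\
  412 /System/Library/Frameworks/CoreServices.framework/Frameworks/Metadata.framework/Versions/A/Support/mdworker_shared
  977 /Applications/Final Cut Pro.app/Contents/MacOS/Final Cut Pro
 1033 /private/tmp/example/mdworker_local
 1290 /Users/alice/Library/example/xmrig
"""

def parse_ps(text):
    """Yield (pid, path). Paths may contain spaces, so split only once."""
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and parts[0].isdigit():
            yield int(parts[0]), parts[1]

def classify(path):
    """Return a reason string for a suspicious executable path, else None."""
    path = posixpath.normpath(path)  # collapse ../ so the prefix test holds
    name = posixpath.basename(path).lower()
    if any(miner in name for miner in MINER_NAMES):
        return "miner-name"
    if name.startswith(MASQUERADE_PREFIX) and not path.startswith(TRUSTED_PREFIX):
        return "masquerade"
    return None

def find_suspicious(text):
    hits = []
    for pid, path in parse_ps(text):
        reason = classify(path)
        if reason:
            hits.append((pid, path, reason))
    return hits

if __name__ == "__main__":
    for pid, path, reason in find_suspicious(SAMPLE_PS):
        print(f"{pid}\t{reason}\t{path}")
```

A hit is a lead for triage, not a verdict: confirm by inspecting the binary's location and code signature before acting.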

Staying protected

The researchers note that macOS Ventura can block the malicious app from running. This is because the malware leaves the original code signature intact but modifies the application, which fails the system security policy.

Gatekeeper blocking the app


However, macOS Ventura doesn't prevent the miner from executing. So, by the time the user receives an error message saying Final Cut Pro is damaged and can't be opened, the malware has already been installed.

The team only found the error message on pirated Logic Pro and Final Cut Pro versions. However, a pirated version of Photoshop successfully launched the malicious and working components on macOS Ventura 13.2 and earlier.

The most obvious way to avoid malware is not to download pirated software. Final Cut Pro is expensive at $299.99, but iMovie and DaVinci Resolve are both free options.

VirusTotal image showing malicious binary with 0 detections from other vendors. Taken by Jamf Threat Labs on February 10, 2023


At the time of discovery, Jamf found that the malware sample wasn't detected as malicious by any security vendors on VirusTotal, a website that can detect malware. From January 2023, a few unnamed vendors appeared to have started detecting the malware; however, some maliciously altered programs continue to go undetected.

Therefore, users might be unable to rely on their antimalware software to detect the infection -- at least for now.


Comments

  • Reply 1 of 11
    DAalseth Posts: 2,974 member
    This is the kind of s*** we will see more of if they force Apple to allow alternative markets onto macOS/iOS/ipadOS. Eventually you will find your HomePod mining crypto for some lowlife. 
  • Reply 2 of 11
    lkrupp Posts: 10,557 member
    DAalseth said:
    This is the kind of s*** we will see more of if they force Apple to allow alternative markets onto macOS/iOS/ipadOS. Eventually you will find your HomePod mining crypto for some lowlife. 
    So how many Android phones are already mining crypto for some lowlife?
  • Reply 3 of 11
    jimh2 Posts: 656 member
    Stealing software and getting malware is no different from breaking into someone’s home and getting shot. Cannot feel bad for a bad side-effect of theft. 
  • Reply 4 of 11
    DAalseth Posts: 2,974 member
    lkrupp said:
    DAalseth said:
    This is the kind of s*** we will see more of if they force Apple to allow alternative markets onto macOS/iOS/ipadOS. Eventually you will find your HomePod mining crypto for some lowlife. 
    So how many Android phones are already mining crypto for some lowlife?
    Likely a lot of them, but the owners don’t know. They just complain that the old phone is “getting slow” and they buy a new one. (I used to know a lot of people who used Android.)
  • Reply 5 of 11
    DAalseth said:
    This is the kind of s*** we will see more of if they force Apple to allow alternative markets onto macOS/iOS/ipadOS. Eventually you will find your HomePod mining crypto for some lowlife. 

    Psst... software from non-Apple controlled sources has been allowed on macOS for about (*checks notes*) 39 years now.
  • Reply 6 of 11
    sflocal Posts: 6,123 member
    In the old days of pre-internet, one could get their hands on pirated software without it hijacking your system without much concern.  Nowadays, there is no way in hell I would ever consider downloading pirated software from some sketchy site.  Considering all kinds of information a user keeps on their computer/phone, the possibilities for serious financial harm are real.  

    I have zero sympathy for folks that download these malware-ridden packages.
  • Reply 7 of 11
    Er, what about the fact MacOS blocks the app from running, but lets the malware install ok? That could be better! 
  • Reply 8 of 11
    Er, what about the fact MacOS blocks the app from running, but lets the malware install ok? That could be better! 
    It's not just the execution of the app that causes the problem, it's the installer - you can define a script that runs after the actual installation to clean up temporary files and my guess is that the malware uses this option to grab the malicious payload and kick off the process.
  • Reply 9 of 11
    Er, what about the fact MacOS blocks the app from running, but lets the malware install ok? That could be better! 
    It's not just the execution of the app that causes the problem, it's the installer - you can define a script that runs after the actual installation to clean up temporary files and my guess is that the malware uses this option to grab the malicious payload and kick off the process.
    ...and it's even worse than that, as there is a pre-install script. Zoom used to hi-jack that to do their actual install!
  • Reply 10 of 11
    DAalseth said:
    This is the kind of s*** we will see more of if they force Apple to allow alternative markets onto macOS/iOS/ipadOS. Eventually you will find your HomePod mining crypto for some lowlife. 
    Freedom isn't safe, bro.
    But, perhaps on iPhone, it can be relatively safe. I heard of this about 6 years ago, but I'm quite sure that iOS's model of how applications run in the background prevents this, unlike Android's, which allows for apps explicitly running in the background, Apple just kills or pauses the app after a while. Cryptocurrency miners specifically aren't something I think you should be concerned about on iPhone, unless a malicious side-loaded app uses some type of exploit to install XMRig and i2p Pegasus style onto your iPhone.
    I feel most of the concern is apps that will try to scam, spam, and phish, like FaceStealer, which is already on both iOS and Android. Nothing new under the sun.