Highly evasive cryptocurrency miner targets macOS
Researchers
warn
of
an
evasive
cryptojacking
malware
targeting
macOS
which
spreads
through
pirated
applications
Jamf
Threat
Labs
researchers
reported
that
an
evasive
cryptojacking
malware
targeting
macOS
was
spotted
spreading
under
the
guise
of
the
Apple-developed
video
editing
software,
Final
Cut
Pro.
Trojanized
versions
of
legitimate
applications
are
being
used
to
deploy
XMRig
cryptocurrency
miner
on
macOS
systems.
“Further
investigation
revealed
that
this
malicious
version
of
Final
Cut
Pro
contained
a
modification
unauthorized
by
Apple
that
was
executing
XMRig
in
the
background.”
reads
the
analysis
published
by
the
experts.
At
the
time
of
its
discovery,
the
sample
analyzed
by
the
experts
was
not
labeled
as
malicious
by
any
security
vendors
on
VirusTotal.
Today,
many
malicious
applications
continue
to
go
undetected
by
most
AV
vendors.
This
malware
relies
on
the
i2p
(Invisible
Internet
Project)
anonymization
network
for
communication.
The
malicious
code
uses
i2p
to
download
malicious
components
and
send
mined
currency
to
the
attacker’s
wallet.
The
researchers
noticed
similarities
with
other
examples
reported
by Trend
Micro in
February
2022.
However,
the
Jamf
Threat
Labs
pointed
out
that
there
were
still
discrepancies
and
unanswered
questions,
such
as
why
the
sample
they
found
was
so
evasive.
“We
downloaded
the
most
recent
torrent
with
the
highest
number
of
seeders
and
checked
the
hash
of
the
application
executable.
It
matched
the
hash
of
the
infected
Final
Cut
Pro
we
had
discovered
in
the
wild.
We
now
had
our
answer.”
continues
the
analysis.
“We
observed
that
the
torrent
was
uploaded
by
a
user
with
a
yearslong
track
record
of
uploading
pirated
macOS
software
torrents,
many
of
which
were
among
the
most
widely
shared
versions
for
their
respective
titles”
The
Jamf’s
report
revealed
that
the
tainted
app
was
distributed
through
Pirate
Bay
since
at
least
2019.
Jamf
was
able
to
identify
the
various
samples
of
the
malware
distributed
through
pirated
applications,
determining
when
they
appeared
in
the
torrent
community,
when
they
started
being
submitted
to
VirusTotal,
and
when
security
vendors
started
to
detect
the
malware.
This
allowed
the
cyber
security
firm
to
understand
the
malware
evolution
and
the
tactics
and
techniques
used
by
the
authors
to
avoid
detection.
The
experts
identified
three
generation
of
malware
since
August
2019.
The
first-generation
samples
were
using
the
AuthorizationExecuteWithPrivileges API
to
gain
elevated
privileges
and
install
the
Launch
Daemon
to
gain
persistence.
Later
first
generation
samples
changed
to
a
user
Launch
Agent,
which
would
not
require
the
conspicuous
password
prompt.
The
second-generation
samples
started
relying
on
the
user
launching
the
application
bundle
to
start
the
mining
process,
instead
of
gaining
persistence.
The
most
recent
variants
of
the
miner
hide
the
malicious
i2p
components
within
the
application
executable
using
base64
encoding.
The
report
states
that
despite
the
security
improvement
introduced
with
the
latest
macOS
version
Ventura,
it
was
still
possible
to
execute
cryptocurrency
miners
on
the
infected
system.
“On
the
other
hand,
macOS
Ventura
did
not
prevent
the
miner
from
executing.
By
the
time
the
user
receives
the
error
message,
that
malware
has
already
been
installed.”
concludes
the
report.
“It
did
prevent
the
modified
version
of
Final
Cut
Pro
from
launching,
which
could
raise
suspicion
for
the
user
as
well
as
greatly
reduce
the
probability
of
subsequent
launches
by
the
user.”
Follow
me
on
Twitter:
@securityaffairs
and
Facebook
and
Mastodon
(SecurityAffairs –
hacking,
malware)
Share
On
About Author
