Pirated Final Cut Pro for macOS Offers Stealth Malware Delivery

People using pirated versions of Apple’s Final Cut Pro video editing software may have gotten more than they bargained for when they downloaded the software from the many illicit torrents through which it is available.

For the past several months at least, an unknown threat actor has used a pirated version of the macOS software to deliver the XMRig cryptocurrency mining tool on systems belonging to people who downloaded the app.

Researchers from Jamf who recently spotted the operation have been unable to determine how many users might have installed the weaponized software and currently have XMRig running on their systems, but the level of sharing of the software suggests it could be hundreds.

Potentially Wide Impact for XMRig

Jaron Bradley, macOS detections expert at Jamf, says his company spotted over 400 seeders, that is, users who have the complete app and are making it available via torrent to those who want it. The security vendor found that the individual who originally uploaded the weaponized version of Final Cut Pro for torrent sharing is someone with a multiyear track record of uploading pirated macOS software with the same cryptominer. Software into which the threat actor had previously sneaked the malware includes pirated macOS versions of Logic Pro and Adobe Photoshop.

“Given the relatively high number of seeders and [the fact] that the malware author has been motivated enough to continuously update and upload the malware over the course of three and a half years, we suspect it has a fairly wide reach,” Bradley says.


Jamf
described
the
poisoned
Final
Cut
Pro

sample
that
it
discovered
as
a
new
and
improved
version
of
previous
samples
of
the
malware,
with
obfuscation
features
that
have
made
it
almost
invisible
to
malware
scanners
on
VirusTotal.
One
key
attribute
of
the
malware
is
its
use
of
the
Invisible
Internet
Project
(i2p)
protocol
for
communication.
I2p
is
a
private
network
layer
that
offers
users
similar
kind
of
anonymity
as
that
offered
by
The
Onion
Router
(Tor)
network.
All
i2p
traffic

exists
inside
the
network
,
meaning
it
does
not
touch
the
Internet
directly.

“The malware author never reaches out to a website located anywhere except within the i2p network,” Bradley says. “All attacker tooling is downloaded over the anonymous i2p network and mined currency is sent to the attackers’ wallet over i2p as well.”

With the pirated version of Final Cut Pro that Jamf discovered, the threat actor had modified the main binary, so that when a user double-clicks the application bundle, the main executable that runs is a malware dropper. The dropper is responsible for carrying out all further malicious activity on the system, including launching the cryptominer in the background and then displaying the pirated application to the user, Bradley says.

Continuous Malware Evolution

As noted, one of the most notable differences between the latest version of the malware and previous versions is its increased stealth, but this has been a pattern across the malware’s history.

The earliest version, bundled into pirated macOS software back in 2019, was the least stealthy and mined cryptocurrency all the time, whether the user was at the computer or not. This made it easy to spot. A later iteration of the malware got sneakier; it would only start mining cryptocurrency when the user opened a pirated software program.

“This made it harder for users to detect the malware’s activity, but it would keep mining until the user logged out or restarted the computer. Additionally, the authors started using a technique called Base64 encoding to hide suspicious strings of code associated with the malware, making it harder for antivirus programs to detect,” Bradley says.

He tells Dark Reading that with the latest version, the malware changes the process name to look identical to system processes. “This makes it difficult for the user to distinguish the malware processes from native ones when viewing a process listing using a command-line tool,” Bradley says.

One feature that has remained consistent through the different versions of the malware is its constant monitoring of the Activity Monitor application. Users often open the app to troubleshoot problems with their computers and in doing so could end up detecting the malware. So, “once the malware detects that the user has opened the Activity Monitor, it immediately stops all its processes to avoid detection.”

Instances of threat actors bundling malware into pirated macOS apps have been few and far between. In fact, one of the last well-known instances of such an operation was in July 2020, when researchers at Malwarebytes discovered a pirated version of the application firewall Little Snitch that contained a downloader for a macOS ransomware variant.
