Security researchers at Jamf Threat Labs have found a cryptomining campaign that distributes the XMRig miner inside a pirated copy of Final Cut Pro over torrents, tricking unsuspecting users into mining the Monero cryptocurrency without their consent.
The torrent was found on the popular torrent site The Pirate Bay and was uploaded by a user named wtfisthat34698409672, who also appears to have been uploading other macOS apps, including Adobe's Photoshop and Logic Pro X, since at least 2019. Every torrent uploaded by this account carries a cryptomining payload.
The payload itself remains undetected by most antivirus engines, and further analysis revealed three major development stages, each adding a more complex evasion mechanism. Security tools only detect the first version of the malware, which stopped circulating in April 2021. The second version was active between April 2021 and October 2021 and used Base64 encoding to hide the malicious payloads inside the app bundle.
The third and current version was released in October 2021 and, from May 2022 onwards, became the only variant being distributed. It adds a feature that disguises its malicious processes as Spotlight system processes to avoid detection, plus a script that watches for Activity Monitor: if the user launches it, the script terminates all the malicious processes so they stay hidden from the user.
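Because the payload both impersonates Spotlight processes and kills itself whenever Activity Monitor is open, a GUI-based look at the process list is the wrong tool. The script below is an added example, not code from the Jamf report or from the malware: it takes the output of `ps -axo pid=,comm=` (on macOS `comm` prints the full executable path) and flags processes that carry a Spotlight daemon name but run from outside the directories where Apple's own daemons live. The watched names, the trusted path prefixes and the sample `ps` output are all assumptions constructed for the example, not indicators taken from the report.

```python
"""Flag processes that use a Spotlight daemon name but run from an unexpected path.

Added detection example; the process names, trusted prefixes and the sample
`ps` output below are constructed assumptions, not indicators from the report.
"""
import re
from pathlib import PurePosixPath

# Where genuine Apple system daemons are expected to live (assumption; tune to
# the fleet's baseline). Anything else that claims a daemon name is suspect.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Library/Apple/")

# Spotlight-related daemon names to watch. The article only says the payload
# disguises itself as Spotlight system processes; the exact names are assumed.
WATCHED_NAMES = {"mds", "mds_stores", "mdworker", "mdworker_shared", "mdworker_local"}

# One line of `ps -axo pid=,comm=`: a PID, whitespace, then the full path.
# The path itself may contain spaces (e.g. inside "Final Cut Pro.app"), so the
# remainder of the line is taken as the path rather than split on whitespace.
PS_LINE = re.compile(r"^\s*(?P<pid>\d+)\s+(?P<path>.+?)\s*$")


def parse_ps_line(line):
    """Return (pid, executable_path) for one ps line, or None for headers/junk."""
    m = PS_LINE.match(line)
    if m is None:
        return None
    return int(m.group("pid")), m.group("path")


def classify(pid, path):
    """Return a finding dict if the process masquerades as a Spotlight daemon."""
    name = PurePosixPath(path).name
    if name not in WATCHED_NAMES:
        return None  # not a name we care about
    if path.startswith(TRUSTED_PREFIXES):
        return None  # expected location for a real system daemon
    reason = "inside an app bundle" if ".app/" in path else "outside system directories"
    return {"pid": pid, "name": name, "path": path, "reason": reason}


def find_masquerades(ps_output):
    """Scan raw `ps -axo pid=,comm=` output and return all findings in order."""
    findings = []
    for line in ps_output.splitlines():
        parsed = parse_ps_line(line)
        if parsed is None:
            continue
        finding = classify(*parsed)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample output (not a real capture). Two legitimate Spotlight
# daemons, the real Final Cut Pro binary, one daemon lookalike inside an app
# bundle, one in a user cache directory, and an unrelated system daemon.
SAMPLE_PS = """\
  PID COMM
  101 /System/Library/Frameworks/CoreServices.framework/Frameworks/Metadata.framework/Versions/A/Support/mdworker_shared
  102 /System/Library/Frameworks/CoreServices.framework/Versions/A/Support/mds_stores
  203 /Applications/Final Cut Pro.app/Contents/MacOS/Final Cut Pro
  204 /Applications/Final Cut Pro.app/Contents/Resources/mdworker_shared
  205 /Users/alice/Library/Caches/mdworker_local
  206 /usr/sbin/cfprefsd
"""

if __name__ == "__main__":
    # On a live Mac, feed the output of: ps -axo pid=,comm=
    for hit in find_masquerades(SAMPLE_PS):
        print(f"pid {hit['pid']}: {hit['name']} running {hit['reason']} ({hit['path']})")
```

Run the collection from a terminal with `ps` rather than from Activity Monitor, since the third-generation script kills the miner as soon as Activity Monitor appears. On a real machine a hit can then be confirmed with `codesign --verify --deep --strict` on the executable and by checking whether its signature matches Apple's own Spotlight binaries.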
Across all three versions, the malware routes its command-and-control (C2) communications over an I2P (Invisible Internet Project) network layer to anonymise the traffic.
The latest version of macOS, Ventura, includes stricter code-signing checks designed to keep malicious apps from launching and to stop malware from hiding inside user-facing apps. The threat actor tried to evade these checks by only partially modifying Final Cut Pro and keeping the original code-signing certificate intact. Ventura still refuses to run the modified Final Cut Pro, because its signature no longer matches the bundle, but that refusal doesn't stop the cryptomining payload from running.
BleepingComputer reports that the malware is on Apple's radar and that the company is working on targeted XProtect updates to block it from executing, covering all the variants described in the Jamf report.
Pirated software is often a treasure trove of malware and can be extremely risky to download and use. Users are advised to download programs only from official app stores or vendor sources, regardless of their OS.