Hackers Using Trojanized macOS Apps to Deploy Evasive Cryptocurrency Mining Malware

February 23, 2023 | Ravie Lakshmanan | Endpoint Security / Cryptocurrency


Trojanized versions of legitimate applications are being used to deploy evasive cryptocurrency mining malware on macOS systems.

Jamf Threat Labs, which made the discovery, said the XMRig coin miner was executed from within a copy of Apple’s video editing software, Final Cut Pro, that contained unauthorized modifications.

“This malware makes use of the Invisible Internet Project (i2p). […] It downloads a malicious component and sends the mined currency to the attacker’s wallet,” Jamf researchers Matt Benyo, Ferdous Saljooki, and Jaron Bradley said in a report shared with The Hacker News.

Trend Micro notes that the malware uses i2p to hide network traffic and speculates that it may have been delivered as a DMG file for Adobe Photoshop CC 2019.

According to the Apple device management company, the source of the cryptojacking app can be traced back to The Pirate Bay, with the first upload dating back to 2019.

The findings point to three generations of the malware, first observed in August 2019, April 2021, and October 2021, that show an evolution in the campaign’s sophistication and stealth.

One example of an evasion technique is a shell script that monitors the list of running processes for Activity Monitor and terminates the mining process if it is present.


The malicious mining process takes effect when a user launches the pirated application: code embedded in the executable connects via i2p to an attacker-controlled server and downloads the XMRig component.
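As an added defensive example (not from the Jamf report or this article), the following Python script scans a `ps -axo pid,ppid,args` snapshot for processes whose command line carries XMRig-style options or a stratum/i2p pool endpoint. The option names, the regular expression and the sample process list are assumptions constructed for illustration, and the snapshot is taken from a script rather than Activity Monitor because the miner described above exits as soon as Activity Monitor appears.

```python
import re
import subprocess
from dataclasses import dataclass

# Heuristics assumed for this example: XMRig's documented command-line options and
# the stratum URL scheme. The report does not publish the campaign's actual strings.
XMRIG_FLAGS = {"-o", "--url", "-u", "--user", "--donate-level", "--coin", "--algo"}
POOL_URL = re.compile(r"stratum\+(ssl|tcp)://|\.i2p\b", re.IGNORECASE)

@dataclass
class Hit:
    pid: int
    ppid: int
    reason: str
    args: str

def find_miner_candidates(ps_output: str) -> list[Hit]:
    """Scan `ps -axo pid,ppid,args` output and flag likely miner processes."""
    hits = []
    for line in ps_output.strip().splitlines()[1:]:  # first line is the header
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        pid, ppid, args = int(parts[0]), int(parts[1]), parts[2]
        # Option names only: "--donate-level=0" and "--donate-level 0" both count.
        flags = {a.split("=", 1)[0] for a in args.split()[1:]}
        if POOL_URL.search(args):
            hits.append(Hit(pid, ppid, "mining pool / i2p endpoint", args))
        elif len(flags & XMRIG_FLAGS) >= 2:  # a lone "-o" is too common to flag
            hits.append(Hit(pid, ppid, "xmrig-style options", args))
    return hits

def scan_live() -> list[Hit]:
    # Snapshot from a script, not Activity Monitor: the miner kills itself when
    # Activity Monitor is running, so an interactive look can come up empty.
    out = subprocess.run(["ps", "-axo", "pid,ppid,args"],
                         capture_output=True, text=True, check=True).stdout
    return find_miner_candidates(out)

# Constructed sample snapshot; paths and names are illustrative, not from the campaign.
SAMPLE_PS = """\
  PID  PPID ARGS
  512     1 /Applications/Final Cut Pro.app/Contents/MacOS/Final Cut Pro
  640   512 /bin/sh /private/tmp/.x/run.sh
  655   640 /private/tmp/.x/helper -o stratum+tcp://pool.example.i2p:3333 -u 4AAAA --donate-level=0
  700     1 /usr/bin/python3 /Users/me/scan.py -o report.txt
"""

if __name__ == "__main__":
    for h in find_miner_candidates(SAMPLE_PS):
        print(f"pid={h.pid} ppid={h.ppid} {h.reason}: {h.args}")
```

Run on a live system with `scan_live()`; on the constructed sample only the helper process under the shell script is reported, while the unrelated `python3 ... -o report.txt` line is not.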

The malware’s ability to fly under the radar, combined with the fact that users running cracked software are willing to do something illegal, has made this distribution vector very effective over the years.

That said, Apple has taken steps to combat such exploits by subjecting notarized apps to stricter Gatekeeper checks in macOS Ventura, which prevents tampered apps from being launched.

“On the other hand, macOS Ventura did not prevent the miner from running,” Jamf researchers said. “By the time the user receives the error message, the malware has already been installed.”

“Preventing a modified version of Final Cut Pro from launching could not only arouse suspicion among users, but would also greatly reduce the likelihood that they would subsequently launch it.”
