Evasive cryptocurrency mining malware is being installed on macOS devices via trojanized copies of trusted software. The XMRig currency miner was disguised as Apple's Final Cut Pro, a video editing program, which Jamf Threat Labs, the company that discovered the campaign, said had been modified without authorization.
“This malware makes use of the Invisible Internet Project (i2p) […] to download malicious components and send mined currency to the attacker’s wallet,” Jamf researchers Ferdous Saljooki, Matt Benyo, and Jaron Bradley said in a report.
Trend Micro documented an earlier variant of the campaign exactly one year earlier, noting the malware's use of i2p to obfuscate network traffic and speculating that it may have been distributed as a DMG file posing as Adobe Photoshop CC 2019. The Apple device management company said that the earliest uploads to Pirate Bay, the source of the cryptojacking applications, date back to 2019.
In total, three malware generations were found, showing how the campaign's stealth and complexity developed over time. They were first seen in August 2019, April 2021, and October 2021. One evasion technique is a shell script that checks the list of running processes for Activity Monitor and, if it is present, terminates the mining processes.
The mining process depends on the user launching the pirated program; once that happens, malware in the executable establishes an i2p connection to an actor-controlled server to download the XMRig component. Because users of cracked software knowingly engage in illegal activity and the malware can evade detection, the distribution channel has long been very effective.
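The evasion described above means an interactive look at Activity Monitor is the one check the miner is built to defeat: it exits when that app appears. A defender instead wants a non-interactive snapshot of the process list, taken from a script, that flags the campaign's indicators (XMRig and i2p) and treats a clean result as inconclusive if Activity Monitor happened to be open. The following is an added example written for this article, not Jamf's tooling and not code from the campaign; the process names, the CPU threshold, the "unusual path" heuristic and the sample `ps` output are all constructed assumptions.

```python
"""Scan a `ps -axo pid,pcpu,command` listing for indicators of the
XMRig / i2p cryptojacking campaign described above.

Added example for this article; not Jamf's detection logic.
Indicator patterns and thresholds below are assumptions.
"""
import re
from dataclasses import dataclass, field

# Indicators drawn from the article: the XMRig miner and the i2p layer
# it uses for command-and-control and wallet traffic (assumed names).
INDICATORS = {
    "xmrig": re.compile(r"xmrig", re.I),
    "i2p": re.compile(r"\bi2p", re.I),
}

# Hypothetical threshold for "sustained mining load", in percent CPU.
CPU_THRESHOLD = 80.0

# Heuristic: a hot process running from a temp dir, a user Library dir,
# or any hidden (dot) directory is worth a look. Assumption, not a rule.
UNUSUAL_PATH = re.compile(
    r"^(/private/tmp|/tmp|/var/folders|/Users/[^/]+/Library)/|/\."
)


@dataclass
class Finding:
    pid: int
    cpu: float
    command: str
    reasons: list = field(default_factory=list)


def parse_ps_line(line):
    """Parse one `ps -axo pid,pcpu,command` line into (pid, cpu, command).

    Returns None for the header line or anything unparseable. The command
    may contain spaces (e.g. "Final Cut Pro"), so split at most twice.
    """
    parts = line.split(None, 2)
    if len(parts) < 3:
        return None
    try:
        return int(parts[0]), float(parts[1]), parts[2].strip()
    except ValueError:
        return None


def activity_monitor_running(ps_output):
    """True if Activity Monitor is in the listing. Per the article, the miner
    kills itself when it sees this app, so a clean scan taken while it is
    open proves nothing."""
    return any(
        "Activity Monitor" in (p[2] if (p := parse_ps_line(l)) else "")
        for l in ps_output.splitlines()
    )


def scan(ps_output):
    """Return a Finding for every process matching an indicator or the
    high-CPU-from-unusual-path heuristic, in listing order."""
    findings = []
    for line in ps_output.splitlines():
        parsed = parse_ps_line(line)
        if parsed is None:
            continue
        pid, cpu, cmd = parsed
        reasons = [name for name, rx in INDICATORS.items() if rx.search(cmd)]
        if cpu >= CPU_THRESHOLD and UNUSUAL_PATH.search(cmd):
            reasons.append("high_cpu_unusual_path")
        if reasons:
            findings.append(Finding(pid, cpu, cmd, reasons))
    return findings


# Constructed sample listing; paths and arguments are invented for the demo.
SAMPLE_PS = """\
  PID %CPU COMMAND
    1  0.1 /sbin/launchd
  412  2.3 /Applications/Final Cut Pro.app/Contents/MacOS/Final Cut Pro
  418  0.0 /bin/sh -c sleep 30
  420 95.4 /private/tmp/.hidden/xmrig --config cfg.json
  421  1.2 /private/tmp/.hidden/i2pd --conf i2pd.conf
  500  0.5 /System/Library/CoreServices/Finder.app/Contents/MacOS/Finder
"""

if __name__ == "__main__":
    # On a real host: ps_output = subprocess.check_output(
    #     ["ps", "-axo", "pid,pcpu,command"], text=True)
    for f in scan(SAMPLE_PS):
        print(f"pid {f.pid:>5}  cpu {f.cpu:5.1f}  {', '.join(f.reasons)}  {f.command}")
    if activity_monitor_running(SAMPLE_PS):
        print("note: Activity Monitor is open; miner may have exited, rescan later")
```

Run it periodically from a launch agent or an MDM script rather than by hand, so that the snapshot is taken when no monitoring UI is visible; the `SAMPLE_PS` block stands in for the real `ps` call shown in the comment.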
To counter this abuse, Apple added stricter Gatekeeper checks for notarized programs in macOS Ventura, which stop modified apps from running. According to Jamf researchers, the miner could nevertheless still run under macOS Ventura: by the time the user sees the error message, the infection is already in place. Ventura did, however, prevent the modified version of Final Cut Pro from launching, which made users suspicious and considerably reduced the likelihood that they would relaunch it.