Hackers Using Trojanized macOS Apps to Deploy Evasive Cryptocurrency Mining Malware

February 23, 2023 | Ravie Lakshmanan | Endpoint Security / Cryptocurrency

Trojanized versions of legitimate applications are being used to deploy evasive cryptocurrency mining malware on macOS systems.

Jamf Threat Labs, which made the discovery, said the XMRig coin miner was found running inside Final Cut Pro, Apple's video editing software, in a version that contained an unauthorized modification.

"This malware makes use of the Invisible Internet Project (i2p) [...] to download malicious components and send mined currency to the attacker's wallet," Jamf researchers Matt Benyo, Ferdous Saljooki, and Jaron Bradley said in a report shared with The Hacker News.

An earlier iteration of the campaign was documented exactly one year ago by Trend Micro, which pointed out the malware's use of i2p to hide network traffic and speculated that it might have been delivered as a DMG file for Adobe Photoshop CC 2019.

The Apple device management company said the source of the cryptojacking apps can be traced back to Pirate Bay, with the first uploads dating back to 2019.

The result is the discovery of three generations of the malware, first observed in August 2019, April 2021, and October 2021, charting the evolution of the campaign's sophistication and stealth.

An example of the evasion technique is a shell script that monitors the list of running processes for the presence of Activity Monitor and, if it is found, terminates the mining processes.

The malicious mining process relies on the user launching the hacked application, upon which the code embedded in the executable connects to a server controlled by the actor via i2p to download the XMRig component.
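The chain described above (a user-launched application bundle spawning a shell that runs the miner and an i2p component) is the kind of parent/child relationship a defender can look for in process telemetry. The script below is an added example written for this article, not code from Jamf or the article itself: it parses a constructed snapshot in the shape of `ps -axo pid,ppid,comm` output from macOS and flags known miner or i2p process names whose ancestry leads back to a GUI application bundle. All PIDs, paths and the `i2pd` binary name are assumptions for illustration; the real campaign's component may be named differently.

```python
"""Process-tree triage for the tampered-app-to-miner pattern (added example).

Reads a ps-style snapshot and reports suspicious processes that were
launched, directly or through a shell, from inside an .app bundle.
"""
from dataclasses import dataclass

# Constructed sample in the shape of `ps -axo pid,ppid,comm` on macOS.
# Every PID and path here is made up for illustration.
SAMPLE_PS = """\
  PID  PPID COMM
    1     0 /sbin/launchd
  410     1 /System/Library/CoreServices/Finder.app/Contents/MacOS/Finder
  502   410 /Applications/Final Cut Pro.app/Contents/MacOS/Final Cut Pro
  503   502 /bin/sh
  504   503 /Users/alice/Library/Caches/.tmp/xmrig
  505   503 /Users/alice/Library/Caches/.tmp/i2pd
  610   410 /System/Applications/Utilities/Activity Monitor.app/Contents/MacOS/Activity Monitor
"""

# Process names a defender would treat as suspicious under a GUI application.
# XMRig is named in the article; "i2pd"/"i2p" are assumptions (common names
# for an i2p router binary), so treat this as a starting point, not a signature.
SUSPICIOUS_NAMES = {"xmrig", "i2pd", "i2p"}


@dataclass
class Proc:
    pid: int
    ppid: int
    path: str


def parse_ps(text: str) -> dict[int, Proc]:
    """Parse `pid ppid comm` lines (header skipped) into a pid -> Proc map."""
    procs: dict[int, Proc] = {}
    for line in text.splitlines()[1:]:
        line = line.strip()
        if not line:
            continue
        pid, ppid, path = line.split(None, 2)  # comm may contain spaces
        procs[int(pid)] = Proc(int(pid), int(ppid), path)
    return procs


def ancestry(procs: dict[int, Proc], pid: int) -> list[Proc]:
    """Walk parent links from pid up to the root, guarding against cycles."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid])
        pid = procs[pid].ppid
    return chain


def is_app_bundle(path: str) -> bool:
    return ".app/Contents/MacOS/" in path


def find_suspicious(procs: dict[int, Proc]) -> list[tuple[int, str, str]]:
    """Return (pid, name, launching app path) for suspicious processes whose
    ancestry passes through an application bundle."""
    findings = []
    for p in procs.values():
        name = p.path.rsplit("/", 1)[-1].lower()
        if name not in SUSPICIOUS_NAMES:
            continue
        app = next((a for a in ancestry(procs, p.ppid) if is_app_bundle(a.path)), None)
        if app is not None:
            findings.append((p.pid, name, app.path))
    return findings


if __name__ == "__main__":
    for pid, name, app in find_suspicious(parse_ps(SAMPLE_PS)):
        print(f"pid {pid}: {name} launched under {app}")
```

Because the evasion script the researchers describe kills the miner as soon as Activity Monitor appears, a snapshot taken while Activity Monitor is open may look clean; feed this check with `ps` output from a terminal or with EDR process-creation telemetry instead, where the short-lived parent/child events survive.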

The malware's ability to remain undetected, coupled with the fact that users running cracked software are willingly doing something illegal, has made pirated applications a very effective distribution vector for many years.

However, Apple has taken steps to combat such abuse by subjecting notarized apps to more stringent Gatekeeper checks in macOS Ventura, thus preventing tampered applications from launching.

"On the other hand, macOS Ventura did not prevent the miner from running," the Jamf researchers noted. "By the time the user gets the error message, that malware has already been installed."

"[It] prevented the modified version of Final Cut Pro from launching, which could raise suspicions for the user and greatly reduce the likelihood of the user launching it later."
