Pirated Final Cut Pro copies are distributing cryptomining malware – Candid.Technology

A cryptomining campaign using the XMRig utility in conjunction with a hacked copy of Final Cut Pro is available via torrent to trick unsuspecting users into mining Monero cryptocurrency without their consent, according to security researchers at Jamf Threat Labs.

The torrent was found on the popular torrent site The Pirate Bay and was uploaded by a user named wtfishthat34698409672, who also appears to have been uploading other macOS apps, including Photoshop and Adobe's Logic Pro X, since at least 2019. Every torrent uploaded by this person carries a cryptomining payload.

The payload itself remains undetected by most antivirus engines, and further analysis revealed three main stages of development, each adding a more complex evasion mechanism. Security tools only detect the first version of the malware, which stopped circulating in April 2021. The second version was active between April 2021 and October 2021 and used Base64 encoding to hide malicious payloads inside the application package.

The three generations of malware targeting macOS users. | Source: Jamf

Finally, the third and current version was released in October 2021 and, as of May 2022, became the only variant distributed. This version also includes a new feature that masks malicious processes as Spotlight system processes to avoid detection. It also includes a script that checks whether Activity Monitor is running and, if so, kills all malicious processes so they remain hidden from the user.

Across all versions, the malware has used an I2P (Invisible Internet Project) network layer for command and control (C2) communications to anonymize its traffic.
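One way a defender can look for the process-masquerading behaviour described above, as an added example (not code from the article or from the Jamf report): it parses `ps -axo pid=,comm=` style output and flags system-daemon names running from untrusted paths, plus names hinting at XMRig or I2P. The trusted prefixes, daemon-name list and sample process listing are assumptions constructed for the example.

```python
"""Flag processes that imitate system daemons from untrusted paths (macOS ps output)."""
import re
from os.path import basename

# Directories from which genuine system daemons run on macOS (assumed trusted locations).
TRUSTED_PREFIXES = ("/System/", "/usr/", "/sbin/", "/bin/", "/Library/Apple/")

# Daemon names a miner might borrow to blend in (Spotlight workers etc.); assumed list,
# extend it from a baseline taken on a clean machine.
SYSTEM_NAMES = {"mdworker", "mdworker_shared", "mds", "mds_stores", "launchd", "kernel_task"}

# Substrings associated with the components named in the write-up (XMRig miner, I2P layer).
MINER_HINTS = re.compile(r"xmrig|i2p|stratum", re.IGNORECASE)


def parse_ps(text):
    """Parse `ps -axo pid=,comm=` output into (pid, executable path) tuples."""
    rows = []
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+(\S.*)$", line)
        if m:
            rows.append((int(m.group(1)), m.group(2).strip()))
    return rows


def classify(pid, path):
    """Return a finding label for one process entry, or None if nothing stands out."""
    name = basename(path)
    if name in SYSTEM_NAMES and not path.startswith(TRUSTED_PREFIXES):
        return "masquerade"        # system daemon name, but a user-writable location
    if MINER_HINTS.search(path):
        return "miner-indicator"   # name points at the miner or its I2P transport
    return None


def find_suspicious(text):
    """Return (pid, path, label) for every flagged process in a ps listing."""
    return [(pid, path, label) for pid, path in parse_ps(text)
            if (label := classify(pid, path))]


# Constructed sample listing (not captured from a real infection).
SAMPLE_PS = """\
  412 /System/Library/Frameworks/CoreServices.framework/Frameworks/Metadata.framework/Versions/A/Support/mdworker_shared
  900 /Applications/Final Cut Pro.app/Contents/MacOS/Final Cut Pro
 7731 /Users/alice/Library/Caches/.fcp/mdworker_shared
 7732 /Users/alice/Library/Caches/.fcp/i2pd
"""

if __name__ == "__main__":
    for pid, path, label in find_suspicious(SAMPLE_PS):
        print(f"{label:16} pid={pid} {path}")
```

On a live machine, feed it the real listing with `subprocess.run(["ps", "-axo", "pid=,comm="], capture_output=True, text=True).stdout`; the "masquerade" check is the more reliable of the two signals, since name hints are easy to rename away.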

The latest version of macOS, called Ventura, includes strict code checks to ensure that malicious apps cannot launch and hide malware from within user-facing apps. The threat actor attempted to bypass this verification by only partially modifying Final Cut Pro, keeping the original code signing certificate intact. Ventura will still not allow Final Cut Pro to run as it has been partially modified, but it does not stop the cryptomining payload from running.

BleepingComputer reports that the malware is on Apple's radar and that the company is working on specific XProtect updates to block its execution, covering all variants described in the Jamf report.

Pirated software is often a treasure trove of malware and can be extremely dangerous to download and use. It is recommended that users only use official app stores or sources, regardless of their operating system, to download and use any programs.
