Cryptocurrency mining malware deployed through trojanized macOS apps

Trojanized versions of legitimate applications are deploying evasive cryptocurrency mining malware on macOS systems.

Jamf Threat Labs discovered the campaign while investigating the use of XMRig, a command-line crypto-mining tool.

“This malware makes use of the Invisible Internet Project (i2p) […] to download malicious components and send mined currency to the attacker’s wallet,” Jamf researchers Matt Benyo, Ferdous Saljooki, and Jaron Bradley said in a report.

The malware is able to operate under the radar because it targets users of pirated software, which is itself unlawful, so victims are unlikely to report it. This has helped the distribution vector spread efficiently.

It was distributed inside a pirated copy of Apple’s video editing software, Final Cut Pro. At first, XMRig was not considered malicious: it is commonly used for legitimate purposes, it is adaptable, and it is open source, which is also what makes it attractive to attackers.

In January 2023, some security vendors began flagging it as malicious; cases have been reported since then, and some variants are now recognized.

How does it work?

Adware is the most common macOS malware, but cryptojackers are now taking its place. This family relies on newer techniques and is a more advanced form that is difficult to detect.

The malware is designed to use the Invisible Internet Project (i2p), an alternative to Tor. Using this communication method makes it challenging to identify the source: the malicious components are downloaded over i2p, and the mined currency is sent to the attackers’ wallets over it as well.

Here’s how:

  1. The user downloads and double-clicks the application bundle.
  2. The trojanized executable runs.
  3. A working, base64-encoded Final Cut Pro executable is extracted.
  4. A base64-encoded i2p executable is extracted and, on execution, disguised as mdworker_shared.
  5. The miner executable is pulled from the command-and-control server.
  6. Mining begins, disguised as the mdworker_local process.
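Steps 4 and 6 give defenders a simple detection hook: genuine Spotlight workers run from one Apple system directory, so an mdworker-named process running from anywhere else is a masquerade. The following check, added here as a constructed example (not Jamf’s or PureVPN’s code), parses `ps` output and flags such processes; the legitimate mdworker directory and the sample process list are assumptions.

```python
"""Flag processes that borrow the names of Spotlight's mdworker helpers."""
import re

# Assumed location of Apple's genuine Spotlight worker binaries (allow-list).
LEGIT_MDWORKER_DIR = (
    "/System/Library/Frameworks/CoreServices.framework/Frameworks/"
    "Metadata.framework/Versions/A/Support"
)

# One line of `ps -axo pid=,user=,pcpu=,comm=`: pid, user, %CPU, then the
# executable path, which may itself contain spaces (e.g. app bundles).
PS_LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s+([\d.]+)\s+(.+?)\s*$")


def parse_ps_line(line):
    """Return a dict for one ps line, or None if it does not parse."""
    m = PS_LINE.match(line)
    if not m:
        return None
    pid, user, pcpu, path = m.groups()
    return {"pid": int(pid), "user": user, "pcpu": float(pcpu), "path": path}


def is_masquerade(proc):
    """True when an mdworker*-named binary runs outside Apple's directory."""
    name = proc["path"].rsplit("/", 1)[-1]
    if not name.startswith("mdworker"):
        return False
    return not proc["path"].startswith(LEGIT_MDWORKER_DIR + "/")


def find_masquerades(ps_output):
    """Scan ps output and return the suspicious processes, in order."""
    hits = []
    for line in ps_output.splitlines():
        proc = parse_ps_line(line)
        if proc and is_masquerade(proc):
            hits.append(proc)
    return hits


# Constructed sample output; PIDs, users and the /private/tmp path are made up.
SAMPLE_PS = """\
  412 _spotlight  0.3 /System/Library/Frameworks/CoreServices.framework/Frameworks/Metadata.framework/Versions/A/Support/mdworker_shared
 8830 jdoe        0.8 /private/tmp/.x/mdworker_shared
 8831 jdoe       97.5 /private/tmp/.x/mdworker_local
 9002 jdoe        1.2 /Applications/Final Cut Pro.app/Contents/MacOS/Final Cut Pro
"""

if __name__ == "__main__":
    for p in find_masquerades(SAMPLE_PS):
        print(f"pid {p['pid']} ({p['user']}, {p['pcpu']}% CPU) masquerades at {p['path']}")
```

On a live host, feed it `ps -axo pid=,user=,pcpu=,comm=` instead of the constructed sample; a hit with high CPU use is the miner, and a low-CPU sibling is the i2p proxy.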

Point to consider

It is essential to note that this error message was only seen with pirated Logic Pro and Final Cut Pro (both Apple titles). Pirated software delivered over peer-to-peer networks is an ideal malware delivery mechanism for several reasons: it can bundle trojans, malicious scripts, keyloggers, adware, and backdoors, leaving the victim exposed once it is installed.

“Fake apps remain one of the top entry vectors on macOS, indicating Gatekeeper bypass techniques are an attractive and even a necessary capability for adversaries to leverage in attacks,” Bar-Or said.

Use a threat prevention tool 

All known versions of this malware family are detected and blocked by Jamf Protect Threat Prevention. Discovered malware samples were shared with Apple. As of version 2166, XProtect signatures have also been updated to defend against this threat.

Wrapping up

People use fake apps and pirated software without realizing how these can trap them. Selling pirated copies of software and apps is a crime, and such copies are used to betray the people who install them. The authenticity of software must be verified to avoid problems later.

Author: PureVPN

Date: February 27, 2023


PureVPN is a leading VPN service provider that excels in providing easy solutions for online privacy and security. With 6000+ servers in 65+ countries, It helps consumers and businesses in keeping their online identity secured.
