Last week, a new Mac cryptojacking campaign was reported on Apple's support forums: affected users were unknowingly running software that mines the privacy coin Monero.
According to a blog post from Malwarebytes Labs, the malware came to light when a user noticed a process called "mshelper" consuming a suspiciously large amount of CPU time; it was always near the top of the CPU column in Activity Monitor. The user noticed this after installing BitDefender, which kept reporting that it was deleting mshelper, yet the process kept reappearing. Malwarebytes was tried as well, to no avail.
One forum reader suggested running EtreCheck, which immediately identified the malware and let the victim remove it.
Identifying Malware Components
Malwarebytes Labs said it obtained copies of the files and found the other components installed alongside the process.
A "dropper" is the program that installs the malware in the first place. On Macs this is often a decoy document the user is tricked into opening, a download from a pirate site, or a fake Adobe Flash Player installer. The dropper for this miner has not been found, but Malwarebytes Labs believes it is something simple.
The researchers found a launcher called "pplauncher" that is kept running by a launch daemon. Installing a launch daemon requires root, so the dropper likely ran with root privileges.
pplauncher is written in Golang for macOS, and its only purpose is to install and start the miner process. Golang carries considerable overhead: the resulting binary contains more than 23,000 functions. Using it for such a simple task suggests the author is not very familiar with Macs.
Modeled after a legitimate miner
The mshelper process appears to be an older version of XMRig, a legitimate Monero miner that can be installed on a Mac with Homebrew. Build information reported by the current XMRig binary shows it was built on May 7, 2018 with clang 9.0.0.
The researchers obtained the same information from the mshelper binary, which showed a build date of 2018-03-26, also with clang 9.0.0.
Malwarebytes Labs concluded that mshelper is simply an older copy of XMRig, repurposed to mine cryptocurrency for the attackers' profit. pplauncher starts it from the command line with parameters, including one that specifies the user account the mined coins are credited to.
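Putting the indicators the article gives to work, here is an added triage script that is not part of the original article or of the Malwarebytes Labs write-up. It flags processes in a `ps` snapshot on the three grounds described above (sustained high CPU, the component names mshelper and pplauncher, and XMRig-style command-line options such as the pool and user parameters) and lists launch daemon plists that reference those names. The process snapshot and the plist fixture are constructed samples; the paths, pool host, wallet string and plist labels in them are invented placeholders, not indicators from the page. The `-o` (pool URL) and `-u`/`--user` option names are XMRig's own, which the article does not spell out, and the 80% CPU cutoff is an assumed value.

```shell
#!/bin/sh
# Added triage example (not from the article or from Malwarebytes Labs).
# Two checks, mirroring what the write-up describes:
#   1. triage_ps    - flag processes in a `ps` snapshot that look like the miner
#   2. find_daemons - list launch daemon plists referencing the known component names
# Paths, pool host, wallet string and plist labels below are invented placeholders.

# CPU% above which a long-running process is worth a look (assumed cutoff).
CPU_THRESHOLD=${CPU_THRESHOLD:-80}

# Constructed snapshot in the layout of `ps -Axo pid,pcpu,comm,args` (not real data).
SAMPLE_PS='  PID  %CPU COMM                ARGS
    1   0.0 /sbin/launchd       /sbin/launchd
  312   1.2 /usr/bin/ssh-agent  /usr/bin/ssh-agent
  840  97.3 mshelper            /tmp/mshelper -o pool.example.invalid:3333 -u 4AexampleWalletAddress -k
  841   0.4 pplauncher          /Library/Application Support/pplauncher/pplauncher
  900  12.5 Safari              /Applications/Safari.app/Contents/MacOS/Safari'

# Read ps output on stdin; print "pid<TAB>comm<TAB>reasons" for each suspect.
# Reasons: high-cpu (what the forum user saw), known-name (mshelper/pplauncher
# from the write-up, or anything calling itself xmrig), miner-args (XMRig's
# -o <pool>, -u/--user <account> and stratum+tcp URLs, caught even when the
# miner throttles itself and CPU looks normal).
triage_ps() {
    awk -v thr="$CPU_THRESHOLD" '
        NR == 1 { next }   # skip the header row
        {
            reason = ""
            if ($2 + 0 >= thr) reason = reason "high-cpu "
            if ($3 ~ /^(mshelper|pplauncher)$/ || $3 ~ /xmrig/) reason = reason "known-name "
            if ($0 ~ / -o [^ ]+:[0-9]+/ || $0 ~ /-u [A-Za-z0-9]|--user|stratum\+tcp/) reason = reason "miner-args "
            if (reason != "") printf "%s\t%s\t%s\n", $1, $3, reason
        }'
}

# Build a throwaway directory with two constructed plists: one that launches
# the (placeholder) pplauncher path and one benign entry. Prints the path.
make_fixture() {
    d=$(mktemp -d)
    cat > "$d/com.example.pplauncher.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.pplauncher</string>
  <key>ProgramArguments</key>
  <array><string>/Library/Application Support/pplauncher/pplauncher</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>
EOF
    cat > "$d/com.example.backupagent.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.backupagent</string>
  <key>ProgramArguments</key><array><string>/usr/local/bin/backupagent</string></array>
</dict></plist>
EOF
    printf '%s\n' "$d"
}

# Launch daemons run as root at boot, which is why the write-up infers the
# dropper had root. List every plist in the directory (default: the system
# LaunchDaemons folder) that references a known component name.
find_daemons() {
    dir=${1:-/Library/LaunchDaemons}
    grep -l -E 'mshelper|pplauncher' "$dir"/*.plist 2>/dev/null
}

# Stand-alone run against the constructed data. On a live Mac, replace the
# first line with:  ps -Axo pid,pcpu,comm,args | triage_ps
printf '%s\n' "$SAMPLE_PS" | triage_ps
fixture=$(make_fixture)
find_daemons "$fixture"
rm -rf "$fixture"
```

Against the sample, `triage_ps` reports mshelper on all three grounds and pplauncher on its name alone; Safari's 12.5% CPU stays below the cutoff and carries no miner-style arguments, so it is left out. The name rule exists because a copy of XMRig renamed to something innocuous would still be caught by the argument rule, while a renamed component without arguments would only be caught by CPU load, so the three checks cover each other's gaps.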
The researchers said the miner does no direct damage to the Mac, although its sustained CPU load can overheat a machine whose fan is faulty or whose vents are clogged.
Although mshelper is a copy of a legitimate tool that someone is misusing, it should still be removed like any other malware.
The malware, now tracked as OSX.ppminer, joins other cryptocurrency miners for macOS, including CreativeUpdate, CpuMeaner and Pwnet.
The post Monero Mining Malware Attacks Apple Macs appeared first on CCN