New Crypto Mining Malware Targets Macs
The malware is easy to identify because it consumes a significant share of CPU capacity, which often causes users’ machines to heat up and spin up their fans even when no CPU-heavy applications are running. This malware is only ‘dangerous’ for users whose machines have damaged fans or overheating problems.
The blog post, written by Malwarebytes director of Mac and mobile Thomas Reed, explains how the Mac cryptominer malware works using three distinct programs. First, a ‘dropper’ program is used to download the malware. At this point, the Malwarebytes team has not identified the dropper for this malware, but they believe it is something relatively simple, such as a fake Adobe Flash Player installer.
Second, a ‘launcher’ file named pplauncher is installed, which is used to install and launch the malware. Reed notes that pplauncher is a very large executable file (3.5 MB), written in the Golang programming language, which is an odd and probably sub-optimal choice. According to Reed:
“Using Golang introduces significant overhead, resulting in a binary file containing more than 23,000 functions. Using this for what appears to be simple functionality is probably a sign that the person who created it is not familiar with Macs.”
The ‘launcher’ installs and launches the miner itself, which is the mshelper process, a standard Mac process being abused in this case. The process seems to be “an older version of the legitimate XMRig miner . . . that is being used for the purpose of generating the cryptocurrency for the hacker behind the malware.”
The blog post linked above provides the file paths for all the malicious files associated with this malware, for any users who suspect it is consuming their CPU. The post notes that Mac cryptomining is on the rise. Other recent Mac cryptomining malware families are Pwnet, CpuMeaner, and CreativeUpdate.
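A small triage helper, added here as an example (not code from the article or from Malwarebytes), that flags the two process names the article mentions (pplauncher and mshelper) and any process consuming an unusual share of CPU; the CPU threshold and the sample process list are assumptions, and the file paths Reed's post lists are not reproduced here.

```shell
# Hypothetical triage helper (added example, not from the article or Malwarebytes).
# Scans `ps`-style output for the process names the article mentions and for any
# process hogging the CPU. Input lines are "PID %CPU COMMAND".
MINER_NAMES="pplauncher mshelper"
CPU_THRESHOLD=80   # percent; assumption, tune for the host

scan_ps_output() {
    # stdin: one process per line, fields: pid pcpu comm (as from `ps -axo pid,pcpu,comm`)
    while read -r pid pcpu comm; do
        [ -z "$pid" ] && continue
        case "$pid" in PID) continue ;; esac   # skip the ps header line
        base=${comm##*/}                       # compare on the executable name only
        for name in $MINER_NAMES; do
            [ "$base" = "$name" ] && echo "NAME_MATCH pid=$pid cpu=$pcpu comm=$comm"
        done
        # integer compare on the whole-number part of the %CPU column
        cpu_int=${pcpu%%.*}
        if [ "${cpu_int:-0}" -ge "$CPU_THRESHOLD" ]; then
            echo "HIGH_CPU pid=$pid cpu=$pcpu comm=$comm"
        fi
    done
}

# Live check on a Mac (macOS ps supports -axo pid,pcpu,comm):
#   ps -axo pid,pcpu,comm | scan_ps_output
```

A NAME_MATCH line is a strong indicator worth investigating with the paths from Reed's post; a HIGH_CPU line alone is only a prompt to look closer, since legitimate workloads also peg the CPU.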