New Crypto Mining Malware Targets Macs

May 26, 2018 by Alexander Caruso

On Tuesday, cybersecurity firm Malwarebytes announced a new type of crypto mining malware in a blog post. The malware targets Mac computers and mines Monero using CPU power. Unwanted crypto mining software can be installed on users’ machines through a process known as ‘cryptojacking’, where malicious JavaScript is injected into a website to instruct a user’s CPU to mine cryptocurrency, or where a user is tricked into installing crypto mining software. Fortunately, this new Mac mining malware is not very sophisticated or dangerous, and easy to remove.

The malware is easy to identify because it uses a significant amount of CPU capacity, which often causes users’ machines to heat up and spin up their fans even when they are not running CPU-heavy applications. This malware is only ‘dangerous’ for users whose machines have damaged fans or overheating problems.

The blog post, posted by Malwarebytes director of Mac and mobile Thomas Reed, explains how the Mac cryptominer malware works by using three distinct programs. First, a ‘dropper’ program is used to download the malware. At this point, the Malwarebytes team is unaware of the dropper program for this malware, but they believe it is something relatively simple, such as a fake Adobe Flash Player installer.

Second, a ‘launcher’ file named pplauncher is installed, which is used to install and launch the malware. Reed notes that pplauncher is a very large executable file (3.5 MB), written in the Golang programming language, which is an odd and probably sub-optimal choice. According to Reed:

“Using Golang introduces significant overhead, resulting in a binary file containing more than 23,000 functions. Using this for what appears to be simple functionality is probably a sign that the person who created it is not familiar with Macs.”

The ‘launcher’ installs and launches the miner itself, which is the mshelper process, a standard Mac process being abused in this case. The process seems to be “an older version of the legitimate XMRig miner . . . that is being used for the purpose of generating the cryptocurrency for the hacker behind the malware.”

The blog post linked above provides the file paths for all the malicious files associated with this malware, for any users who suspect it is consuming their CPU. The post notes that Mac cryptomining is on the rise; other recent Mac crypto mining malware includes Pwnet, CpuMeaner, and CreativeUpdate.
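The article describes two things a user can go on: the symptom (a process pinning the CPU while nothing CPU-heavy is running) and the two process names it gives, pplauncher and mshelper. The following triage helper is an added example, not code from the article or from Malwarebytes. It reads `ps`-style output (`PID %CPU COMMAND`) and flags any line whose command basename is one of the article's two names, or whose CPU share is at or above a threshold; the 50% threshold and the sample process list are constructed for illustration, and no real malicious file paths are included because the article does not reproduce them.

```shell
#!/bin/sh
# Added triage helper (not the article's or Malwarebytes' code).
# Flags processes that match the symptom described (sustained high CPU)
# or the process names the article gives. On a live Mac you would run:
#   ps -Ao pid,pcpu,comm | flag_cpu_hogs 50

# Names taken from the article; anything else is reported only if it
# crosses the CPU threshold (an assumed value, default 50 percent).
KNOWN_NAMES="pplauncher mshelper"

flag_cpu_hogs() {
    threshold="${1:-50}"
    # Input lines look like `ps -o pid,pcpu,comm`: PID %CPU COMMAND
    awk -v thr="$threshold" -v names="$KNOWN_NAMES" '
        BEGIN {
            n = split(names, arr, " ")
            for (i = 1; i <= n; i++) known[arr[i]] = 1
        }
        NR == 1 && $1 == "PID" { next }       # skip a ps header line if present
        {
            pid = $1
            cpu = $2 + 0
            # COMMAND may contain spaces: keep everything after the two numbers
            cmd = $0
            sub(/^[ \t]*[^ \t]+[ \t]+[^ \t]+[ \t]+/, "", cmd)
            base = cmd
            sub(/.*\//, "", base)             # basename, so paths still match
            reason = ""
            if (base in known) reason = "known-name"
            else if (cpu >= thr) reason = "high-cpu"
            if (reason != "") printf "%s %s %.1f %s\n", reason, pid, cpu, cmd
        }'
}

# Constructed sample ps output for a stand-alone run; not a real capture,
# and the paths shown are invented for the demo.
SAMPLE='  PID %CPU COMMAND
  101  0.3 /usr/libexec/launchd
  202 97.8 /Users/demo/Library/mshelper
  303 12.0 /Applications/Safari.app/Contents/MacOS/Safari
  404  0.1 pplauncher
  505 88.0 /usr/bin/clang'

# demo prints one line per flagged process: reason, pid, cpu, command
demo() {
    printf '%s\n' "$SAMPLE" | flag_cpu_hogs 50
}

demo
```

A hit on the CPU threshold alone is only a lead, as the sample shows with a compiler at 88%: the defender's follow-up is to check where the flagged binary lives and how it is launched, and the article points to the Malwarebytes post for the actual file paths to compare against.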
