Researchers have uncovered yet another campaign that uses macOS applications to distribute malware and launch crypto mining operations.
A new crypto mining campaign has been targeting applications that work on macOS products and uses malicious application bundles to deploy open source XMRig crypto mining software and Invisible Internet Protocol (I2P) network tooling.
The first indicator of the campaign was suspicious multi-architecture binaries in a public malware repository. Further analysis revealed that this campaign employed techniques that were first used in the summer of 2021, according to researchers at Crowdstrike.
The identified applications appeared to be legitimate software like Apple Logic Pro X, Final Cut Pro, Traktor, and Adobe Creative Suite products, and their primary executable was a dropper that included I2P tooling and a genuine version of the application, said the report.
XMRig on Mac, new and improved
The dropper used I2P to download a custom XMRig miner and coordinate mining operations. XMRig on Macs is not new. However, unlike previous threats that utilized I2P and XMRig, this campaign used a legitimate application and scripts to deploy its tooling.
“Research began after identifying suspicious multi-architecture binaries within a public malware repository. Analysis of common samples shows that the techniques in this campaign date back to the summer of 2021,” said the report.
The malware campaign employs a dropper that tricks the victim into believing that they are installing a legitimate application.
“In order to appear as a working copy of Logic Pro X, the dropper contains a legitimate copy of the lure application. The dropper starts by generating a script to decode the legitimate Mach-O file. During this process a large Base64-encoded file is written to disk,” the report said.
Mac, malware, and installation
The malware is likely distributed via Apple Disk Images (DMGs), and the dropper binary is a universal Mach-O supporting both x86_64 and ARM architectures. It is located in the installed application bundle and executes when the application bundle is launched.
The dropper generates multiple randomly named files and folders in the /tmp/ directory and dynamically produces the script content with these generated values.
The dropper generates a script to decode the legitimate Mach-O file and create a mirrored application bundle in the host’s /tmp/ directory. The mirrored bundle contains the genuine application instead of the dropper binary.
The dropper then forks itself to launch the legitimate application, while the original dropper process continues to execute in order to orchestrate the mining operations. Two additional scripts are used to configure the I2P network tooling and download the XMRig mining software.
The dropper downloads a customized Mach-O from the open-source i2pd (I2P Daemon) project to use I2P for anonymous and end-to-end encrypted communications.
XMRig and macOS
This is neither the first instance of XMRig on Mac, nor the first instance of crypto mining malware planted on Macs through pirated software applications. Recently, security firm Jamf detected an XMRig implementation disguised as Apple’s Final Cut Pro video editing software.
“During routine monitoring of our threat detections in the wild, we encountered an alert indicating XMRig usage, a command-line crypto-mining tool. While XMRig is commonly used for legitimate purposes, its adaptable, open-source design has also made it a popular choice for malicious actors,” said the Jamf analysis report.
“This particular instance was of interest to us as it was executed under the guise of the Apple-developed video editing software, Final Cut Pro. Further investigation revealed that this malicious version of Final Cut Pro contained a modification unauthorized by Apple that was executing XMRig in the background.”
Coinminers and macOS
“Coinminers are one of the more profitable types of malware for malicious actors, and they require little maintenance once installed on a victim’s device,” said a Trend Micro report, which analyzed a coinminer sample sourced in early January 2022.
This unique malware, spread through the i2p network, utilizes open-source binaries to carry out its coinmining activities. The malware was found to be capable of evading detection by traditional antivirus software, and it also uses a highly encrypted network for communication, making it difficult to trace.
This Mac coinminer turned out to be advanced version of an older malware strain known as HiddenLotus. This malware too uses open-source binaries, such as XMRig and zcashd, to mine cryptocurrencies on infected machines.
