An investigation has discovered a new elusive crypto-jacking malware on macOS distributed through pirated versions of Final Cut Pro.
New malware targets macOS
Jamf Threat Labs has spent the past few months tracking a family of malware that recently resurfaced. An earlier version is known in the security community, but the new iteration has not been widely spotted.
During routine monitoring, Jamf received an alert about the use of XMRig, a command-line tool for mining cryptocurrency. Although XMRig is often used for good, its customizable open source nature has also made it a well-liked option for bad actors.
The team found malware hidden in pirated versions of Final Cut Pro, Apple’s video editing software. This malicious version of Final Cut Pro ran XMRig in the background.
Embedded malware script. Source: Jamf Labs
It uses the Invisible Internet Project (i2p) for communication, a private network layer that can anonymize traffic. The malware uses it to download malicious components and send mined currency to the attacker’s wallet.
Jamf searched through The Pirate Bay, a well-known repository for pirated music, movies, software and other file categories. They downloaded the latest torrent with the highest number of seeders and found that it contained malware.
The loader was the source of the malware and the source of the previously reported samples. Almost all of the numerous uploads that started in 2019 were infected with a malicious payload for covert cryptocurrency mining.
After a user installs the infected Final Cut Pro app, a process immediately begins to download and configure the malware and the XMRig command-line components. It hides the mining operation as an “mdworker_local” process.
Stays protected
The researchers note that macOS Ventura can block the malicious app from running. It is due to malware that leaves the original code signature intact but modifies the application, failing the system’s security policy.
Gatekeeper blocks the app
However, MacOS Ventura does not prevent the miner from running. So when the user receives an error message that Final Cut Pro is damaged and cannot be opened, malware is already installed.
The team only found the error message on pirated Logic Pro and Final Cut Pro versions. However, a pirated version of Photoshop launched the malicious and working components on macOS Ventura 13.2 and earlier.
The most obvious way to avoid malware is to not download pirated software. Final Cut Pro is expensive at $299.99, but iMovie and DaVinci Resolve are both free options.
VirusTotal image showing malicious binary with 0 detections from other vendors. Retrieved by Jamf Threat Labs on February 10, 2023
At the time of discovery, Jamf found that the malware sample was not detected as malicious by any security vendors on VirusTotal, a website that can detect malware. As of January 2023, a few unnamed vendors appeared to have begun detecting malware, but some maliciously modified programs continue to remain undetected.
Therefore, users may not be able to rely on their antimalware software to detect the infection – at least for now.
