Security researchers discovered a cryptomining operation targeting macOS with a malicious version of Final Cut Pro that remains largely undetected by antivirus engines.
They found that the malicious variant was distributed over torrent and executed the XMRig utility that mines for Monero cryptocurrency.
Evolution of a macOS threat
The Jamf Threat Labs team found this particular macOS threat and tracked it to malicious torrents shared over The Pirate Bay by a user named wtfisthat34698409672.
It appears that the user had been uploading other macOS apps like Adobe Photoshop and Logic Pro X since 2019, all of them containing a payload for cryptocurrency mining.
Deeper analysis led the researchers to the conclusion that the malware had undergone three major development stages, each time adding more complex evasion techniques.
The three generations of the macOS malware (Jamf)
Notably, security tools today consistently detect only the first generation of the threat, which stopped circulating in April 2021.
From the first generation, the malware used an i2p (Invisible Internet Project) network layer for command and control (C2) communications to anonymize traffic. This feature persists across all versions of the malware.
Infection chain diagram (Jamf)
The second generation of the malware appeared relatively briefly between April 2021 and October 2021, featuring base 64 encoding for executables hidden in the app bundle.
Base64 encoded blobs and shell commands in executable (Jamf)
The third and current generation appeared on October 2021. Starting from May 2022, it became the only variant distributed in the wild. A new feature of this variant is that it can disguise its malicious processes as system processes on Spotlight to evade detection.
Moreover, the latest version incorporates a script that constantly checks for the Activity Monitor, and if it’s launched, it immediately terminates all of its processes to remain hidden from the user’s inspections.
Anti-Activity Monitor script (Jamf)
Ventura and the road ahead
The latest version of macOS, codenamed “Ventura,” introduces more stringent code-signing checks that threaten to make hiding and launching malware from inside user-launched apps, especially pirated ones, ineffective.
In this case, the pirates modified Final Cut Pro only partially, keeping the original code-signing certificate intact. However, Ventura still invalidated it because it detected a modification in the software content.
However, this only prevented the legitimate application from running, not the cryptocurrency miner, so Apple’s new security system still has some way to go to protect the user effectively.
In conclusion, the recommendation is to avoid downloading pirated software from peer-to-peer networks, as these are almost always ridden with malware or adware.
Update 2/24 – An Apple spokesperson told BleepingComputer that this particular malware is on their radar, and they work on targeted XProtect updates to effectively block it. This includes specific variants cited in JAMF’s report.
However, it is important to highlight that this malware family isn’t able to bypass Gatekeeper protections, and hence it does not constitute an unchained threat to macOS users.
The Mac App Store provides the safest place to get software for the Mac. For software downloaded outside the Mac App Store, Apple uses industry-leading technical mechanisms, such as the Apple notary service and XProtect, to protect users by detecting malware and blocking it so it can’t run.