
Well-hidden Mac cryptomining malware found in pirate copies of Final Cut Pro; expect more [U]

Update: Apple has now commented on the findings – see the end of the piece.

Cybersecurity company Jamf Threat Labs has found Mac cryptomining malware in pirate copies of Final Cut Pro. The firm says that the cryptojacking malware was particularly well hidden, and not detected by most Mac security apps.

Jamf also warned that the power of Apple Silicon Macs is going to make them increasingly popular targets for cryptojacking – where malware uses your machine’s considerable processing power to mine cryptocurrencies for the benefit of attackers.

Background

As cryptocurrencies like Bitcoin have grown harder and harder to mine, demanding extensive GPU resources, there have been increasing incentives for bad actors to use cryptojacking techniques. This is where they get malware onto a significant number of other people’s devices in order to mine currency for them as a background process.

It’s no surprise that pirate software frequently contains malware, and cryptojacking is one of the more common examples. It’s a significant concern, because the malware will use a lot of your device’s resources, leaving less power to run your own apps.

Usually, Mac security software will detect this type of malware.

Well-hidden Mac cryptomining malware

However, Jamf Threat Labs found an example of Mac cryptomining malware that managed to evade detection – initially by all Mac security apps.

Over the past few months Jamf Threat Labs has been following a family of malware that resurfaced and has been operating undetected, despite an earlier iteration being a known quantity to the security community.

During routine monitoring of our threat detections seen in the wild, we encountered an alert indicating XMRig usage, a command line crypto-mining tool. While XMRig is commonly used for legitimate purposes, its adaptable, open-source design has also made it a popular choice for malicious actors.

This particular instance was of interest to us as it was executing under the guise of the Apple-developed video editing software, Final Cut Pro. Further investigation revealed that this was a modified, malicious version of Final Cut Pro that was executing XMRig in the background.

At the time of our discovery, this particular sample was not being detected as malicious by any security vendors on VirusTotal. A handful of vendors seemed to have started detecting the malware since January 2023, however, some of the maliciously modified applications continue to go unidentified.

The source was a well-known Pirate Bay uploader, whose cracked apps include Photoshop, Logic Pro, and Final Cut Pro.

The clever ways the malware hides

The method used to hide the malware from detection is somewhat involved – and Jamf said it was far better disguised than the first two generations.

The first generation used an API to gain the privileges needed to install a Launch Daemon. However, this needed password confirmation from the user, which was rather a giveaway. The second generation switched to a Launch Agent, which removed the password requirement, but would only run when the user opened the app. The third generation was where the malware got really sneaky.

When the user double-clicks the Final Cut Pro icon, the trojanized executable runs, kicking off the shell calls to orchestrate the malware setup. Contained within the same executable are two large base64 blobs that are decoded via shell calls. Decoding both of these blobs results in two corresponding tar archives.

One contains a working copy of Final Cut Pro. The other base64-encoded blob decodes to a customized executable responsible for handling the encrypted i2p traffic [i2p is an alternative to Tor]. Once the embedded data has been decoded from base64 and unarchived, the resulting components are written to the /private/tmp/ directory as hidden files.

After executing the i2p executable, the setup script uses curl over i2p to connect to the malicious author’s web server and download the XMRig command line components that perform the covert mining. The version of Final Cut Pro that is launched and presented to the user is called from this directory and eventually removed from disk.

Hides from Activity Monitor too

The malware also has clever ways of hiding if a user gets suspicious about their machine running slowly and opens Activity Monitor to check the running processes.

The script runs a continuous loop that checks the list of running processes every 3 seconds, looking for the Activity Monitor. If it finds the Activity Monitor, it immediately terminates all of its malicious processes.

Additionally, the malware processes are renamed to legitimate processes used by Spotlight, so even if the user did spot their brief appearance, it would not raise any red flags.

The malware is then relaunched next time the user opens the compromised app.
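The two behaviours described above (hidden components staged in /private/tmp, and miner processes renamed after Spotlight daemons) can be hunted for with a plain process snapshot rather than Activity Monitor, which the malware watches for. The following is an added example written for this article, not code from Jamf or the malware; the specific Spotlight daemon names and the sample `ps` output are assumptions constructed for illustration, since the report does not list which names were borrowed.

```python
from pathlib import PurePosixPath

# Real macOS Spotlight daemon names; the report does not say which the malware
# used, so this set is an assumption for the masquerade heuristic.
SPOTLIGHT_NAMES = {"mds", "mdworker", "mds_stores", "mdworker_shared"}
# Where the report says the decoded components land, as hidden files.
STAGING_DIRS = ("/private/tmp/", "/tmp/")
# Genuine Spotlight binaries live under this prefix.
TRUSTED_PREFIX = "/System/Library/"


def parse_ps(lines):
    """Parse 'ps -axo pid=,pcpu=,comm=' style lines into (pid, cpu%, path)."""
    rows = []
    for line in lines:
        parts = line.split(None, 2)  # path may contain spaces, so split at most twice
        if len(parts) == 3:
            rows.append((int(parts[0]), float(parts[1]), parts[2].strip()))
    return rows


def suspicious_processes(lines):
    """Return [(pid, reason)] for processes matching the article's described behaviour."""
    findings = []
    for pid, cpu, path in parse_ps(lines):
        name = PurePosixPath(path).name
        if name.startswith(".") and path.startswith(STAGING_DIRS):
            findings.append((pid, "hidden executable running from temp staging dir"))
        elif name in SPOTLIGHT_NAMES and not path.startswith(TRUSTED_PREFIX):
            findings.append((pid, f"Spotlight daemon name '{name}' outside {TRUSTED_PREFIX}"))
        elif cpu >= 80.0 and path.startswith(STAGING_DIRS):
            findings.append((pid, "sustained high CPU from temp staging dir"))
    return findings


# Constructed sample snapshot (not real telemetry) in 'ps -axo pid=,pcpu=,comm=' form.
SAMPLE_PS = [
    "  412   0.3 /System/Library/Frameworks/CoreServices.framework/Frameworks/Metadata.framework/Versions/A/Support/mds",
    "  915   1.1 /System/Library/Frameworks/CoreServices.framework/Frameworks/Metadata.framework/Versions/A/Support/mdworker_shared",
    " 5321  97.5 /private/tmp/.mdworker",
    " 5322   2.0 /private/tmp/mds_stores",
    " 5400   0.0 /Applications/Final Cut Pro.app/Contents/MacOS/Final Cut Pro",
]

if __name__ == "__main__":
    for pid, reason in suspicious_processes(SAMPLE_PS):
        print(f"PID {pid}: {reason}")
```

On a live Mac the snapshot would come from `ps -axo pid=,pcpu=,comm=`; because the miner terminates itself within seconds of Activity Monitor appearing, a command-line snapshot taken from a terminal is more likely to catch it than the GUI.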

Ventura’s ongoing checks sometimes help

With macOS Ventura, Apple significantly increased malware protection. Originally, Gatekeeper would only check apps the first time they were opened. If they passed that check, they were marked as safe.

In Ventura, Gatekeeper checks that apps haven’t been modified when they are opened subsequently. In some cases, this results in an error message, telling you that the app is damaged and can’t be opened. However, by this point the malware has already been installed.

Additionally, Jamf found at least one case where a compromised version of Photoshop still successfully passes the Gatekeeper check.

As you’d expect, given the firm’s work, all known versions of this malware family are detected and blocked by Jamf Protect Threat Prevention.

Expect more Mac malware

Jamf cautions that the power of M-series Macs makes them extremely attractive targets for cryptojacking attacks, and that we can therefore expect a lot more Mac malware than we’ve seen in the past.

Just yesterday, Malwarebytes issued its 2023 State of Malware report, which included pointers to the most common Mac malware.

Update: Apple comment

Apple has now commented on the research, telling us:

We continue to update XProtect to block this malware, including the specific variants cited in JAMF’s research. Additionally, this malware family does not bypass Gatekeeper protections.

The Mac App Store provides the safest place to get software for the Mac. For software downloaded outside the Mac App Store, Apple uses industry-leading technical mechanisms, such as the Apple notary service and XProtect, to protect users by detecting malware and blocking it so it can’t run.

Photo: Mark Cruz/Unsplash


You’re reading 9to5Mac — experts who break news about Apple and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Mac on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel


Author: Ben Lovejoy

Ben Lovejoy is a British technology writer and EU Editor for 9to5Mac. He’s known for his op-eds and diary pieces, exploring his experience of Apple products over time, for a more rounded review. He also writes fiction, with two technothriller novels, a couple of SF shorts and a rom-com!


Ben Lovejoy's favorite gear