Monero Mining Malware Hits Apple Macs


A new Mac-based cryptojacking attack was reported this past week on Apple’s forums, forcing users to unwittingly run software that mines privacy coin monero.

According to a Malwarebytes Labs blog post, the software was discovered when a user noticed that a process called “mshelper” was consuming suspiciously large amounts of CPU time. The user said that mshelper was constantly appearing at high levels in the CPU section of their Activity Monitor. They noticed this after installing BitDefender, which constantly relayed that mshelper was deleting it. The user also tried Malwarebytes, which proved unhelpful.

One reader suggested running Etrecheck, which immediately identified the malware and allowed the victim to remove it.


Malware Components Identified

Malwarebytes Labs said there were other suspicious processes installed, for which it was able to find file copies.

The “dropper” is the program that installs the malware. Mac malware is often installed through decoy documents that users mistakenly open, downloads from pirate sites, and fake Adobe Flash Player installers. The dropper for this cryptominer remained elusive, but Malwarebytes Labs believes it to be simple malware.

The researchers found the location of a launcher file called “pplauncher,” which is maintained by a launch daemon. This means the dropper likely had root privileges.

The pplauncher file was written in Golang for macOS, and its purpose is to install and start the miner process. Golang carries a certain amount of overhead, which results in a binary file of more than 23,000 tasks. Using it for such a simple purpose suggests the creator is not highly knowledgeable about Mac devices.
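
The launch-daemon persistence described above can be checked for by reading each launchd job definition and flagging any whose command points at the binaries named in this article. This is an added example, not code from Malwarebytes Labs or the original article; only the names pplauncher and mshelper come from the article, and the sample plist names and paths are constructed.

```python
import plistlib
import tempfile
from pathlib import Path

# Binary names reported in the article; paths and labels below are constructed.
SUSPECT_NAMES = {"pplauncher", "mshelper"}


def launchd_command(job):
    """Return the command a launchd job runs (Program + ProgramArguments)."""
    argv = [job["Program"]] if isinstance(job.get("Program"), str) else []
    args = job.get("ProgramArguments")
    if isinstance(args, list):
        argv += [a for a in args if isinstance(a, str)]
    return argv


def scan_launchd_dir(directory):
    """Flag job definitions whose command references a suspect binary name."""
    findings = []
    for path in sorted(Path(directory).glob("*.plist")):
        try:
            job = plistlib.loads(path.read_bytes())  # XML or binary plist
        except Exception:
            findings.append({"plist": path.name, "reason": "unparseable"})
            continue
        if not isinstance(job, dict):
            continue
        hits = sorted({Path(a).name for a in launchd_command(job)} & SUSPECT_NAMES)
        if hits:
            findings.append({"plist": path.name, "reason": "suspect binary",
                             "binaries": hits, "keep_alive": bool(job.get("KeepAlive"))})
    return findings


def build_sample_dir():
    """Constructed sample: a benign job and one that keeps a launcher alive."""
    d = Path(tempfile.mkdtemp())
    jobs = {
        "com.example.benign.plist": {"ProgramArguments": ["/usr/bin/true"]},
        "com.example.launcher.plist": {"Program": "/constructed/dir/pplauncher",
                                       "KeepAlive": True},
    }
    for name, job in jobs.items():
        (d / name).write_bytes(plistlib.dumps(job))
    return d


if __name__ == "__main__":
    print(scan_launchd_dir(build_sample_dir()))
```

On a Mac, point `scan_launchd_dir` at `/Library/LaunchDaemons`, the standard location for system-wide launch daemons. A name match is a lead to inspect by hand, since a file name alone does not identify the binary.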

Modelled On A Legitimate Miner

The mshelper process appears to be an older version of the XMRig miner, a legitimate miner that can be deployed using Homebrew on Macs. Information from the current XMRig indicates it was built on May 7, 2018 with clang 9.0.0.

When the same information was sought from the mshelper process, it indicated it was built on March 26, 2018, also with clang 9.0.0.

Malwarebytes Labs concluded that mshelper is an older copy of XMRig used to mine the cryptocurrency for the benefit of the hacker. The pplauncher file supplies the command-line arguments, including a parameter that specifies the user.

The researchers said that the mining malware is not dangerous unless the user’s Mac has damaged fans or clogged vents that can result in overheating.

The mshelper process is a legitimate tool that someone is abusing, but it still needs to be removed, along with the rest of the malware.

The new malware — now known as OSX.ppminer — falls in line with cryptominers such as Creative Update, CpuMeaner and Pwnet for macOS.


Author Lester Coleman