Malware Targeting macOS Users Through Trojanized Apps to Mine Cryptocurrency Illegally

On February 23, 2023, Jamf Threat Labs uncovered evasive cryptocurrency mining malware targeting macOS systems. The XMRig coin miner was being deployed as a trojanized version of the legitimate application Final Cut Pro, a video editing software from Apple.

The malicious mining process was found to be sourced from Pirate Bay, with uploads dating back to 2019. It is believed that the malware was delivered as a DMG file for Adobe Photoshop CC 2019.

Three generations of the malware have been observed since August 2019, with the latest iteration featuring sophisticated evasion techniques. For example, the malware uses a shell script to monitor the list of running processes and terminate the mining processes if Activity Monitor is present.

Once the user launches the pirated application, the code embedded in the executable connects to an actor-controlled server over i2p to download the XMRig component. The malware’s ability to fly under the radar has made it a highly effective distribution vector.

Apple has taken steps to combat such abuse by subjecting notarized apps to more stringent Gatekeeper checks in macOS Ventura. However, this did not prevent the miner from executing, and only prevented the modified version of Final Cut Pro from launching.