Cybersecurity research firm Jamf Threat Labs has found a new crypto-mining malware for macOS that is distributed through pirated versions of popular editing tools such as Final Cut Pro, Logic Pro, and Photoshop.
While investigating a family of malware, the researchers found a new iteration of an older crypto-mining macOS malware after they received an alert about XMRig usage. XMRig is an open-source command-line tool for mining cryptocurrency, and its open-source nature is misused by attackers, who bundle it with their malware.
Evasive crypto-jacking malware can bypass security protocol in the latest macOS Ventura
The report details that the pirated version of Final Cut Pro hid the malware, used the Invisible Internet Project (i2p) for its communication, and ran XMRig in the background to send the mined cryptocurrency to the attacker.
After a user installs the infected Final Cut Pro app, a process immediately starts to download and set up the malware and the XMRig command-line components. It disguises the mining as a “mdworker_local” process.
Upon downloading the most recent torrent with the highest number of seeders from The Pirate Bay, Jamf found that it contained the malware and that the uploader was the source of the malware, distributing it to covertly mine cryptocurrency. It was the same source as the previously reported samples.
Mac users are advised not to install pirated apps, because the new crypto-jacking malware can also bypass the security of the latest macOS Ventura update.
The researchers note that macOS Ventura can block the malicious app from running: the malware leaves the original code signature in place but modifies the application, so the bundle no longer matches its signature and fails the system security policy check.
However, macOS Ventura doesn’t prevent the miner from executing. By the time the user receives an error message saying Final Cut Pro is damaged and can’t be opened, the malware has already been installed.
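The disguise described above (a miner running under the name of the Spotlight worker “mdworker_local”) is something a defender can look for in process telemetry. The following is an added example, not code from Jamf or from the article: it scans a constructed process snapshot and flags processes that carry a system-daemon name but run from outside system-owned locations, or whose command line carries XMRig-style options. The legitimate-path prefixes, the daemon-name list and the miner option list are assumptions for illustration; replace them with a baseline from your own fleet.

```python
"""Flag processes masquerading as system daemons or showing miner-style options.
Added example; the process records, the path prefixes and the option list are
constructed/assumed and are not taken from the Jamf report."""
from dataclasses import dataclass


@dataclass
class Proc:
    pid: int
    name: str      # process name as shown by ps / Activity Monitor
    exe: str       # resolved path of the executable on disk
    cmdline: str   # full command line


# Assumption: genuine Apple daemons load from these locations; a process
# using a daemon's name from anywhere else deserves a closer look.
SYSTEM_PREFIXES = ("/System/", "/usr/libexec/", "/usr/bin/", "/usr/sbin/", "/sbin/")

# Names of legitimate macOS metadata/Spotlight workers that malware may imitate.
MASQUERADE_NAMES = {"mdworker_local", "mdworker_shared", "mds"}

# Publicly documented XMRig options and pool URL schemes (assumed indicator set).
MINER_OPTIONS = ("--donate-level", "--url", "--algo", "--coin")
POOL_SCHEMES = ("stratum+tcp://", "stratum+ssl://")


def miner_option_hits(cmdline: str) -> list:
    """Return the miner-style options found in a command line ('--url' and '--url=' both match)."""
    tokens = cmdline.split()
    hits = []
    for opt in MINER_OPTIONS:
        if any(tok == opt or tok.startswith(opt + "=") for tok in tokens):
            hits.append(opt)
    hits += [scheme for scheme in POOL_SCHEMES if scheme in cmdline]
    return hits


def analyse(proc: Proc) -> list:
    """Return a list of human-readable reasons a process looks suspicious (empty if none)."""
    reasons = []
    if proc.name in MASQUERADE_NAMES and not proc.exe.startswith(SYSTEM_PREFIXES):
        reasons.append(
            f"system daemon name '{proc.name}' but executable at '{proc.exe}'"
        )
    hits = miner_option_hits(proc.cmdline)
    if hits:
        reasons.append("miner-style command line: " + ", ".join(hits))
    return reasons


def scan(procs) -> dict:
    """Map pid -> reasons for every process that triggered at least one rule."""
    return {p.pid: analyse(p) for p in procs if analyse(p)}


# Constructed sample snapshot: one genuine worker, one masquerading miner,
# the editing app itself, and a plainly named miner in a user cache directory.
SAMPLE_PROCS = [
    Proc(412, "mdworker_local",
         "/System/Library/Frameworks/CoreServices.framework/Frameworks/"
         "Metadata.framework/Versions/A/Support/mdworker_local",
         "mdworker_local -s mdworker -c MDSImporterWorker -m com.apple.mdworker.shared"),
    Proc(7731, "mdworker_local", "/private/tmp/.cache/mdworker_local",
         "mdworker_local -o stratum+tcp://pool.example.invalid:3333 --donate-level=0"),
    Proc(900, "Final Cut Pro", "/Applications/Final Cut Pro.app/Contents/MacOS/Final Cut Pro",
         "/Applications/Final Cut Pro.app/Contents/MacOS/Final Cut Pro"),
    Proc(8002, "xmrig", "/Users/alice/Library/Caches/xmrig",
         "xmrig --url stratum+ssl://pool.example.invalid:443 --algo rx/0"),
]


if __name__ == "__main__":
    for pid, reasons in scan(SAMPLE_PROCS).items():
        print(pid, "=>", "; ".join(reasons))
```

On a real system the snapshot would come from `ps -axo pid,comm,args` or an EDR process-start feed; the point of the two rules is that the name alone is meaningless, and the on-disk path and command line are what distinguish the genuine worker from the imitation.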