Jamf Threat Labs has discovered that Trojanized versions of legitimate applications are being used to deploy evasive cryptocurrency mining malware on macOS systems.
The malware, an XMRig coin miner, is launched through an unauthorized modification to Final Cut Pro, Apple's video editing software.
The malware makes use of the Invisible Internet Project (i2p) to download malicious components and send mined currency to the attacker’s wallet. The source of the crypto-jacking apps can be traced to Pirate Bay, with the earliest uploads dating all the way back to 2019.
The investigation uncovered three generations of the malware, first observed in August 2019, April 2021, and October 2021 respectively, which chart the evolution of the campaign's sophistication and stealth.
Apple has taken steps to combat such abuse by subjecting notarized apps to more stringent Gatekeeper checks in macOS Ventura, thereby preventing tampered apps from being launched. Jamf researchers have noted that while macOS Ventura prevents the modified version of Final Cut Pro from launching, it did not prevent the miner from executing.
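The Gatekeeper check described above boils down to two questions a defender can ask of any installed bundle: does its code signature still verify, and does the system's assessment policy accept it for execution? The following is an added example, not Jamf's tooling or anything from the article; it drives the real macOS `codesign` and `spctl` command-line tools and separates the interpretation of their results into a pure function so it can be reasoned about (and tested) without a Mac. The application path is a placeholder, and the sample tool outputs in the docstrings are constructed.

```python
"""Check whether a macOS app bundle is still intact and accepted by Gatekeeper.

Added example (not Jamf's or Apple's code). Relies on the real `codesign` and
`spctl` tools; only their exit codes and stderr text are used here.
"""
import subprocess
from dataclasses import dataclass

# Placeholder path; replace with the bundle you want to inspect.
BUNDLE_PATH = "/Applications/Example.app"


@dataclass
class Verdict:
    signature_valid: bool      # codesign --verify succeeded
    gatekeeper_accepts: bool   # spctl --assess returned "accepted"
    summary: str               # one-line explanation for an analyst


def _first_line(text: str) -> str:
    """Return the first non-empty line of a tool's stderr, or a fallback."""
    for line in text.splitlines():
        if line.strip():
            return line.strip()
    return "no detail reported"


def interpret(cs_rc: int, cs_err: str, sp_rc: int, sp_err: str) -> Verdict:
    """Turn codesign/spctl exit codes and stderr into a verdict.

    codesign exits 0 only when every sealed resource matches the signature;
    a patched binary or swapped resource produces a non-zero code and a
    message such as "a sealed resource is missing or invalid".  spctl exits 0
    when the execution policy accepts the bundle and prints "rejected"
    otherwise.
    """
    sig_ok = cs_rc == 0
    gk_ok = sp_rc == 0
    if sig_ok and gk_ok:
        summary = "signature intact; Gatekeeper accepts the bundle"
    elif not sig_ok:
        summary = ("signature does not verify (modified, re-signed or unsigned "
                   "bundle): " + _first_line(cs_err))
    else:
        summary = "signature verifies but Gatekeeper rejects it: " + _first_line(sp_err)
    return Verdict(sig_ok, gk_ok, summary)


def _run(cmd: list[str]) -> tuple[int, str]:
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return proc.returncode, proc.stderr


def check_bundle(bundle_path: str) -> Verdict:
    """Run the two checks against a bundle on disk (macOS only)."""
    cs_rc, cs_err = _run(["codesign", "--verify", "--deep", "--strict", bundle_path])
    sp_rc, sp_err = _run(["spctl", "--assess", "--type", "execute", bundle_path])
    return interpret(cs_rc, cs_err, sp_rc, sp_err)


if __name__ == "__main__":
    print(check_bundle(BUNDLE_PATH).summary)
```

A bundle that fails the `codesign` step is the case the article describes: the signature no longer covers what is on disk, which is what macOS Ventura's stricter Gatekeeper check refuses to launch. Note that this inspects the bundle, not running processes, so it says nothing about a miner that was already started by an earlier launch.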
The malware’s ability to fly under the radar, coupled with the fact that users running cracked software are willingly doing something illegal, has made the distribution vector a highly effective one for many years.