Adware has traditionally been the most widespread type of macOS malware, but cryptojacking, a stealthy and large-scale crypto-mining scheme, is becoming increasingly prevalent. Given that crypto-mining requires a significant amount of processing power, it is likely that the ongoing advancements in Apple ARM processors will make macOS devices even more attractive targets for cryptojacking. While cryptojacking itself is not a new concept, this particular variant employs some novel tactics. This malware makes use of the Invisible Internet Project (i2p) for communication.

i2p is a private network layer that anonymizes traffic, making it a less noticeable alternative to Tor. This malware uses i2p to download malicious components and send mined currency to the attacker's wallet. While searching for other examples of malware that use i2p routing, we found that the techniques of this sample were similar to those reported by Trend Micro in February 2022. Despite the similarities, there were still discrepancies and unanswered questions, such as why this particular sample went undetected by all vendors on VirusTotal, even though the malware family had already been documented. In their report, Trend Micro speculated that the Mach-O sample may have arrived in a DMG package for Adobe Photoshop CC 2019. However, they were unable to find the DMG itself.

Given that we were seeing a very similar scenario play out with Final Cut Pro, we also wanted to identify where this malware was coming from. In an attempt to pinpoint the source of the malware, we turned to a Pirate Bay mirror and searched for torrents of Final Cut Pro. We downloaded the most recent torrent with the highest number of seeders and checked the hash of the application executable. It matched the hash of the infected Final Cut Pro we had discovered in the wild. After a thorough analysis of the torrent upload DMGs, we discovered that the uploader was the source of the malware we found and also confirmed it to be the source of the previously reported samples. We observed that the torrent was uploaded by a user with a yearslong track record of uploading pirated macOS software torrents, many of which were among the most widely shared versions for their respective titles. Furthermore, we found that virtually every one of the dozens of uploads that began in 2019 was compromised with a malicious payload to surreptitiously mine cryptocurrency. This discovery presented a rare opportunity to trace the evolution of a malware family.
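The hash check of a downloaded application's executable, as an added example that is not code from the original post or from the researchers: it locates the main binary of a .app bundle through CFBundleExecutable in Info.plist, hashes it, and compares the digest against a set of known-bad hashes. The known-bad set is a labelled placeholder (the report's actual indicator hashes are not reproduced here), and the bundles it checks are constructed on the fly so it runs offline.

```python
import hashlib
import plistlib
import tempfile
from pathlib import Path

# Constructed placeholder: SHA-256 digests of executables known to be trojanized.
# In practice this set is populated from a threat report, not hard-coded here.
KNOWN_BAD_SHA256 = {"PLACEHOLDER_TROJANIZED_EXECUTABLE_SHA256"}


def main_executable(app_bundle: Path) -> Path:
    """Resolve the bundle's main executable via CFBundleExecutable in Info.plist."""
    with (app_bundle / "Contents" / "Info.plist").open("rb") as fh:
        name = plistlib.load(fh)["CFBundleExecutable"]
    return app_bundle / "Contents" / "MacOS" / name


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries are not read into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_bundle(app_bundle: Path, bad_hashes=KNOWN_BAD_SHA256) -> dict:
    """Return the executable path, its digest, and whether it matches a known-bad hash."""
    exe = main_executable(app_bundle)
    digest = sha256_file(exe)
    return {"executable": str(exe), "sha256": digest, "known_bad": digest in bad_hashes}


def make_sample_bundle(root: Path, name: str, payload: bytes) -> Path:
    """Build a minimal constructed .app bundle (Info.plist + MacOS/<name>) for offline use."""
    app = root / f"{name}.app"
    (app / "Contents" / "MacOS").mkdir(parents=True)
    with (app / "Contents" / "Info.plist").open("wb") as fh:
        plistlib.dump({"CFBundleExecutable": name}, fh)
    (app / "Contents" / "MacOS" / name).write_bytes(payload)
    return app


def demo() -> tuple:
    """Check one constructed trojanized bundle and one clean bundle; returns (hit, hit)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        trojan = make_sample_bundle(root / "torrent", "Final Cut Pro", b"constructed trojanized binary")
        clean = make_sample_bundle(root / "store", "Final Cut Pro", b"constructed clean binary")
        bad = {sha256_file(main_executable(trojan))}  # constructed indicator set
        return check_bundle(trojan, bad)["known_bad"], check_bundle(clean, bad)["known_bad"]


if __name__ == "__main__":
    print(demo())
```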