On February 23, Jamf Threat Labs, a macOS cybersecurity group of the Jamf IT company, announced the detection of evasive cryptojacking malware attacking the Apple ecosystem. It was found embedded into the cracked version of the professional video-editing app Final Cut Pro, which is mainly distributed by The Pirate Bay.
According to the Jamf team, the infected editor is still available via the torrent with the largest number of seeders. The pirated Logic Pro software for professional music recording might also be infected.
As a rule, cryptojacking does not aim to steal personal information. Neither does it trick victims to pay money to the perpetrators. However, such malware uses a significant amount of hardware resources to mine cryptocurrency, which is then sent to the attacker. The excessive strain put on the system can considerably disrupt the performance of the device and even completely wear it out or burn it due to overheating.
In addition to the risk of losing the device, the victim also has to pay electricity bills.
The malware spread by cracked Final Cut Pro relies on XMRig command-line mining tool, which is commonly by legitimate miners. Still, since this mining software is open-source, hackers can customize it and use it for illegal purposes. This particular version of XMRig can evade detection by stopping its operation as soon as Activity Monitor, an application that monitors ongoing processes in the system, is launched.
Moreover, XMRig communicates via the Invisible Internet Project, the anonymous I2P network that protects the user's location and activities, and transfers the mined cryptocurrency to the perpetrator's wallet.
In its blog post, Jamf Threat Labs warns users of Ventura, the latest macOS version, to stay vigilant despite the system's security improvements that do not allow pirated Final Cut Pro to launch:
"MacOS Ventura did not prevent the miner from executing. By the time the user receives the error message that malware has already been installed. It did prevent the modified version of Final Cut Pro from launching, which could raise suspicion for the user as well as greatly reduce the probability of subsequent launches by the user."
In addition, Jamf security experts have noticed that the README.txt distributed with the infected applications contains the following message:
"If you have issues with image (annoying image/application is damaged messages pretending you cannot open things) run in Terminal: sudo spctl --master-disable."
The team explained that running this command completely disables Gatekeeper, the security feature used to scan downloaded programs. There is no follow-up instruction to re-enable the application.
Installing applications downloaded via torrents has always been associated with the risk of infecting the operating system. Even though using pirated software is illegal in many countries, many people prefer this form of application acquisition because it allows them to avoid licensing costs. As Jamf Threat Labs noted, hackers use this fact to their advantage:
"There is also a psychological component. The user knows they are doing something illegal, and it is not surprising when Apple’s built-in security prevents them from running pirated Apple software. Furthermore, if the user eventually suspects that they may have inadvertently run malware on their work computer, they are far less likely to explain what actions took place to anyone in the Security or IT departments."
Meanwhile, Kaspersky's 2022 research on the state of cryptojacking, based on threat data collected by its security network, found rapid growth in the development of malicious mining software. According to the cybersecurity company, the number of versions of such miners more than tripled within a year, exceeding 150,000 in the third quarter of 2022.
The firm also reported that Ethiopia, which had officially banned cryptocurrencies, had the highest number of cryptojacking victims, while Monero (XRM) was the most popular cryptocurrency mined by hackers.