Search This Blog

Powered by Blogger.

Blog Archive

Labels

Mac Coinminer Employs a Novel Approach to Mask Its Traffic

The Mach-O sample is suspected to have arrived in a DMG file of Adobe Photoshop.

 

A Mac coinminer has been discovered exploiting customizable open-source software to enhance its malicious activity. This sample incorporates a variety of altered open-source elements which the malicious actor customized to fulfill the agenda. The sample was indeed discovered concealing its network traffic with i2pd (called I2P Daemon). The Invisible Internet Protocol, or I2P client, is constructed in C++ by I2pd. I2P is a worldwide anonymous network layer which enables anonymous end-to-end encrypted communication without revealing the participants' real IP addresses. 

Coinminer is the major malware sample which has been found. MacOS. MALXMR.H is a Mach-O file which was also identified by numerous vendors because it includes XMRig-related strings as sourcing tools like Yara. Its accessibility makes, XMRig to be often utilized by other viruses to execute crypto mining. 

The primary Mach-O sample was discovered to be ad hoc-signed. This indicates the Mach-O binary is difficult to run on Mac systems, and Gatekeeper, a built-in security mechanism for macOS which enforces code signing, may prohibit it. 

The Mach-O sample is suspected to have arrived in a DMG (an Apple image format for compressing installations) of Adobe Photoshop CC 2019 v20.0.6. Apparently, the parent file could not be located. The piece of code was identified in one of its discarded files, which led to the conclusion. The sample attempts to create a non-existent file in the /Volumes path in this code. It's worth noting when double-tapping DMG files on macOS, they get automatically mounted in the /Volumes directory. 

Several embedded Mach-O files were discovered in the core Mach-O sample (detected as Coinminer.MacOS.MALXMR.H). It uses the API to elevate rights by enabling the user for authentication when it is performed. The following files have been deposited into the system by the sample:
  •  /tmp/lauth /usr/local/bin/com.adobe.acc.localhost
  •  /usr/local/bin/com.adobe.acc.network
  •  /usr/local/bin/com.adobe.acc.installer.v1 

As per Trend Micro, the sample used the auth file for persistence. The Mach-O file is in charge of creating the persistence files for the malware:
LaunchDaemons/com.adobe.acc.installer.v1.plist. 

"The file is an XMRig command-line app which has been modified. When launching the app, enter help or version in the variables to see what it's about. The help argument displays a list and overview of the parameters which can be utilized, whereas the version parameter reveals the version of the XMRig binary," according to the experts.

It is suggested to update the products and keep up with the latest patterns. Users should avoid downloading apps from shady websites and exercise excellent digital hygiene.
Share it:

Adobe Photoshop

API

cryptomining malware

Mac Malware

malware

Open Source Software

XMRig