Many users reported in the past few weeks their Macs have been infected with a new Monero Miner
25.5.2018 securityaffairs Cryptocurrency

In the past weeks, many Mac users have been infected with a new strain of Monero miner, the infections confirm the rise of this kind of malware.
According to researchers at Malwarebytes, many Mac users in the past weeks have been infected with a new strain of Monero miner. The owners of the infected Mac systems noticed the presence of a process named “mshelper” had been consuming a lot of CPU power and draining their batteries.

“The malware became public knowledge in a post on Apple’s discussion forums, where the “mshelper” process was found to be the culprit. Digging deeper, it was discovered that there were a couple other suspicious processes installed as well. We went searching and found copies of these files.” reads the analysis published by MalwareBytes.

“The malware is mining for Monero cryptocurrency. Here’s a breakdown of its components.”

Monero Miner

The Mac malware is likely installed by a fake Adobe Flash Player installers, through the downloading from piracy websites, or bait documents specially crafted to trick victims into opening them.

According to the experts, the launcher, the pplauncher file, is kept active by a launch daemon (com.pplauncher.plist), a circumstance that suggests that the dropper had root privileges. The launcher was developed in Golang, it has a relatively large executable file (3.5 Mb).

“Using Golang introduces significant overhead, resulting in a binary file containing more than 23,000 functions. Using this for what appears to be simple functionality is probably a sign that the person who created it is not particularly familiar with Macs.” continues the analysis published by Malwarebytes.

The launcher creates the miner process mshelper which is installed in the following location:

/tmp/mshelper/mshelper
The miner is an older version of the legitimate and open source mining tool named XMRig.

This malware is not particularly dangerous, but in case the infected system has a problem such as damaged fans or dust-clogged vents it could cause overheating.

“Although the mshelper process is actually a legitimate piece of software being abused, it should still be removed along with the rest of the malware,” concludes Malwarebytes.

“This malware follows other cryptominers for macOS, such as Pwnet, CpuMeaner, and CreativeUpdate. I’d rather be infected with a cryptominer than some other kind of malware, but that doesn’t make it a good thing.”

Users can manually remove the malware by deleting these two files and rebooting their devices:

/Library/LaunchDaemons/com.pplauncher.plist
/Library/Application Support/pplauncher/pplauncher