Go to listing page

OSX.DarthMiner: New Mac malware combines EmPyre backdoor and Monero mining

OSX.DarthMiner: New Mac malware combines EmPyre backdoor and Monero mining
  • The malware is being distributed via the Adobe Zii app.
  • The malware contains a script that is designed to look for the popular firewall Little Snitch.

A new Mac malware dubbed OSX.DarthMiner was recently discovered. The malware combines the EmPyre backdoor and a Monero miner and propagates via the fake version of the Adobe Zii app.

The malware is most likely propagated via the fake Adobe Zii app to make the malware appear legitimate. OSX.DarthMiner also comes embedded with a script that looks for whether the targeted system contains Little Snitch - a popular firewall that alerts the user about the backdoor’s network connections.

“If Little Snitch is present, the malware bails out. Of course, if an outgoing firewall like Little Snitch were installed, it would have already blocked the connection that would have attempted to download this script, so checking at this point is worthless,” Malwarebytes researchers, who discovered OSX.DarthMiner, wrote in a blog.

Modus operandi

  • The script links to the EmPyre backdoor, which is capable of pushing out arbitrary malicious commands to the infected Mac.
  • EmPyre also downloads and executes the to /private/tmp/uploadminer.sh script. This, in turn, downloads and executes the other components of the malware.
  • The malware can not only mine for Monero but also intercept all web traffic.

“On the surface, this malware appears to be fairly harmless. Cryptominers typically only cause the computer to slow down, thanks to a process that sucks up all the CPU/GPU,” Malwarebytes researchers said. “However, this is not just a cryptominer. It’s important to keep in mind that the cryptominer was installed through a command issued by the backdoor, and there may very well have been other arbitrary commands sent to infected Macs by the backdoor in the past.

“It’s impossible to know exactly what damage this malware might have done to infected systems. Just because we have only observed the mining behavior does not mean it hasn’t ever done other things,” Malwarebytes researchers added.

According to Malwarebytes researchers, OSX.DarthMiner, apart from cryptomining, the malware may also likely have stolen files or passwords. OSX.DarthMiner’s existence indicates that cybercriminals are ramping up development and delivery of Mac malware variants.

Cyware Publisher