A threat actor has recently been using a pirated version of Final Cut Pro, Apple's video editing software, to deploy the XMRig cryptocurrency miner on macOS systems.

Trojanized apps have been circulating in the wild for a long time; however, only a handful of security vendors are able to identify and flag them.

What’s happening?

According to Jamf Threat Labs researchers, the malicious apps are being uploaded to The Pirate Bay as torrents by a user with a years-long track record of uploading pirated macOS software.
  • The latest apps carry an XMRig payload together with an Invisible Internet Project (i2p) client, stored inside the app as base64-encoded data (base64 is encoding, not encryption). The i2p network is used to download malicious components and to send the mined cryptocurrency to the attacker's wallet.
  • Dozens of uploads between 2019 and 2021 were injected with a malicious payload to surreptitiously mine cryptocurrency.

Modus operandi of the malware

The malware has operated as an evasive cryptocurrency miner under the radar for years, adopting new obfuscation techniques as it evolved.
  • When the user downloads and double-clicks the pirated app, the trojanized executable runs. It base64-decodes and writes out the embedded genuine Final Cut Pro executable (so the app appears to work) and an i2p executable.
  • The miner executable is then pulled from the attacker's server over i2p, and mining begins.

Evolution through generations

By analyzing the history of all the uploaded torrents, researchers were able to identify three generations of malware.
  • The first-generation samples gained elevated privileges through the AuthorizationExecuteWithPrivileges API in order to install a Launch Daemon for persistence. Later first-generation samples switched to a per-user Launch Agent, which needs no administrator password and therefore avoids a conspicuous password prompt during installation.
  • The second-generation samples had no traditional persistence mechanism at all; they most likely relied on the user launching the application bundle each time to restart the mining process.
  • The third-generation samples hide their malicious i2p components inside the application executable itself as base64-encoded data, unpacked at runtime with shell commands.

Additionally, the third-generation pirated Final Cut Pro is significantly larger than a genuine copy, weighing in at 11.9 MB compared to the standard 3.7 MB.

Conclusion

Despite an earlier iteration being a known quantity to the security community, most security products failed to detect the malicious applications. The modifications in the new variant are minimal yet effective. Users are advised to avoid downloading pirated software at all costs.
Cyware Publisher