A number of Mac users reported an increase in CPU activity and battery use, with power reserves depleting faster than usual. Researchers attributed the battery drain to a persistent cryptocurrency miner called mshelper (Detection name: COINMINER_TOOLXMR.A-OSX), which ran with root privileges.
While infection is believed to have come from downloads of fake Flash Player installers, malicious documents or software rather than from sophisticated means, researchers found that the launcher daemon pplauncher (Detection name: COINMINER_MALXMR.A-OSX) kept the malware active, suggesting the dropper had root privileges on the infected system. When analyzed, the 3.5MB launcher binary contained more than 23,000 functions; such bloat suggests its developer may not be particularly familiar with macOS.
The launcher drops the mshelper binary, which mines Monero cryptocurrency for the cybercriminals using the legitimate open-source mining tool XMRig. mshelper is mining software that threat actors abuse; it should be removed, as the sustained load can cause overheating on machines with damaged fans or vents.
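A defender-side triage check for the persistence described above, added here as an example (not from the original post or from Trend Micro's tooling): it scans the standard macOS launch daemon/agent directories for property lists whose program is named pplauncher or mshelper. The directory locations and plist structure are standard macOS conventions; the miner's own install paths are not given in the article, so only the two binary names it reports are matched.

```shell
#!/bin/sh
# Added example (not from the original post): look for launchd persistence
# items that start the pplauncher daemon or the mshelper miner.
# Assumptions: the names below come from the article; the directories and
# the <string> layout of ProgramArguments/Program are standard macOS.

# Indicator names reported in the article; matched on the program basename.
MINER_NAMES="pplauncher mshelper"

# scan_launch_dirs DIR... : print "plist<TAB>matched-name" for each hit.
# Returns 0 if at least one item matched, 1 otherwise.
scan_launch_dirs() {
    found=1
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for plist in "$dir"/*.plist; do
            [ -f "$plist" ] || continue
            for name in $MINER_NAMES; do
                # Program paths are <string> elements; match the binary name
                # either standing alone or at the end of a path.
                if grep -Eq "<string>([^<]*/)?$name</string>" "$plist"; then
                    printf '%s\t%s\n' "$plist" "$name"
                    found=0
                fi
            done
        done
    done
    return $found
}

# With no arguments, check system- and user-level launch items (the article
# states the dropper ran as root, so the system directories matter most).
if [ "$#" -eq 0 ]; then
    set -- /Library/LaunchDaemons /Library/LaunchAgents "$HOME/Library/LaunchAgents"
fi
if scan_launch_dirs "$@"; then
    echo "suspicious launch item(s) found; review the plists listed above" >&2
else
    echo "no pplauncher/mshelper launch items found" >&2
fi
```

Run it with no arguments on the machine being checked, or pass directories (for example a mounted image's Library/LaunchDaemons) to scan an offline copy.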
This is not the first time Mac users have been targeted by cryptocurrency-mining malware: cybercriminals previously packaged a crypto-miner backdoor via MacUpdate. The growing popularity of cryptocurrency among cybercriminals is bound to encourage more deployments of mining malware on infected systems. Here are a few steps to protect your systems from being infected:
Trend Micro Antivirus for Mac and Maximum Security help defend against web threats and malicious files, secure your transactions, and provide equal security to all your devices. Trend Micro solutions prevent malicious software attacks, let you browse and play safely, and come with easy-to-understand status reports.