Cryptomining Malware Hits Mac Users
It is high time that organizations, as well as individual users, treat cryptomining malware as a serious threat. As of now, many organizations and the vast majority of individual users still do not see it as a major menace.
There are reports of a new cryptomining malware that is said to have infected a number of Mac users. The Macs targeted by this cryptojacking activity have been used to mine Monero, a cryptocurrency. Researchers who investigated the infections found that a process called “mshelper” running on the Mac was being abused on several affected machines.
Thomas Reed, director of Mac and Mobile at Malwarebytes (Reed also calls himself a “Self-trained Apple security expert”), has written a blog post about this cryptomining malware. His blog post says: “A new Mac cryptominer was discovered this week, after affected users saw their fans whirring out of control and a process named “mshelper” gobbling up CPU time like Cookie Monster. Fortunately, this malware is not very sophisticated and is easy to remove.”
It was a post on Apple’s discussion forums that brought this cryptomining malware to public knowledge. The Malwarebytes blog post says: “The malware became public knowledge in a post on Apple’s discussion forums, where the “mshelper” process was found to be the culprit. Digging deeper, it was discovered that there were a couple other suspicious processes installed as well. We went searching and found copies of these files.”
The blog post, which states that the malware mines the Monero cryptocurrency, also breaks the malware down into three components. The first component is the dropper, the program that downloads the miner; the dropper for this malware, however, remains unknown. The blog post says: “Often, Mac malware is installed by things like fake Adobe Flash Player installers, downloads from piracy sites, decoy documents users are tricked into opening, and other such things…In this case, the dropper is still unknown, but we do not believe it’s anything sophisticated. Everything else about this malware suggests simplicity.”
The second component is the launcher, which installs and starts the miner. The third component is the miner itself, which is based on XMRig, an open-source Monero miner.
Thomas Reed says: “This malware is not particularly dangerous, unless your Mac has a problem like damaged fans or dust-clogged vents that could cause overheating. Although the mshelper process is actually a legitimate piece of software being abused, it should still be removed along with the rest of the malware.”
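The two symptoms the post describes, a process named “mshelper” and runaway CPU use, are enough to build a simple host check. The script below is an added example, not code from the article or from Malwarebytes: it parses `ps -Ao pid,pcpu,comm` output and flags a process only when its name matches an indicator list and it is also burning CPU above a threshold, since Reed notes that mshelper is a legitimate binary being abused, so the name alone is not conclusive. The sample ps output, the XMRig process name in the indicator list, and the 80% CPU threshold are assumptions constructed for the example.

```python
import subprocess

# Constructed sample of `ps -Ao pid,pcpu,comm` output (not captured from a real infection).
SAMPLE_PS_OUTPUT = """\
  PID  %CPU COMM
    1   0.1 /sbin/launchd
  412   2.3 /Applications/Safari.app/Contents/MacOS/Safari
 8831  97.4 /tmp/mshelper
 8840   1.0 /usr/sbin/cfprefsd
"""

# Process names worth checking: "mshelper" is named in the article; "xmrig" is
# the open-source miner the article says this malware is based on (assumed name).
INDICATOR_NAMES = {"mshelper", "xmrig"}

# Assumed CPU threshold in percent; tune for the host being checked.
CPU_THRESHOLD = 80.0


def parse_ps(text):
    """Parse `ps -Ao pid,pcpu,comm` output into (pid, cpu, command) tuples.

    The first line is the header and is skipped; the command is split off with
    maxsplit=2 so paths containing spaces survive intact.
    """
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split(None, 2)
        if len(parts) != 3:
            continue
        pid, cpu, comm = parts
        rows.append((int(pid), float(cpu), comm))
    return rows


def flag_suspicious(rows, names=INDICATOR_NAMES, cpu_threshold=CPU_THRESHOLD):
    """Return rows whose executable name is an indicator AND whose CPU use is high.

    Requiring both signals keeps false positives down: a legitimately running
    mshelper that is idle is not reported, a matching name pegging the CPU is.
    """
    hits = []
    for pid, cpu, comm in rows:
        basename = comm.rsplit("/", 1)[-1].lower()
        if basename in names and cpu >= cpu_threshold:
            hits.append((pid, cpu, comm))
    return hits


def scan_live():
    """Run ps on the local macOS (or Linux) host and return the flagged rows."""
    out = subprocess.run(
        ["ps", "-Ao", "pid,pcpu,comm"], capture_output=True, text=True, check=True
    ).stdout
    return flag_suspicious(parse_ps(out))


if __name__ == "__main__":
    # Demonstrate on the constructed sample; call scan_live() to check a real host.
    for pid, cpu, comm in flag_suspicious(parse_ps(SAMPLE_PS_OUTPUT)):
        print(f"suspicious: pid={pid} cpu={cpu}% cmd={comm}")
```

A hit from this check is a reason to investigate the binary's path and whatever launched it, not proof on its own; Reed's point that the abused binary is otherwise legitimate is exactly why the CPU condition is part of the rule.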
Reed observes that Mac cryptomining malware has been on the rise recently, just as it has on Windows. He concludes his post in an interesting manner: “Mac cryptomining malware has been on the rise recently, just as in the Windows world. This malware follows other cryptominers for macOS, such as Pwnet, CpuMeaner, and CreativeUpdate. I’d rather be infected with a cryptominer than some other kind of malware, but that doesn’t make it a good thing.”
Kevin Jones
Kevin Jones, Ph.D., is a research associate and a cybersecurity author with experience in penetration testing, vulnerability assessments, monitoring solutions, surveillance, and offensive technologies. Currently, he is a freelance writer covering the latest security news and other happenings. He has authored numerous articles and exploits, which can be found on popular sites such as hackercombat.com.