`mnt/sda1/tools/bin/ccommand 2>`

Thus, as soon as the Tiny Core system boots up, xmrig launches without ever needing a user to log in. As soon as the system shown in the screenshot above asks for the "box login," the miner is already running.

The xmrig software has been abused multiple times recently by Mac cryptominers, such as DarthMiner. However, Bird Miner is an interesting case, as the copy of xmrig being used here is a Linux executable run in emulation via Qemu.

The malware was first spotted in a pirated Ableton Live 10 installer. Since then, we've found additional installers for Bird Miner, all distributed through the same site for other software. All such installers will drop the same malware, though the exact install process may vary slightly. However, a Reddit thread on piracy discussing the safety of the VST Crack site revealed that this site has been distributing this malware in some form for at least four months, probably longer. Sure enough, a couple of older installers were found on VirusTotal that used the same technique, but did not yet use random file names.

## Implications

Bird Miner malware is somewhat stealthy, as it will bail out at multiple points if Activity Monitor is running, and it effectively obfuscates the miner code by hiding it inside Qemu images. However, it also shoots itself in the foot, stealth-wise, by using quite obvious launch daemons for persistence, and by using shell scripts to kick everything off. These things don't reveal the intent of the malware, but it's pretty easy for a savvy user to notice that something suspicious is going on.

More interesting is the fact that the malware runs via emulation, when it could easily have run as native code. This would have given the malware better performance and a smaller footprint. Further, the fact that the malware runs two separate miners, each running from its own 130 MB Qemu image file, means that the malware consumes far more resources than necessary. The fact that Bird Miner was created this way likely indicates that the author probably is familiar with Linux, but is not particularly well-versed in macOS. Although this method does obfuscate the miner itself, which could help the malware evade detection, that benefit is countered by reliance on shell scripts and the heavy footprint of running not one but two miners simultaneously in emulation.

Obviously, this malware provides a solid example of why piracy is not a good idea. If you're engaging in piracy, you're likely to get infected, even with antivirus software installed. Like a railing on a bridge, antivirus software can protect you, but it's much less effective if you're actively jumping the rail and engaging in risky behavior.

Malwarebytes for Mac detects this malware as

It's now the 'silly season' in the northern hemisphere, that period of a month or more when most people are away from the office. Apart from those Apple engineers still working hard to get Ventura and other new operating systems ready for release in the autumn/fall, all goes quiet. Over the last few months, much has changed in Mac security.
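The persistence chain described above (a launch daemon that runs a shell script, which in turn boots a Linux image under Qemu) lends itself to a simple host check. The following Python is an added example, not code from the Malwarebytes write-up or from the malware itself; the plist and script contents are constructed stand-ins with made-up file names, and it inspects in-memory samples rather than reading `/Library/LaunchDaemons`.

```python
import plistlib
import re
# Constructed sample inputs (not the real Bird Miner file names, which were randomised).
LAUNCH_DAEMONS = {
    "/Library/LaunchDaemons/com.example.updater.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key><array><string>/usr/local/bin/updater</string></array>
</dict></plist>""",
    "/Library/LaunchDaemons/com.abcd1234.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.abcd1234</string>
  <key>ProgramArguments</key><array><string>/bin/sh</string><string>/usr/local/bin/abcd1234.sh</string></array>
</dict></plist>""",
}
SHELL_SCRIPTS = {
    "/usr/local/bin/abcd1234.sh": (
        "#!/bin/sh\n"
        "# Constructed stand-in for a launcher that boots a Linux disk image under Qemu.\n"
        "/usr/local/bin/qemu-system-x86_64 -M accel=hvf -nographic "
        "-drive file=/usr/local/bin/abcd1234.qcow2,format=qcow2 -m 256\n"
    ),
}

QEMU_BIN = re.compile(r"qemu-system-\w+")
QEMU_IMAGE = re.compile(r"(?:-drive\s+file=|-hda\s+)([^\s,]+)")

def daemon_argv(plist_bytes):
    """Return the command line a launchd plist starts (ProgramArguments or Program)."""
    d = plistlib.loads(plist_bytes)
    return list(d.get("ProgramArguments") or ([d["Program"]] if "Program" in d else []))

def qemu_images_in(text):
    """Return disk images passed to a qemu-system invocation in the text, or [] if none."""
    if not QEMU_BIN.search(text):
        return []
    return QEMU_IMAGE.findall(text)

def find_emulated_launchers(daemons, scripts):
    """Flag LaunchDaemons whose program (or the shell script it runs) boots a Qemu image."""
    hits = []
    for path, data in daemons.items():
        argv = daemon_argv(data)
        # The launcher may be the qemu binary itself or a shell script that invokes it.
        texts = [" ".join(argv)] + [scripts[a] for a in argv if a in scripts]
        images = [img for t in texts for img in qemu_images_in(t)]
        if images:
            hits.append((path, images))
    return hits
```

On a live system the same functions can be fed the contents of `/Library/LaunchDaemons/*.plist` and any shell scripts they reference; a hit is a lead for review, not proof of infection.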