According to Malwarebytes researchers, many Mac users have been infected with a Monero miner in recent weeks. Owners of the infected Macs noticed that a process named “mshelper” was consuming a lot of CPU power and quickly draining their computers' batteries.
“The malware became public knowledge in a post on Apple’s discussion forums, where the ‘mshelper’ process was found to be the culprit. Digging deeper, it was discovered that there were a couple other suspicious processes installed as well. We went searching and found copies of these files. The malware is mining for Monero cryptocurrency. Here’s a breakdown of its components.” reads the analysis published by Malwarebytes.
The malware is probably installed through fake Adobe Flash Player installers downloaded from illegitimate websites, or through decoy documents specially crafted to deceive victims.
According to the researchers, the launcher, the pplauncher file, is kept alive by a launch daemon (com.pplauncher.plist), which suggests that the dropper had root privileges. The launcher was developed in Golang and has a relatively large executable (3.5 MB).
“Using Golang introduces significant overhead, resulting in a binary file containing more than 23,000 functions. Using this for what appears to be simple functionality is probably a sign that the person who created it is not particularly familiar with Macs.” continues the analysis published by Malwarebytes.
The launcher creates the miner process, mshelper, which is installed at the following location:
The miner is an old version of XMRig, an open-source mining tool.
“Although the mshelper process is actually a legitimate piece of software being abused, it should still be removed along with the rest of the malware,” concludes Malwarebytes.
“This malware follows other cryptominers for macOS, such as Pwnet, CpuMeaner, and CreativeUpdate. I’d rather be infected with a cryptominer than some other kind of malware, but that doesn’t make it a good thing.”
How to fix
Users can manually remove the malware by deleting these two files and rebooting their devices:
- /Library/Application Support/pplauncher/pplauncher
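As an added example (not code from the original post or from Malwarebytes), the following POSIX shell script checks a Mac for the artifacts described above: the pplauncher binary path given in the removal list, the com.pplauncher.plist launch daemon, and running mshelper/pplauncher processes. The binary path and plist name come from the article; the assumption that the plist lives under /Library/LaunchDaemons (where root launch daemons are registered) is mine. The ROOT prefix argument lets the path check run against a mounted disk image or a test directory instead of the live system.

```shell
#!/bin/sh
# Added example: detect the mshelper/pplauncher miner artifacts on macOS.
# Indicators from the article; the LaunchDaemons location is an assumption.
PPLAUNCHER_BIN="/Library/Application Support/pplauncher/pplauncher"
PPLAUNCHER_PLIST="/Library/LaunchDaemons/com.pplauncher.plist"   # assumed path

# check_paths ROOT: print every indicator path present under ROOT ("" = live system).
# Returns 0 if at least one indicator exists, 1 if none do.
check_paths() {
    root="${1:-}"
    found=1
    for p in "$PPLAUNCHER_BIN" "$PPLAUNCHER_PLIST"; do
        if [ -e "$root$p" ]; then
            printf 'found indicator: %s\n' "$root$p"
            found=0
        fi
    done
    return $found
}

# check_processes: read "pid command" lines from stdin (as produced by
# `ps -axo pid=,comm=`; comm may be a full path on macOS) and print the PID of
# every process whose basename is mshelper or pplauncher. Returns 0 on any hit.
check_processes() {
    awk '{
             name = $2; sub(/.*\//, "", name)
             if (name == "mshelper" || name == "pplauncher") {
                 print "suspicious process: pid=" $1 " name=" name
                 hit = 1
             }
         }
         END { exit hit ? 0 : 1 }'
}

# report ROOT: run both checks on the live host (ROOT="") or an offline tree.
# Exit status 0 means the host looks clean, 2 means indicators were found.
report() {
    root="${1:-}"
    status=0
    check_paths "$root" && status=2
    ps -axo pid=,comm= 2>/dev/null | check_processes && status=2
    if [ "$status" -eq 2 ]; then
        echo "remediation: remove the files above (launchctl unload the plist first), then reboot"
    else
        echo "no mshelper/pplauncher indicators found"
    fi
    return $status
}

# Live usage on a Mac, as root:  report ""
```

The path check and the process check are separate functions so each can be fed controlled input; in an incident-response workflow the process listing could equally come from a saved `ps` capture rather than the live host.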
Pedro Tavares is a professional in the field of information security working as an Ethical Hacker/Pentester, Malware Researcher and Security Evangelist. He is also a founding member of CSIRT.UBI and Editor-in-Chief of the computer security blog seguranca-informatica.pt.
In recent years he has invested in the field of information security, exploring and analyzing a wide range of topics, such as pentesting (Kali Linux), malware, exploitation, hacking, IoT and security in Active Directory networks. He is also a freelance writer (Infosec Resources Institute and Cyber Defense Magazine) and the developer of 0xSI_f33d, a feed that compiles phishing and malware campaigns targeting Portuguese citizens.