Attackers use pirated software to deliver malware onto Macs
Cybercriminals are now delivering stealthy malware onto Macs using pirated versions of the video editing software Final Cut Pro. This is a concerning trend because it demonstrates how cybercriminals are coming up with new ways to trick users into installing malware on their devices.
Jamf Threat Labs discovered Mac cryptomining malware in pirated copies of Final Cut Pro. According to the company, the cryptojacking malware was particularly well hidden and was not detected by most Mac security apps.
The malware communicates via the Invisible Internet Project (i2p). The i2p protocol is a private network layer that anonymizes traffic, making it a less visible alternative to Tor. The malware downloads its additional components and sends mined currency to the attacker’s wallet over i2p. The torrent was uploaded by a user with a long history of posting pirated macOS software torrents.
Jamf also warned that the power of Apple Silicon Macs will make them increasingly popular targets for cryptojacking, a practice in which malware uses your machine’s significant processing power to mine cryptocurrencies for the benefit of attackers.
According to Jaron Bradley, Jamf’s macOS detections expert, his company found over 400 seeders (users who hold the complete app) making it available via torrent to anyone who wants it. The security vendor also found that the person who originally uploaded the weaponized version of Final Cut Pro has a long history of uploading pirated macOS software carrying the same cryptominer. The same threat actor had previously slipped the malware into pirated macOS versions of Logic Pro and Adobe Photoshop.
“In an attempt to pinpoint the source of the malware, we turned to a Pirate Bay mirror and searched for torrents of Final Cut Pro. We downloaded the most recent torrent with the highest number of seeders and checked the hash of the application executable. It matched the hash of the infected Final Cut Pro we had discovered in the wild. We now had our answer,” Jamf said.
After a thorough examination of the DMGs in the uploader’s torrents, Jamf concluded that this uploader was the source of the malware as well as of the previously reported samples.
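The check Jamf describes above, hashing a downloaded application’s executable and comparing it with a hash already known to be malicious, is something a defender can script. The following is an added example, not Jamf’s code or any tool it published: it hashes every file under an .app bundle’s Contents/MacOS directory and flags any whose SHA-256 appears in a known-bad set. The bundles, their contents, and the known-bad hash are all constructed inside the script so it runs offline; a real run would use a bundle under /Applications and the hash published by the vendor.

```python
"""Added example (not Jamf's code): hash the executables of a macOS .app
bundle and compare them with a set of known-bad SHA-256 values.
All sample data below is constructed for the demo."""
import hashlib
import tempfile
from pathlib import Path

# Constructed sample bytes. The four-byte prefix is the on-disk form of the
# 64-bit Mach-O magic (0xfeedfacf) so the files look like binaries; nothing
# here is a real executable, and neither hash is a real indicator.
DEMO_MALICIOUS_BYTES = b"\xcf\xfa\xed\xfe" + b"constructed tampered build"
DEMO_CLEAN_BYTES = b"\xcf\xfa\xed\xfe" + b"constructed legitimate build"


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file so large application binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_bundle_executables(app_bundle: Path) -> dict:
    """Return {name: sha256} for every file under Contents/MacOS, which is
    where a bundle's main executable (and any helper binaries) live."""
    macos_dir = Path(app_bundle) / "Contents" / "MacOS"
    if not macos_dir.is_dir():
        raise FileNotFoundError(f"not an app bundle: {app_bundle}")
    return {p.name: sha256_of_file(p)
            for p in sorted(macos_dir.iterdir()) if p.is_file()}


def check_bundle(app_bundle: Path, known_bad: set) -> dict:
    """Map each executable name to True when its hash is in the known-bad set."""
    return {name: digest in known_bad
            for name, digest in hash_bundle_executables(app_bundle).items()}


def build_demo_bundle(root: Path, name: str, payload: bytes) -> Path:
    """Create a minimal <name>.app/Contents/MacOS/<name> layout for the demo."""
    macos_dir = Path(root) / f"{name}.app" / "Contents" / "MacOS"
    macos_dir.mkdir(parents=True, exist_ok=True)
    (macos_dir / name).write_bytes(payload)
    return macos_dir.parent.parent


def demo() -> dict:
    """Build one tampered and one clean bundle in a temp dir and check both
    against a known-bad set seeded with the tampered sample's hash."""
    known_bad = {sha256_bytes(DEMO_MALICIOUS_BYTES)}
    with tempfile.TemporaryDirectory() as tmp:
        tampered = build_demo_bundle(Path(tmp) / "torrent", "Final Cut Pro",
                                     DEMO_MALICIOUS_BYTES)
        clean = build_demo_bundle(Path(tmp) / "appstore", "Final Cut Pro",
                                  DEMO_CLEAN_BYTES)
        return {"tampered": check_bundle(tampered, known_bad),
                "clean": check_bundle(clean, known_bad)}


if __name__ == "__main__":
    for label, verdict in demo().items():
        for exe, flagged in verdict.items():
            print(f"{label:9s} {exe}: {'KNOWN BAD' if flagged else 'no match'}")
```

An exact hash match only catches the specific build that was already analysed; a rebuilt sample evades it. On a real machine it is worth pairing this with Apple’s own integrity check, `codesign --verify --deep --strict "/Applications/Final Cut Pro.app"`, which fails on a modified binary whether or not its hash is known.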
The sources for this piece include an article in DarkReading.