As cryptocurrency mining becomes an ever more expensive process, some criminals find ways to obtain “coins” using other people’s resources, for example by “planting” mining software in pirated versions of popular programs so that the victims’ PCs (or other devices) do the mining for them. This time it happened with Final Cut Pro.
It is hard to find a video editor who has not heard of Final Cut Pro. In pirated copies of this hugely popular non-linear video editing program from Apple, “malware” was found that mines cryptocurrency in the background, evades antivirus detection and hides itself from the user.
Jamf Threat Labs reported this:
Over the past few months Jamf Threat Labs has been following a family of malware that resurfaced and has been operating undetected, despite an earlier iteration being a known quantity to the security community.
During routine monitoring of our threat detections in the wild, we encountered an alert indicating XMRig usage, a command-line crypto-mining tool. While XMRig is commonly used for legitimate purposes, its adaptable, open-source design has also made it a popular choice for malicious actors.
This particular instance was of interest to us as it was executed under the guise of the Apple-developed video editing software, Final Cut Pro. Further investigation revealed that this malicious version of Final Cut Pro contained a modification unauthorized by Apple that was executing XMRig in the background.
At the time of our discovery, this particular sample was not detected as malicious by any security vendors on VirusTotal. Since January 2023, a handful of vendors have detected the malware. However, many of the malicious applications continue to go unidentified by most vendors.
And this “gift” was hidden in the uploads of a well-known “supplier” on The Pirate Bay, who also offers pirated Photoshop and Logic Pro.
According to Jamf Threat Labs, this is the third generation of this mining malware. The first obtained the privileges it needed through a Launch Daemon, which required the user’s password. The second used a Launch Agent, but it only mined while the infected program was also running. The third went much further:
When the user double-clicks the Final Cut Pro icon, the trojanized executable runs, kicking off the shell calls to orchestrate the malware setup. Contained within the same executable are two large base64 blobs that are decoded via shell calls. Decoding both of these blobs results in two corresponding tar archives.
One contains a working copy of Final Cut Pro. The other base64 encoded blob decodes to a customized executable responsible for handling the encrypted i2p traffic. Once the embedded data has been decoded from base64 and unarchived, the resulting components are written to the /private/tmp/ directory as hidden files.
After executing the i2p executable, the setup script uses curl over i2p to connect to the malicious author’s web server and download the XMRig command line components that perform the covert mining. The version of Final Cut Pro that is launched and presented to the user is called from this directory and eventually removed from the disk.
The mining malware also checks every three seconds whether Activity Monitor is running. As soon as it detects its launch, it stops all of its malicious processes. What is more, it renames its processes after those of Spotlight (the macOS search service), so that they should not arouse suspicion if the user sees them. And the next time the infected program is launched, mining starts again.
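Because the miner quits whenever Activity Monitor is open, looking at the GUI is an unreliable way to spot it; a scripted process snapshot is better. The following is an added example (not from the article or from Jamf) that applies the two indicators described above to `ps` output: a process carrying a Spotlight process name but running from outside /System/Library, and an executable running from a hidden path under /private/tmp. The sample lines, the hidden directory names and the use of `ps -axo pid=,comm=` as the input shape are constructed assumptions.

```python
from pathlib import PurePosixPath

# Real process names Spotlight uses on macOS; the article does not say which
# of them the malware imitated, so all are treated as worth checking.
SPOTLIGHT_NAMES = {"mds", "mds_stores", "mdworker", "mdworker_shared", "mdsync"}
# Where Spotlight's binaries actually live on a stock macOS install.
SYSTEM_PREFIX = "/System/Library/"
TMP_PREFIXES = ("/private/tmp/", "/tmp/")

# Constructed sample in the shape of `ps -axo pid=,comm=` output (assumption).
# The first two lines mimic genuine Spotlight workers; the last two are modelled
# on the article: a miner renamed after Spotlight and an XMRig binary, both
# running from hidden directories under /private/tmp (directory names invented).
SAMPLE_PS = """\
  412 /System/Library/Frameworks/CoreServices.framework/Frameworks/Metadata.framework/Versions/A/Support/mds
  498 /System/Library/Frameworks/CoreServices.framework/Frameworks/Metadata.framework/Versions/A/Support/mdworker_shared
 7731 /private/tmp/.i2pd/mdworker
 7740 /private/tmp/.xmrig/xmrig
"""


def parse_ps(text):
    """Yield (pid, executable_path) pairs from pid/comm style lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        pid, path = line.split(None, 1)
        yield int(pid), path


def hidden_under_tmp(path):
    """True if the path is under a tmp prefix and any component is dot-prefixed."""
    if not path.startswith(TMP_PREFIXES):
        return False
    return any(part.startswith(".") for part in PurePosixPath(path).parts)


def find_suspicious(ps_text):
    """Return [(pid, path, reason)] for processes matching the article's indicators."""
    findings = []
    for pid, path in parse_ps(ps_text):
        name = PurePosixPath(path).name
        if name in SPOTLIGHT_NAMES and not path.startswith(SYSTEM_PREFIX):
            findings.append((pid, path, "Spotlight-named process outside /System/Library"))
        elif hidden_under_tmp(path):
            findings.append((pid, path, "executable running from a hidden path under tmp"))
    return findings


if __name__ == "__main__":
    for pid, path, reason in find_suspicious(SAMPLE_PS):
        print(f"{pid}\t{reason}\t{path}")
```

On a live system, feed the function the output of `ps -axo pid=,comm=` collected by a script or an EDR agent rather than by opening Activity Monitor, and treat any hit as a reason to inspect the launching application and the contents of /private/tmp.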
Apple also commented on this case:
We continue to update XProtect to block this malware, including the specific variants cited in JAMF’s research. Additionally, this malware family does not bypass Gatekeeper protections.
The Mac App Store provides the safest place to get software for the Mac. For software downloaded outside the Mac App Store, Apple uses industry-leading technical mechanisms, such as the Apple notary service and XProtect, to protect users by detecting malware and blocking it so it can’t run.
Protection in macOS Ventura has been significantly improved, because Gatekeeper now checks software not only at first launch but afterwards as well. But there have already been versions of Photoshop that bypassed this too.
According to Jamf, such cases should be expected more and more often, because the performance of Macs with Apple Silicon makes these computers a tempting target for cryptominers.