Cracked Final Cut Pro targets Mac users with cryptominers

March 8, 2023
Tags: Cracked Software, Piracy, Final Cut Pro, Mac OS, Cryptominers, Monero

A new cryptomining malware operation has used a pirated version of Final Cut Pro to target macOS users with malware that could bypass antivirus solutions. Based on the reports, researchers found that the malicious strain spreads via torrent and runs the XMRig utility to mine Monero.

Moreover, the same malware operator allegedly distributed trojanised macOS apps such as Logic Pro X and Adobe Photoshop a few years ago. Both apps carried a cryptocurrency-mining payload.

Further investigation showed that the malware went through three developmental phases, each adding features and obfuscation techniques. Current security tools on users' machines could only detect the first versions of the threat, and those versions already stopped circulating in April 2021.


The pirated Final Cut Pro includes the latest version of the cryptomining capability developed by the threat actors.


The threat actors behind the pirated Final Cut Pro have created three versions since they started infecting macOS users. In the first generation, the malware used an i2p network layer for C2 communications to anonymise its traffic. This feature has remained in the malware to this day.

The second generation of malware made a brief appearance within the cybercriminal scene. It featured several base64 encodings for executables obfuscated in the application bundle.

The current generation appeared in October last year and is the only variant still actively spreading in the wild. The distinctive feature of this third variant is that it disguises its malicious processes as system processes to bypass security checks.

Furthermore, the latest version includes a script that regularly checks for Activity Monitor. Once deployed, it can also terminate all of its processes to remain hidden from the target's inspection.
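A defender-side illustration of the process-masquerading behaviour described above, added here as an example and not taken from the article or the researchers' report: it parses `ps -axo pid,ppid,comm` output (on macOS, `comm` is the full executable path) and flags any process whose name matches a well-known system process but whose binary lives outside Apple's system directories. The sample `ps` lines, the system-name list and the directory allow-list are constructed assumptions, not values from the page.

```python
"""Heuristic check for processes masquerading as macOS system processes."""
import re

# Assumption: directories where genuine macOS system binaries live.
# A reasonable allow-list for this heuristic, not an exhaustive Apple list.
SYSTEM_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Library/Apple/")

# Assumption: a few well-known system process names worth watching for imitation.
SYSTEM_NAMES = {"mdworker", "launchd", "kernel_task", "WindowServer", "coreaudiod"}

# Constructed sample of `ps -axo pid,ppid,comm` output. The third entry is the
# suspicious one: it is named like mdworker but runs from an app bundle.
SAMPLE_PS = """\
  123     1 /System/Library/Frameworks/CoreServices.framework/Frameworks/Metadata.framework/Versions/A/Support/mdworker
  456     1 /usr/libexec/trustd
 7890   500 /Applications/Example Editor.app/Contents/Resources/mdworker
"""

LINE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(.+?)\s*$")


def parse_ps(text):
    """Yield (pid, ppid, path) tuples from ps output, skipping unparsable lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield int(m.group(1)), int(m.group(2)), m.group(3)


def find_masquerading(text):
    """Return [(pid, path)] for processes carrying a system name but a non-system path."""
    hits = []
    for pid, _ppid, path in parse_ps(text):
        name = path.rsplit("/", 1)[-1]
        if name in SYSTEM_NAMES and not path.startswith(SYSTEM_PREFIXES):
            hits.append((pid, path))
    return hits


if __name__ == "__main__":
    # On a live host: ps -axo pid,ppid,comm | python3 this_script.py
    for pid, path in find_masquerading(SAMPLE_PS):
        print(f"suspicious: pid {pid} -> {path}")
```

Because the malware also watches for Activity Monitor and kills its own processes, a single spot check can miss it; run the check repeatedly or from a scheduled job rather than relying on one manual inspection.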

On the other hand, Apple introduced more stringent code-signing checks in macOS Ventura. These checks partially disrupted the cracked Final Cut Pro operation, because the pirated apps failed validation once their contents had been modified.

Unfortunately, Ventura has only prevented the legitimate app from running, not the cryptominer. Apple's new security system therefore still needs further improvements to defend against this tactic.
