According to reports from several security researchers, there is a new cryptominer called Bird Miner. It targets Apple Mac systems through an ‘Ableton Live 10’ torrent. The music production software costs several hundred US dollars, so many people are on the lookout for cracked versions that they can download without paying a dime.
However, the dangers that lurk in torrents like this one have been documented repeatedly, and this is another case that underlines them. The downloaded archive is approximately 2.6 GB, and it contains shell scripts that launch daemons, which in turn install obfuscators, system checkers, anti-snooping components, and a lot more that isn’t part of the Ableton Live 10 suite.
Since cryptomining and cryptojacking malware needs CPU resources to run, it is essential for the malware to hide itself and its activity from the victim. So, the first thing it does is check whether Activity Monitor is running. If the system tool isn’t running, and if CPU usage is below 85%, the malware proceeds by launching a Qemu instance.
Qemu is an open-source machine emulator and virtualizer that can load and run OS image files such as .img, .iso, or .dmg. Here, Qemu loads two .dmg images containing a custom version of ‘Tiny Core’ Linux, which then launch ‘xmrig’, the cryptomining tool.
While the researchers first spotted the Bird Miner installers in the pirated Ableton Live 10 torrents, more infected files have since surfaced. Users on Reddit report the same type of malware being distributed through the VST Crack website during the last four months, and possibly even longer.
While Bird Miner for Mac tries to hide by running inside Qemu, that same choice is the source of its operational inefficiency. If it were to run natively instead of under emulation, it would yield more for its operators.
BEST ADVICE?
If you want to stay safe from this type of danger, you can follow the simple practice of not downloading pirated software via torrents.
These sources of professional-grade tools are very often infected with dangerous malware, and they are not worth the risk. If you have to do it no matter what, at least make sure that you are using up-to-date antivirus software from a reputable vendor.
Lastly, run periodic checks on what is installed and running on your system, and if you see something that you don’t recognize, like the Qemu tool, start digging to find out how it got there.
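The periodic check suggested above, and the two traits described earlier (a Qemu process on a Mac, and CPU use kept just under the miner’s own 85% threshold), can be turned into a small triage script. The script below is an added example and not part of the article or of any researcher’s tooling; the sample process listing, the CPU_FLOOR value and the launchd directories it lists are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the article): flag processes on a Mac that match the
# Bird Miner traits described above. flag_suspects reads lines shaped like the
# output of `ps -Axo pid,pcpu,comm` on stdin and prints
# "REASON PID CPU COMMAND" for each process worth a closer look.
# CPU_FLOOR is a constructed threshold: an unfamiliar process above this %CPU
# is reported even if it is not Qemu (the miner keeps its own load under 85%).
CPU_FLOOR=${CPU_FLOOR:-50}

flag_suspects() {
    while read -r pid cpu cmd; do
        [ -z "$pid" ] && continue            # skip blank lines
        [ "$pid" = "PID" ] && continue       # skip the ps header line
        case "$cmd" in
            *[Qq][Ee][Mm][Uu]*) echo "QEMU_PROCESS $pid $cpu $cmd"; continue ;;
            *xmrig*)            echo "MINER_BINARY $pid $cpu $cmd"; continue ;;
        esac
        whole=${cpu%%.*}                     # integer part of %CPU
        if [ "${whole:-0}" -ge "$CPU_FLOOR" ]; then
            echo "HIGH_CPU $pid $cpu $cmd"
        fi
    done
    return 0
}

# count_suspects prints how many processes flag_suspects reported for stdin
count_suspects() { flag_suspects | wc -l | tr -d ' '; }

# Constructed sample of a `ps -Axo pid,pcpu,comm` listing on an infected host
SAMPLE_PS='  PID %CPU COMM
    1  0.0 /sbin/launchd
  412  1.2 /System/Library/CoreServices/Finder.app/Contents/MacOS/Finder
  913 78.4 /usr/local/bin/qemu-system-x86_64
  918  0.3 /bin/sh
  955 62.0 /Users/alice/Library/Application Support/updater'

# scan_live runs the same check against the real process table on macOS and
# lists the launchd directories where a persistent loader would be registered.
scan_live() {
    ps -Axo pid,pcpu,comm | flag_suspects
    ls -la "$HOME/Library/LaunchAgents" /Library/LaunchAgents /Library/LaunchDaemons 2>/dev/null
}

if [ "${1:-}" = "--live" ]; then
    scan_live
else
    printf '%s\n' "$SAMPLE_PS" | flag_suspects   # demo run on the constructed sample
fi
```

Run it with `--live` on the Mac being checked; anything it reports still needs a human to decide whether it belongs there.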