Toni Dimaano Tech 02.23.2023 21:Feb PM EST

Pirated Final Cut Pro Infects MacOs With Stealth Crypto Mining Malware

A malicious version of Final Cut Pro that often goes unnoticed by antivirus software was used in a crypto mining operation that targeted macOS, according to security researchers.

Bleeping Computer writes that the malicious variant, which mined for the cryptocurrency Monero using the XMRig tool, was disseminated through torrent.

The MacOS Threat Has Evolved

This specific macOS threat was discovered by the Jamf Threat Labs team, traced to malicious torrents published on The Pirate Bay by a user going by the handle wtfisthat34698409672.

Since 2019, it appears that the user has been downloading additional macOS programs with a payload for cryptocurrency mining, including Adobe Photoshop and Logic Pro X.

After a more thorough study, the researchers concluded that the virus had gone through three significant development stages, incorporating incredibly advanced evasion strategies at each stage.

It is notable that current security tools routinely only identify the first generation of the danger, which stopped existing in April 2021.

In order to anonymize traffic for command and control (C2) communications, malware has used an i2p (Invisible Internet Project) network layer since its first generation, Dark Reading says.

The second version of malware, which used base 64 encoding for executables concealed in the app bundle, emerged for a brief period between April 2021 and October 2021.

Beginning in May 2022, the lone variety of the current generation, which debuted in October 2021, was dispersed in the wild.

This variant's new capability allows it to mask its malicious processes on Spotlight as system processes in order to avoid detection.

The most recent version also includes a script that checks for the Activity Monitor on a regular basis, and if it appears, it instantly kills all of its processes to avoid being discovered by the user.

MacOS Is Looking To Deal With Threats Better In The Future

More rigorous code-signing checks introduced in the most recent macOS build, code-named "Ventura," pose a danger to render user-launched apps, particularly pirated ones, useless for hiding and launching malware.

The original code-signing certificate was preserved by the pirates in this instance, who only slightly altered Final Cut Pro.

Ventura, nevertheless, invalidated it since it discovered a change to the software's substance, according to Bleeping Computer.

It is important to note that Apple's new security system still has a ways to go before it can successfully protect users.

This is because it just stopped the lawful application from operating, not the cryptocurrency miner.

Finally, since peer-to-peer networks are virtually always infected with spyware or adware, it is advised against downloading pirated software from them.

According to Dark Reading, there have not been many instances of threat actors including malware in illegal macOS software.

In fact, one of the most recent well-known examples of such an operation occurred in July 2020 when Malwarebytes researchers uncovered a pirated version of the application firewall Little Snitch, including a downloader for macOS ransomware.