Cryptojacking Malware Found Mining Monero Secretly on Apple Macs

This entire week we covered stories related to hacking of major cryptocurrency networks, and now one more similar news has come out in the weekend (though not that of any other coin network being compromised). A cryptojacking malware is making the life difficult for Apple Mac users, which has resulted in many of them unwittingly mining privacy coin Monero for benefit of someone else.

The issue came to public knowledge when many of these affected users gathered on Apple forums to discuss over it. Malwarebytes Labs also published a blog post about it recently, in which it said that the software was discovered when a Mac user observed that a particular process named “mshelper” was consuming unnecessarily large amount of CPU power most of the time. It used to appear at high levels in CPU section of Activity Monitor. The thing that it was a malware became clear when user tried installing BitDefender – the “mshelper” process deleted it. User also tried installing Malwarebytes to fix this issue, but that also didn’t help.

Advertisement

One of the readers at Apple forums suggested using EtreCheck to remove the malware, which quickly recognized “mshelper” and removed it. However, that’s not the end of story.

Malwarebytes Labs said in its blog post that there were some other suspicious processes also installed in the affected Mac. One of them was possibly the “dropper” of malware, which might’ve installed this “mshelper” program. Mac malware is often installed by one of the following 3 ways:

  • Decoy documents that users execute mistakenly;
  • Downloading from piracy sites, and;
  • False Flash Player installers.

Which of these methods might’ve brought the dropper to affected Mac is unclear. Plus, the dropper for this malware still remains unknown. As long as it’s in its place, it can re-install the removed malware.

In its blog post Malwarebytes has also highlighted a file called “pplauncher” in following location:

~/Library/Application Support/pplauncher/pplauncher

The sole purpose of this file, according to Malwarebytes, seems to install and start the miner process. This file keeps running by itself through a launch daemon, which suggests that dropper of this malware has root privileges. The 3.5mb file has been written in Golang and then compiled for MacOS, which causes an overhead of around 23,000 tasks. This suggests that the developer of this malware doesn’t have too much knowledge of Mac devices.

The researchers of Malwarebytes Labs suggest in their post that the malware itself isn’t harmful, unless the fans of your Mac are damaged and air vents clogged to cause the issue of overheating. However, despite that it’s important to remove it like any malware. Hopefully Malwarebytes will find some way to remove it entirely, as they’ve said that this doesn’t seem too much of a complicated mess to remove.

We’ll share with you more updates on this story as soon as they come out. In the meantime if you own a Mac don’t forget to check it for this “mshelper” process – if it’s consuming unnecessarily large amount of CPU power, remove it using EtreCheck.

Be the first to comment

Leave a Reply

Your email address will not be published.


*