Virus & Malware

Macs Infected With New Monero-Mining Malware

Many Mac users reported in the past few weeks that a process named "mshelper" had been eating up a lot of CPU power and draining their batteries. It turns out that the process is associated with a piece of malware designed to mine for Monero (XMR) cryptocurrency. Researchers at Malwarebytes have analyzed the mshelper malware and while they haven't been able to precisely determine how it's distributed, they believe fake Flash Player installers, malicious documents or pirated software are likely involved rather than some other, more sophisticated, method.

Experts noticed that the launcher, a file named pplauncher, is kept active by a launch daemon (com.pplauncher.plist), which suggests that the dropper likely had root privileges on the compromised system. The launcher was developed in Golang and it's relatively large (3.5 Mb). "Using Golang introduces significant overhead, resulting in a binary file containing more than 23,000 functions.

Using this for what appears to be simple functionality is probably a sign that the person who created it is not particularly familiar with Macs," explained Malwarebytes' Thomas Reed. Once the launcher creates the mshelper process, the compromised device starts mining for Monero cryptocurrency on behalf of the cybercriminals who distribute the malware. The miner itself is a legitimate and open source mining tool named XMRig.

"This malware is not particularly dangerous, unless your Mac has a problem like damaged fans or dust-clogged vents that could cause overheating. Although the mshelper process is actually a legitimate piece of software being abused, it should still be removed along with the rest of the malware," Reed said. Based on reports from victims, anti-malware products initially either did not detect the threat at all or they could not completely remove the infection - the malware reappeared after a reboot.

Now that news of the malware has spread, security companies have likely updated their products to ensure complete removal. Alternatively, users can manually remove the malware by deleting these two files and rebooting their devices: /Library/LaunchDaemons/com.pplauncher.plist

/Library/Application Support/pplauncher/pplauncher This is not the only cryptocurrency miner delivered recently to Mac users. In February, Malwarebytes reported that a Monero miner had been delivered through malicious versions of applications available through the MacUpdate website.

Related: Supply Chain Attack Spreads macOS RAT

Related: Avoid Becoming a Crypto-Mining Bot - Where to Look for Mining Malware and How to Respond

Macs Infected With New Monero-Mining Malware

Many Mac users reported in the past few weeks that a process named “mshelper” had been eating up a lot of CPU power and draining their batteries. It turns out that the process is associated with a piece of malware designed to mine for Monero (XMR) cryptocurrency. Researchers at Malwarebytes have analyzed the mshelper malware and while they haven’t been able to precisely determine how it’s distributed, they believe fake Flash Player installers, malicious documents or pirated software are likely involved rather than some other, more sophisticated, method.

Experts noticed that the launcher, a file named pplauncher, is kept active by a launch daemon (com.pplauncher.plist), which suggests that the dropper likely had root privileges on the compromised system. The launcher was developed in Golang and it’s relatively large (3.5 Mb). “Using Golang introduces significant overhead, resulting in a binary file containing more than 23,000 functions.

Using this for what appears to be simple functionality is probably a sign that the person who created it is not particularly familiar with Macs,” explained Malwarebytes’ Thomas Reed. Once the launcher creates the mshelper process, the compromised device starts mining for Monero cryptocurrency on behalf of the cybercriminals who distribute the malware. The miner itself is a legitimate and open source mining tool named XMRig.

“This malware is not particularly dangerous, unless your Mac has a problem like damaged fans or dust-clogged vents that could cause overheating. Although the mshelper process is actually a legitimate piece of software being abused, it should still be removed along with the rest of the malware,” Reed said. Based on reports from victims, anti-malware products initially either did not detect the threat at all or they could not completely remove the infection – the malware reappeared after a reboot.

Now that news of the malware has spread, security companies have likely updated their products to ensure complete removal. Alternatively, users can manually remove the malware by deleting these two files and rebooting their devices: /Library/LaunchDaemons/com.pplauncher.plist

/Library/Application Support/pplauncher/pplauncher This is not the only cryptocurrency miner delivered recently to Mac users. In February, Malwarebytes reported that a Monero miner had been delivered through malicious versions of applications available through the MacUpdate website.

Related: Supply Chain Attack Spreads macOS RAT

Related: Avoid Becoming a Crypto-Mining Bot – Where to Look for Mining Malware and How to Respond

Hackers Behind 'Triton' Malware Attack Expand Targets

The threat group responsible for the recently uncovered attack involving a piece of malware known as Triton, Trisis and HatMan is still active, targeting organizations worldwide and safety systems other than Schneider Electric's Triconex. The actor, which industrial cybersecurity firm Dragos tracks as Xenotime, is believed to have been around since at least 2014, but its activities were only discovered in 2017 after it targeted a critical infrastructure organization in the Middle East. The attack that led to the cybersecurity industry uncovering Xenotime was reportedly aimed at an oil and gas plant in Saudi Arabia.

It specifically targeted Schneider Electric's Triconex safety instrumented systems (SIS) through a zero-day vulnerability. The targeted organization launched an investigation and called in third-party experts, including Dragos and FireEye, after the SIS caused some industrial systems to unexpectedly shut down. Researchers believe the shutdown was caused by the attackers by accident.

Dragos continues to analyze the initial Triton/Trisis incident and more recent attacks launched by Xenotime. The company says the group has targeted organizations globally, far outside the Middle East. The security firm has not shared any details on present attacks, but it did note that the hackers are active in multiple facilities, targeting safety controllers other than Triconex.

Some researchers believe Iran is behind the attacks, but Dragos has not shared any information on attribution. The company did point out that it has not found any links between Xenotime and other known groups. "Dragos assesses with moderate confidence that Xenotime intends to establish required access and capability to cause a potential future disruptive or even destructive event," the company wrote in a blog post. "Compromising safety systems provides little value outside of disrupting operations.

The group created a custom malware framework and tailormade credential gathering tools, but an apparent misconfiguration prevented the attack from executing properly. As Xenotime matures, it is less likely that the group will make this mistake in the future." Dragos has been tracking the activities of several threat actors that target industrial control systems (ICS).

The company has published brief reports for three of the seven hacker groups it monitors, including the Russia-linked Allanite, which targets electric utilities in the US and UK, and Iran-linked Chrysene, which has attacked ICS networks in the Middle East and the UK.