This Tuesday, antivirus vendor Malwarebytes reported in its blog that the mshelper process on macOS is being used to secretly mine Monero. Thomas Reed, Malwarebytes’ director of Mac and mobile applications, wrote that the malicious processes are CPU intensive, although “not particularly dangerous for the Mac.” He clarified:
Users found that their fans were out of control and spinning at full speed, and a process called mshelper was draining CPU power. Fortunately, this malware is not very sophisticated and is easy to remove. Information about the malware became publicly available through posts on the Apple forums. There, the culprit turned out to be the mshelper process. In addition, several other suspicious processes were detected, and we obtained copies of these files.
He also explained that the malicious program has three main components: a dropper – the program that installs the malware on the system; a launcher that installs and starts the miner; and the miner itself, an open-source Monero miner based on XMRig.
So far, Malwarebytes researchers have not found the dropper itself, but Reed says he has dealt with fake Adobe Flash Player installers and other downloaded software in the past.
Reed also warns that installation of the miner may be accompanied by the launch of a pplauncher process, written in the Go language. According to Reed, this is an odd choice, indicating that the program’s creator is “not very familiar with the Mac.”
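The symptom described above (a runaway process pinning the CPU) and the two process names the write-up gives, mshelper and pplauncher, are enough for a simple triage check. The following script is an added example, not code from Malwarebytes or the article: it parses `ps` output (a constructed sample is embedded; the file paths in it are invented placeholders, not the malware's real install locations) and flags rows whose executable name matches a known component or whose CPU usage exceeds an assumed threshold.

```python
import subprocess
from dataclasses import dataclass
from typing import List

# Process names reported in the Malwarebytes write-up: the miner and its Go launcher.
SUSPECT_NAMES = {"mshelper", "pplauncher"}
# Assumed threshold: a miner typically saturates one or more cores.
CPU_THRESHOLD = 50.0  # percent


@dataclass
class Finding:
    pid: int
    user: str
    cpu: float
    command: str
    reason: str


def scan_ps_output(text: str, cpu_threshold: float = CPU_THRESHOLD) -> List[Finding]:
    """Parse `ps -axo pid,user,%cpu,comm` style output and flag suspicious rows."""
    findings = []
    for line in text.strip().splitlines()[1:]:  # first line is the header
        parts = line.split(None, 3)  # comm may contain spaces, so split at most 3 times
        if len(parts) < 4:
            continue
        pid, user, cpu, command = parts
        try:
            pid_i, cpu_f = int(pid), float(cpu)
        except ValueError:
            continue
        name = command.rsplit("/", 1)[-1]  # executable name without directory
        if name in SUSPECT_NAMES:
            findings.append(Finding(pid_i, user, cpu_f, command, f"known miner component name {name}"))
        elif cpu_f >= cpu_threshold:
            findings.append(Finding(pid_i, user, cpu_f, command, f"sustained CPU {cpu_f}%"))
    return findings


def scan_live() -> List[Finding]:
    """Run ps on the local macOS/BSD host and scan the real process list."""
    out = subprocess.run(["ps", "-axo", "pid,user,%cpu,comm"],
                         capture_output=True, text=True, check=True).stdout
    return scan_ps_output(out)


# Constructed sample output; the paths are placeholders, not real malware locations.
SAMPLE_PS = """\
  PID USER     %CPU COMM
    1 root      0.1 /sbin/launchd
  412 root      0.0 /PLACEHOLDER/path/pplauncher
  420 root    371.8 /PLACEHOLDER/path/mshelper
  533 alice     2.3 /Applications/Safari.app/Contents/MacOS/Safari
"""

if __name__ == "__main__":
    for f in scan_ps_output(SAMPLE_PS):
        print(f"PID {f.pid} ({f.user}) {f.cpu:5.1f}% {f.command}: {f.reason}")
```

On a live host, call `scan_live()` instead of the sample; any hit on the name rule should be treated as an indicator, while a CPU-only hit needs manual review since legitimate workloads also pin cores.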
Overall, Reed noted that the number of malicious mining programs targeting the Mac is on the rise. He also said:
It is better to get infected with cryptocurrency miners than any other type of malicious software, although this does not make such miners a good thing.
Recall that the University of Toronto’s Citizen Lab reported that Internet users in Turkey and Syria who downloaded Windows applications such as Avast Antivirus, CCleaner, Opera, or 7-Zip were exposed to malware that secretly mined cryptocurrency.