Experts from Malwarebytes discovered a new piece of Mac malware, tracked as DarthMiner, that combines two open-source tools.
The malware is distributed through Adobe Zii, an application that supposedly helps pirate various Adobe programs. In this case, the attackers used a fake Adobe Zii that was definitely not the real thing.
“Earlier this week, we discovered a new piece of Mac malware that is combining two different open-source tools—the EmPyre backdoor and the XMRig cryptominer—for the purpose of evil.” reads the analysis published by Malwarebytes.
“The malware was being distributed through an application named Adobe Zii.”
The fake Adobe Zii application was developed to run a shell script that downloads and executes a Python script, and then downloads and runs an app named sample.
The Python script looks for the presence of Little Snitch, a commonly used outgoing firewall, and halts the infection process if it is present.
Then the script opens a connection to an EmPyre backend that sends arbitrary commands to the compromised Mac. Next, the backdoor downloads a script that fetches and installs the other components of the malware. The malware creates a launch agent named com.proxy.initialize.plist that keeps the
The malicious code also installs the XMRig cryptominer and creates a launch agent
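As an added defender-side example (not part of the Security Affairs article or the Malwarebytes analysis), the Python below scans the macOS LaunchAgents folders for the persistence artifact named above, com.proxy.initialize.plist, and for any agent that starts an interpreter with an inline command; the sample plists embedded in it are constructed for testing and are not the malware's real files.

```python
# Hunt for the launch-agent persistence described in the article and
# report agents worth a closer look. Runs offline against embedded samples.
import plistlib
from pathlib import Path

# Indicator taken from the article: label / file name of the malicious agent.
KNOWN_LABELS = {"com.proxy.initialize"}
# Interpreters that are suspicious when a LaunchAgent runs them with "-c"/"-e".
INLINE_INTERPRETERS = {"python", "python3", "perl", "sh", "bash", "osascript"}


def inspect_agent(filename, data):
    """Return the list of reasons this agent deserves review (empty = clean)."""
    reasons = []
    try:
        plist = plistlib.loads(data)
    except Exception as exc:  # malformed plist is itself worth a look
        return [f"unparseable plist: {exc}"]
    label = str(plist.get("Label", ""))
    if label in KNOWN_LABELS or Path(filename).stem in KNOWN_LABELS:
        reasons.append(f"label matches known indicator: {label or Path(filename).stem}")
    args = [str(a) for a in plist.get("ProgramArguments") or []]
    if args:
        exe = Path(args[0]).name
        if exe in INLINE_INTERPRETERS and any(a in ("-c", "-e") for a in args[1:]):
            reasons.append(f"interpreter {exe} run with inline command")
    return reasons


def scan_launch_agents(dirs=("~/Library/LaunchAgents", "/Library/LaunchAgents")):
    """Walk the LaunchAgent folders and map each flagged plist path to its reasons."""
    findings = {}
    for d in dirs:
        for p in Path(d).expanduser().glob("*.plist"):
            reasons = inspect_agent(p.name, p.read_bytes())
            if reasons:
                findings[str(p)] = reasons
    return findings


# Constructed samples (not the real DarthMiner plist) used to exercise the checks.
SUSPECT_PLIST = plistlib.dumps({
    "Label": "com.proxy.initialize",
    "ProgramArguments": ["/usr/bin/python", "-c", "PLACEHOLDER_COMMAND"],
    "RunAtLoad": True,
})
BENIGN_PLIST = plistlib.dumps({"Label": "com.example.backup", "ProgramArguments": ["/usr/bin/true"]})

if __name__ == "__main__":
    print(inspect_agent("com.proxy.initialize.plist", SUSPECT_PLIST))
    for path, reasons in scan_launch_agents().items():
        print(path, reasons)
```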
The analysis of the code revealed another interesting feature: code to download and install a root certificate for the
“Interestingly, there’s code in that script to download and install a root certificate associated with the
Further details, including Indicators of Compromise (IoCs), are reported in the analysis,
“Please, in the future, do yourself a favor and don’t pirate software. The costs can be far higher than purchasing the software you’re trying to get for free,” Malwarebytes concludes.
(Security Affairs – Mac malware, backdoor)