Experts from Malwarebytes discovered a new piece of Mac malware, tracked as DarthMiner, that combines two open-source tools.
The malware is distributed through Adobe Zii, an application that supposedly helps pirate various Adobe programs. In this case, the attackers used a fake Adobe Zii that was not the real application.
“Earlier this week, we discovered a new piece of Mac malware that is combining two different open-source tools—the EmPyre backdoor and the XMRig cryptominer—for the purpose of evil.” reads the analysis published by Malwarebytes.
“The malware was being distributed through an application named Adobe Zii.”
The fake Adobe Zii application was developed to run a shell script that downloads and executes a Python script, and then downloads and runs an app named sample.
The Python script looks for the presence of Little Snitch, a commonly used outgoing firewall, and halts the infection process if it is present.
Then the script opens a connection to an EmPyre back end that sends arbitrary commands to the compromised Mac. Next, the backdoor downloads a script that fetches and installs the other components of the malware. The malware creates a launch agent named com.proxy.initialize.plist that keeps the
The malicious code also installs the XMRig cryptominer and creates a launch agent
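Both components persist through launchd launch agents, so the file name reported above (com.proxy.initialize.plist) is the most concrete artifact a defender can sweep for. The following triage script is an added example, not code from the article or from Malwarebytes: it parses every plist in the standard launchd locations, flags files whose name is on a watch list, and reports the label and the command they run; the sample plist it writes for the offline demo uses placeholder values, not anything taken from the real malware.

```python
import plistlib
import tempfile
import xml.parsers.expat
from pathlib import Path

# Launch agent file name reported for DarthMiner (taken from the article).
KNOWN_AGENT_NAMES = {"com.proxy.initialize.plist"}
# Standard launchd locations to inspect on a live macOS host.
DEFAULT_DIRS = [Path.home() / "Library/LaunchAgents",
                Path("/Library/LaunchAgents"), Path("/Library/LaunchDaemons")]
# Constructed sample plist for the offline demo; label and command are placeholders.
SAMPLE_PLIST = {"Label": "com.proxy.initialize", "RunAtLoad": True,
                "ProgramArguments": ["/bin/sh", "-c", "/tmp/PLACEHOLDER_payload"]}

def inspect_plist(path):
    """Parse one launchd plist into a triage record; None if it cannot be read."""
    try:
        with open(path, "rb") as fh:
            data = plistlib.load(fh)
    except (OSError, ValueError, plistlib.InvalidFileException,
            xml.parsers.expat.ExpatError):
        return None  # malformed or unreadable: skip it rather than abort the scan
    args = data.get("ProgramArguments") or ([data["Program"]] if "Program" in data else [])
    return {"file": str(path), "label": data.get("Label", ""),
            "program": " ".join(str(a) for a in args),
            "run_at_load": bool(data.get("RunAtLoad", False))}

def find_known_agents(dirs=DEFAULT_DIRS, names=KNOWN_AGENT_NAMES):
    """Return triage records for plists under `dirs` whose file name is in `names`."""
    findings = []
    for d in dirs:
        if not Path(d).is_dir():
            continue  # e.g. /Library/LaunchDaemons is absent when run off-macOS
        for plist in sorted(Path(d).glob("*.plist")):
            rec = inspect_plist(plist)  # every file is parsed, so corrupt ones are exercised
            if rec and plist.name in names:
                findings.append(rec)
    return findings

def demo_scan():
    """Write the constructed sample (plus a corrupt file) to a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        with open(Path(tmp) / "com.proxy.initialize.plist", "wb") as fh:
            plistlib.dump(SAMPLE_PLIST, fh)
        (Path(tmp) / "broken.plist").write_bytes(b"not a plist")  # must not crash the scan
        return find_known_agents([tmp])

if __name__ == "__main__":
    print(*demo_scan(), *find_known_agents(), sep="\n")  # demo hit first, then live host
```

Extend KNOWN_AGENT_NAMES with the other launch agent names from the full Malwarebytes IoC list to cover the XMRig persistence as well.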
The analysis of the code revealed another interesting feature, the code to download and install a root certificate for the
“Interestingly, there’s code in that script to download and install a root certificate associated with the
Further details, including Indicators of Compromise (IoCs), are reported in the analysis,
“Please, in the future, do yourself a favor and don’t pirate software. The costs can be far higher than purchasing the software you’re trying to get for free,” Malwarebytes concludes.
(Security Affairs – Mac malware, backdoor)