Darthminer is a recently discovered threat that targets Mac systems via Adobe. Malwarebytes security researches warn that the threat is actually a combination of two open-source programs.
The threat is distributed through an application called Adobe Zii. It utilizes a generic Automater applet icon instead of a stolen Adobe Creative Cloud logo. The fake application runs a shell script that downloads and executes a Python script. Then it downloads and runs an app named sample.app. The sample.app appears to be a version of Adobe Zii in an effort to conceal its malicious activity.
Malwarebytes states that “the obfuscated Python script looks for the presence of Little Snitch, a commonly-used outgoing firewall, and stops the infection process if the tool is found.” They also note that the firewall should have already blocked the script’s download attempts.
Next, the script generates an EmPyre backend door that can execute arbitrary commands on the infected Mac. Scripts are fetched via that backdoor, and other malicious malware components are installed. It is this backdoor that is the true concern. Further, a launch agent ensures persistence. As if that weren’t enough, the attack also results in the XMRig cryptominer being installed on the compromised Mac with its own launch agent to keep the process running.
“It’s impossible to know exactly what damage this malware might have done to infected systems. Just because we have only observed the mining behavior does not mean it hasn’t ever done other things,” Malwarebytes notes. Further analysis of the script also revealed code to download and install a root certificate for the mitmproxy tool. The tool can intercept web traffic, including encrypted traffic, however, it isn’t active in the observed malware.
A key issue surrounding this threat is software piracy, which will compound Mac infections if the threat is copied and distributed along with the software. Malwarebytes implored people to forego downloading and using pirated software, pointing out that it could cost users more than buying legitimate software. Security awareness training can also prevent many computer and system infection. Learn more about it here.