Mac Coinminer Uses New Technique to Hide Its Traffic
Report Says Coinminer Masquerades as Legitimate App
Security researchers have spotted a Mac coinminer that repurposes customized open-source components for its malicious routine. Unlike other Mac malware that relies on Tor, this sample uses i2pd, a C++ I2P client, to hide its network traffic from casual inspection.
"Coinminers are one of the more profitable types of malware for malicious actors, and they require little maintenance once installed on a victim’s device. The malicious actor can have a coinminer masquerade itself as a legitimate app, trick susceptible users into running it on their systems, and just wait for the profits to roll in," according to Luis Magisa, threat analyst at Trend Micro.
The Trend Micro researchers, in their analysis of a coinminer sample sourced in early January 2022, found that the sample used several open-source components that the malicious actor had modified for their purposes.
The sample analyzed by the researchers used i2pd, aka I2P Daemon, a C++ implementation of an I2P client, to hide its network traffic.
I2P, the Invisible Internet Project, is an anonymous overlay network that provides end-to-end encrypted communication in which participants do not have to reveal their IP addresses to each other.
Other Mac malware families, such as Eleanor, Dok and KeRanger, use Tor to hide their network activity; this sample's use of i2pd instead is what makes the campaign unique, the researchers say.
Sharda Tickoo, technical director at Trend Micro India, tells Information Security Media Group that a review of the feedback logs showed that the analyzed sample was not actively spreading in the wild at the moment. But evidence suggests that this malware is under active development, and the actors behind it may have a bigger impact in the future.
The main sample, detected as Coinminer.MacOS.MALXMR.H, is a Mach-O file that several vendors already flag because it contains XMRig-related strings that signature tools such as YARA match easily.
XMRig is an open-source, cross-platform command-line miner for the Monero cryptocurrency. Because it is freely available and easy to run, other malware routinely bundles it to do the actual cryptomining (see: Malware Opens the Door to XMRig Cryptominer).
"The main Mach-O sample was found to be ad hoc-signed. This means that the Mach-O binary will not easily run on Mac systems and might be blocked by Gatekeeper, which is a built-in security feature for macOS that enforces code signing," the researchers say.
The researchers say they suspect the Mach-O sample arrived inside a DMG, Apple's disk image format, which is commonly used to distribute installers; the package masquerades as an installer for Adobe Photoshop CC 2019 v20.0.6. They were unable to obtain the parent file.
Code snippets in the dropped files show the sample trying to launch a file under /Volumes that does not exist. This matters, the researchers say, because macOS mounts DMG files under /Volumes by default when they are double-clicked, which ties the missing file to a mounted disk image.
"The main Mach-O sample (detected as Coinminer.MacOS.MALXMR.H) was found to contain several embedded Mach-O files. When executed, it leverages the AuthorizationExecuteWithPrivileges API to escalate privileges by prompting the user for credentials," according to the researchers.
The sample dropped the following files into the system:
Trend Micro researchers say the sample's "auth" Mach-O component, the one that prompts for credentials, handles persistence. It creates LaunchDaemons/com.adobe.acc.installer.v1.plist, a launch daemon that starts com.adobe.acc.installer.v1 at every boot. That binary in turn attempts to launch a nonexistent file, Adobe Photoshop CC 2019/Contents/MacOS/.Patch.com.adobe.acc.installer.v1, to start the other binaries.
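The persistence routine above is the kind of thing a responder can audit directly: every LaunchDaemon plist names the executable launchd will run, and the traits in this sample (a dot-prefixed hidden file name, a path that points into a mounted DMG, a target that does not exist on disk) are all visible from the plist alone. The script below is an added example, not Trend Micro's code or the malware's. The two plists it writes are constructed; the label and the .Patch file name are taken from the article, while the /Volumes prefix on the path is an assumption.

```python
"""Audit LaunchDaemon plists for the persistence pattern described above.

Added example, not Trend Micro's code. It reads each plist, resolves the
executable it will run, and flags dot-prefixed (hidden) names, paths under
/Volumes (where DMGs mount), and targets that do not exist on disk. The two
plists are constructed inline so the script runs offline; the label and the
.Patch file name come from the article, the /Volumes prefix is an assumption.
"""
import os
import plistlib
import sys
import tempfile
from pathlib import Path
from typing import Dict, List, Optional


def program_path(plist: dict) -> Optional[str]:
    """Executable launchd will start: 'Program' wins, else ProgramArguments[0]."""
    if plist.get("Program"):
        return plist["Program"]
    args = plist.get("ProgramArguments") or []
    return args[0] if args else None


def audit_plist(path: Path) -> List[str]:
    """Findings for one plist; an empty list means nothing suspicious was seen."""
    try:
        with open(path, "rb") as fh:
            plist = plistlib.load(fh)
    except Exception as exc:  # a plist launchd cannot parse is still worth a look
        return [f"unparseable plist: {exc}"]
    prog = program_path(plist)
    if prog is None:
        return ["no Program or ProgramArguments key"]
    findings = []
    if os.path.basename(prog).startswith("."):
        findings.append(f"hidden executable name: {prog}")
    if prog.startswith("/Volumes/"):
        findings.append(f"executable lives on a mounted volume (DMG?): {prog}")
    if not os.path.exists(prog):
        findings.append(f"executable does not exist: {prog}")
    return findings


def audit_directory(directory: Path) -> Dict[str, List[str]]:
    """Audit every .plist in one directory, keyed by file name."""
    return {p.name: audit_plist(p) for p in sorted(directory.glob("*.plist"))}


def build_sample_dir() -> Path:
    """Write one plist mimicking the article's daemon and one benign plist to a temp dir."""
    d = Path(tempfile.mkdtemp())
    suspicious = {
        "Label": "com.adobe.acc.installer.v1",
        # /Volumes prefix is assumed; the rest of the path is the one the article names
        "ProgramArguments": [
            "/Volumes/Adobe Photoshop CC 2019/Contents/MacOS/.Patch.com.adobe.acc.installer.v1"
        ],
        "RunAtLoad": True,
    }
    # benign entry points at the running interpreter, so the target always exists
    benign = {"Label": "com.example.agent", "ProgramArguments": [sys.executable, "-c", "pass"], "RunAtLoad": True}
    with open(d / "com.adobe.acc.installer.v1.plist", "wb") as fh:
        plistlib.dump(suspicious, fh)
    with open(d / "com.example.agent.plist", "wb") as fh:
        plistlib.dump(benign, fh)
    return d


if __name__ == "__main__":
    # pass a real directory such as /Library/LaunchDaemons to audit a live system
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else build_sample_dir()
    for name, findings in audit_directory(target).items():
        print(f"{name}: {findings or 'ok'}")
```

Run it with no arguments to see the constructed cases, or point it at /Library/LaunchDaemons and /Library/LaunchAgents on a Mac under investigation. A missing target is the most telling of the three checks here: a daemon that references a file launchd can never start is either broken or waiting for a payload that has not yet been dropped.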
The Mach-O binary com.adobe.acc.localhost is responsible for the mining routine, the researchers say.
"The file is a modified XMRig command-line app. It can be seen by typing help or version in the parameters when launching the app. The version parameter displays the version of the XMRig binary, and the help parameter displays the list and description of the parameters that can be used."
The researchers compared the sample with the official XMRig build from https://xmrig.com/ and found a JSON-formatted config file embedded in the com.adobe.acc.localhost binary that was absent from the official binaries they obtained.
The embedded config sets the mining server to 127.0.0.1:4545, the username to pshp and the password to x. "The mining server address seems invalid since the 127.0.0.1 address is a local host address," the researchers say, an apparent contradiction that the i2pd component later resolves.
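Pulling an embedded config out of a binary and asking whether its pool address makes sense is a routine triage step, and a loopback pool is the tell that some other local process must be relaying the traffic. The script below is an added example, not Trend Micro's code. It scans raw bytes for brace-balanced JSON, parses what it finds, and flags pools whose host is a loopback or private IP literal. The sample blob is constructed: the pool address 127.0.0.1:4545, user pshp and password x come from the article; the key names follow XMRig's config.json layout (pools/url/user/pass); the surrounding bytes are filler standing in for the rest of the Mach-O.

```python
"""Locate and parse a JSON config embedded in a binary, and flag loopback pools.

Added example, not Trend Micro's code. It scans raw bytes for brace-balanced
ASCII JSON objects, parses those it finds, and flags any pool whose host is a
loopback address, which only works if a local proxy (here, the modified i2pd)
relays the traffic. The sample blob is constructed inline: the pool address
127.0.0.1:4545, user pshp and password x come from the article; the key names
follow XMRig's config.json layout (pools/url/user/pass); the other bytes are
filler standing in for the rest of the Mach-O.
"""
import ipaddress
import json
from typing import Dict, List


def find_json_objects(blob: bytes, min_len: int = 20) -> List[dict]:
    """Return every parseable JSON object found in blob, located by balanced-brace scanning."""
    objs: List[dict] = []
    i, n = 0, len(blob)
    while i < n:
        if blob[i] != ord("{"):
            i += 1
            continue
        depth, in_str, esc, end = 0, False, False, None
        j = i
        while j < n:
            c = blob[j]
            if c > 0x7E or (c < 0x20 and c not in (0x09, 0x0A, 0x0D)):
                break  # non-printable byte: we have run off the end of any JSON text
            if in_str:
                if esc:
                    esc = False
                elif c == ord("\\"):
                    esc = True
                elif c == ord('"'):
                    in_str = False
            elif c == ord('"'):
                in_str = True
            elif c == ord("{"):
                depth += 1
            elif c == ord("}"):
                depth -= 1
                if depth == 0:
                    end = j + 1
                    break
            j += 1
        if end is not None and end - i >= min_len:
            try:
                objs.append(json.loads(blob[i:end].decode("ascii")))
                i = end  # resume after the object so nested braces are not re-scanned
                continue
            except ValueError:  # covers JSONDecodeError and UnicodeDecodeError
                pass
        i += 1
    return objs


def pool_findings(cfg: dict) -> List[str]:
    """Flag XMRig-style pool entries whose host is a loopback or private IP literal."""
    findings = []
    for pool in cfg.get("pools", []):
        url = str(pool.get("url", ""))
        host = url.split("://", 1)[-1]  # drop an optional scheme such as stratum+tcp://
        host = host.rsplit(":", 1)[0] if ":" in host else host
        try:
            addr = ipaddress.ip_address(host.strip("[]"))
        except ValueError:
            continue  # a hostname, not an IP literal; nothing to say here
        if addr.is_loopback:
            findings.append(f"pool {url} is loopback: a local proxy must be relaying the traffic")
        elif addr.is_private:
            findings.append(f"pool {url} is a private-range address")
    return findings


def analyze(blob: bytes) -> Dict[str, list]:
    """Extract every embedded config that has a pools list and collect findings for each."""
    configs = [c for c in find_json_objects(blob) if isinstance(c, dict) and "pools" in c]
    return {"configs": configs, "findings": [f for c in configs for f in pool_findings(c)]}


# Constructed stand-in for the com.adobe.acc.localhost binary: Mach-O 64-bit magic,
# a couple of XMRig argument strings, the embedded config, then filler.
SAMPLE_BLOB = (
    b"\xcf\xfa\xed\xfe" + b"\x00" * 12
    + b"--help\x00--version\x00"
    + b'{"autosave":false,"pools":[{"url":"127.0.0.1:4545","user":"pshp","pass":"x","tls":false}]}'
    + b"\x00XMRig\x00" + b"\x90" * 8
)

if __name__ == "__main__":
    result = analyze(SAMPLE_BLOB)
    for cfg in result["configs"]:
        print(json.dumps(cfg, indent=2))
    for finding in result["findings"]:
        print("!", finding)
```

To use it on a real sample, read the file with `open(path, "rb").read()` and pass the bytes to `analyze`. The brace scanner deliberately bails out at the first non-printable byte, so a config that XMRig stores as plain text is found while random binary runs that happen to contain a brace are discarded cheaply.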
Readable strings in the com.adobe.acc.network Mach-O file showed it to be a modified i2pd build, which the output of its --version parameter confirmed, the researchers say.
According to the researchers, i2pd is an open-source alternate implementation of I2P that is written in C++ instead of Java. "I2P is an anonymous network layer (implemented as a mix network) that allows for censorship-resistant, peer-to-peer communication. Anonymous connections are achieved by encrypting the user's traffic and sending it through a volunteer-run network of roughly 55,000 computers distributed around the world. I2P can also be seen as an alternative to Tor," they say.
The researchers compared the malware binary with the official i2pd binary of the same version; both are around 10 MB, which made isolating the malicious additions challenging, they say.
"Because of this, we focused our attention on the readable strings and codes not found on the official version. We were then able to find the suspicious string and the related code snippet."
They say the XMRig traffic to 127.0.0.1:4545 is picked up by the modified i2pd and tunneled over I2P, and that the local connection can be observed with the lsof terminal command. "The site can only be accessed through I2P," the researchers say.
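What lsof shows in this situation is two halves of one flow: the miner's socket to 127.0.0.1:4545 and, under a different PID, the listener on that port plus that process's own outbound connections to I2P peers. Joining those rows by port and PID is what turns "a process talking to localhost" into "a process whose traffic leaves the box through another one". The script below is an added example, not Trend Micro's code. The sample lines are constructed to mirror the article (com.adobe.acc.localhost connecting to 127.0.0.1:4545, com.adobe.acc.network listening there); PIDs, file descriptors, device values and the i2pd peer address are assumptions.

```python
"""Correlate `lsof -i -n -P +c 0` output to show a miner whose pool connection
ends at a local listener owned by another process, which then talks outward.

Added example, not Trend Micro's code. The sample lines are constructed to
mirror the article: com.adobe.acc.localhost (XMRig) connects to 127.0.0.1:4545,
where com.adobe.acc.network (the modified i2pd) listens and relays over I2P.
PIDs, file descriptors, the device column and the i2pd peer are assumptions.
(+c 0 stops lsof truncating the COMMAND column, so the names stay distinguishable.)
"""
from typing import Dict, List, Tuple

SAMPLE_LSOF = """\
COMMAND                  PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
com.adobe.acc.network   4120 root   10u  IPv4 0x1a2b      0t0  TCP 127.0.0.1:4545 (LISTEN)
com.adobe.acc.network   4120 root   13u  IPv4 0x1a2c      0t0  TCP 192.0.2.10:61234->203.0.113.7:10459 (ESTABLISHED)
com.adobe.acc.localhost 4133 root    7u  IPv4 0x1a2d      0t0  TCP 127.0.0.1:61240->127.0.0.1:4545 (ESTABLISHED)
sshd                     612 root    3u  IPv4 0x1a2e      0t0  TCP *:22 (LISTEN)
"""

LOOPBACK = ("127.0.0.1", "[::1]")
LISTEN_ANY = {"127.0.0.1", "localhost", "*", "[::1]"}


def parse_lsof(text: str) -> List[Dict[str, object]]:
    """Parse the TCP rows of lsof -i output into dicts with cmd, pid, local, remote, state."""
    rows: List[Dict[str, object]] = []
    for line in text.splitlines()[1:]:  # skip the header row
        parts = line.split(None, 8)     # NAME is the 9th field and may contain a space
        if len(parts) < 9 or parts[7] != "TCP":
            continue
        name, state = parts[8], ""
        if name.endswith(")"):          # e.g. "127.0.0.1:4545 (LISTEN)"
            name, _, state = name.rpartition(" (")
            state = state.rstrip(")")
        local, _, remote = name.partition("->")
        rows.append({"cmd": parts[0], "pid": int(parts[1]), "local": local,
                     "remote": remote, "state": state})
    return rows


def split_addr(addr: str) -> Tuple[str, int]:
    """'host:port' -> (host, port); works for '*', IPv4 and bracketed IPv6 literals."""
    host, _, port = addr.rpartition(":")
    return host, int(port)


def find_local_tunnels(rows: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Pair each loopback client connection with the listener owning that port, and list
    the listener's own non-loopback peers, i.e. where the traffic really leaves the host."""
    listeners: Dict[int, Dict[str, object]] = {}
    for r in rows:
        if r["state"] == "LISTEN":
            host, port = split_addr(str(r["local"]))
            if host in LISTEN_ANY:
                listeners[port] = r
    tunnels = []
    for r in rows:
        if r["state"] != "ESTABLISHED" or not r["remote"]:
            continue
        rhost, rport = split_addr(str(r["remote"]))
        if rhost not in LOOPBACK or rport not in listeners:
            continue
        proxy = listeners[rport]
        if proxy["pid"] == r["pid"]:
            continue  # a process connecting to itself is not a relay
        peers = [str(x["remote"]) for x in rows
                 if x["pid"] == proxy["pid"] and x["state"] == "ESTABLISHED"
                 and x["remote"] and split_addr(str(x["remote"]))[0] not in LOOPBACK]
        tunnels.append({"client": (r["cmd"], r["pid"]), "port": rport,
                        "proxy": (proxy["cmd"], proxy["pid"]), "proxy_peers": peers})
    return tunnels


if __name__ == "__main__":
    for t in find_local_tunnels(parse_lsof(SAMPLE_LSOF)):
        print(f"{t['client'][0]} (pid {t['client'][1]}) -> 127.0.0.1:{t['port']} served by "
              f"{t['proxy'][0]} (pid {t['proxy'][1]}), which is talking to {t['proxy_peers']}")
```

On a live Mac, feed it the output of `sudo lsof -i -n -P +c 0` (root is needed to see other users' sockets). The same join also exposes Tor-based samples such as the ones mentioned earlier: the only difference is that the listener is a tor process on its SOCKS port rather than i2pd on 4545.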
Comparison With Older Samples
The researchers say they investigated previous iterations of the malware, which showed its evolution over the past few years. "We can use these findings to create the necessary security measures should this malware continue to evolve and spread in the future," they say.
Similarities between the old and new samples include masquerading as Adobe Photoshop or Logic Pro X and using i2pd to reach the same download server hosted on I2P.
The download server hosts several files, and some samples use random file names and zero-byte padding to evade detection, the researchers say. Four samples used a persistence routine and one overwrote the Mach-O executable in the installed Adobe Photoshop app.
"All samples were suspected to be packaged in a DMG file since these samples try to launch or copy from /Volumes directory where DMG files are mounted by default," according to the researchers.
Tickoo recommends keeping security products updated and staying current with the latest detection patterns. "Avoid installing apps from illegitimate channels and practice good internet hygiene," she tells ISMG.