Also contains a disabled encrypted traffic sniffer module

Dec 7, 2018 20:37 GMT  ·  By

A slightly weird malware strain has been observed using the open source XMRig cryptominer and EmPyre backdoor utilities to target software pirates as reported by Malwarebytes Labs.

The OSX.DarthMiner malware was designed to emulate the Adobe Zii tool used to pirate various Adobe apps, although it failed to also copy its icon instead bundling an Automator applet icon that stands out, potentially breaking the "illusion."

Although the malware contains code that might potentially intercept encrypted traffic with the help of a mitmproxy root certificate, the OSX.DarthMiner authors commented it out, deciding to only use it as a dropper for the Python-based EmPyre backdoor.

In the next step of the infection, after the backdoor script capable of running arbitrary commands is downloaded and launched on the compromised system, the malware makes sure that it gains persistence between reboots with the help of a launch agent named com.proxy.initialize.plist.

Next, the XMRig cryptominer together with a configuration file is downloaded into the /Users/Shared/ folder and a new launch agent dubbed com.apple.rig.plist is set up to make sure the cryptominer will always use the malware's authors mining configuration.

DarthMiner could also have other malware-like behavior besides cryptomining

Even though the OSX.DarthMiner malware seems to be harmless at first sight given that malicious cryptominers will at most slow down the victim's Mac by sucking up all CPU and GPU resources, there's more to it than meets the eye.

"It’s important to keep in mind that the cryptominer was installed through a command issued by the backdoor, and there may very well have been other arbitrary commands sent to infected Macs by the backdoor in the past," added Malwarebytes' Thomas Reed.

Furthermore, "It’s impossible to know exactly what damage this malware might have done to infected systems. Just because we have only observed the mining behavior does not mean it hasn’t ever done other things."

Among the malicious tasks OSX.DarthMiner could allow the bad actors to run in the background secretly, data collection and exfiltration is probably the least dangerous.

Some would say that software pirates are probably the most deserving targets when it comes to malware attacks and we also tend to agree. After all, when karma hits, it hits hard.