A new type of malicious software infecting Apple's Macs is mining monero, researchers with cybersecurity firm Malwarebytes announced.
In a blog post Tuesday, the antivirus software developer revealed that an innocuous Mac process called "mshelper" was being abused on infected machines to mine monero for an unknown attacker. Malwarebytes director of Mac and mobile Thomas Reed wrote that along with a combination of other malicious processes, mshelper utilized large amounts of central processing unit (CPU) power, but was "not particularly dangerous" to Macs.
"Affected users saw their fans whirring out of control and a process named 'mshelper' gobbling up CPU time like Cookie Monster. Fortunately, this malware is not very sophisticated and is easy to remove," he wrote, adding:
There are three main components to the malware, he wrote: the dropper, a program that downloads the malware; the launcher, which installs and launches the malware; and the miner itself, which is based on XMRig, an open source monero miner.
Malwarebytes has not yet discovered what the dropper program is, but past examples include fake Adobe Flash Player installers and other downloaded software, Reed said.
However, the dropper installs a launcher called "pplauncher," which in turn installs the miner. Notably, pplauncher is written in Golang, which Reed says is an odd choice. He added that "using this for what appears to be simple functionality is probably a sign that the person who created it is not particularly familiar with Macs."
His final assessment is that the miner, while annoying, is not complicated, and can be easily removed. He noted that there are an increasing number of Mac cryptominers, saying:
"Mac cryptomining malware has been on the rise recently, just as in the Windows world. This malware follows other cryptominers for macOS ... I’d rather be infected with a cryptominer than some other kind of malware, but that doesn’t make it a good thing."