New Strain of Malware Hijacks Apple Macs to Mine Monero

A monero cryptominer based on XMRig is hijacking Macs, causing high CPU and fan usage.

May 24, 2018 at 4:10 p.m. UTC
Updated Sep 13, 2021 at 7:59 a.m. UTC

A new type of malicious software infecting Apple's Macs is mining monero, researchers with cybersecurity firm Malwarebytes announced.

In a blog post Tuesday, the antivirus software developer revealed that an innocuous Mac process called "mshelper" was being abused on infected machines to mine monero for an unknown attacker. Malwarebytes director of Mac and mobile Thomas Reed wrote that along with a combination of other malicious processes, mshelper utilized large amounts of central processing unit (CPU) power, but was "not particularly dangerous" to Macs.

"Affected users saw their fans whirring out of control and a process named 'mshelper' gobbling up CPU time like Cookie Monster. Fortunately, this malware is not very sophisticated and is easy to remove," he wrote, adding:

"The malware became public knowledge in a post on Apple’s discussion forums, where the “mshelper” process was found to be the culprit. Digging deeper, it was discovered that there were a couple other suspicious processes installed as well. We went searching and found copies of these files."

There are three main components to the malware, he wrote: the dropper, which is a program which downloads the malware; the launcher, which installs and launches the malware; and the miner itself, which is based on XMRig, an open source monero miner.

Malwarebytes has not yet discovered what the dropper program is, but past examples include fake Adobe Flash Player installers and other downloaded software, Reed said.

However, it installs something called "pplauncher," which installs the miner. Notably, it is written in Golang, which Reed says is an odd choice. He added that "using this for what appears to be simple functionality is probably a sign that the person who created it is not particularly familiar with Macs."
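The article's two concrete indicators are process names (`mshelper`, and the `pplauncher` launcher that installs it) and the symptom that gave the infection away: a process consuming most of the CPU. The script below is an added example written for this page, not code from the article or from Malwarebytes; it scans `ps` output for either signal. The process names are those the article reports; the 80% CPU threshold, the `scan_ps_output` / `count_hits` function names and the sample process table are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the article or Malwarebytes: flag processes that match
# the names the article reports (mshelper, pplauncher) or that exceed a CPU
# threshold. Runs on macOS and Linux `ps`.

SUSPECT_NAMES='mshelper|pplauncher'   # names from the article
CPU_THRESHOLD=80                      # assumed threshold, tune to taste

# scan_ps_output reads `ps -eo pid,pcpu,comm` lines on stdin and prints one line
# per hit: "<reason> <pid> <cpu> <basename>". The command column may contain
# spaces (macOS prints full paths), so it is taken as "everything after the
# first two columns" rather than as $3.
scan_ps_output() {
  awk -v names="$SUSPECT_NAMES" -v thr="$CPU_THRESHOLD" '
    $1 == "PID" { next }                                   # skip the header
    NF >= 3 {
      pid = $1; cpu = $2 + 0
      comm = $0
      sub(/^[ \t]*[^ \t]+[ \t]+[^ \t]+[ \t]+/, "", comm)   # drop pid and cpu
      base = comm; sub(/.*\//, "", base)                   # basename only
      if (base ~ ("^(" names ")$"))  print "name-match", pid, $2, base
      else if (cpu >= thr)           print "high-cpu", pid, $2, base
    }'
}

# scan_live_system runs the same scan against the real process table.
scan_live_system() {
  ps -eo pid,pcpu,comm | scan_ps_output
}

# count_hits returns the number of flagged processes in a ps snapshot ($1).
count_hits() {
  printf '%s\n' "$1" | scan_ps_output | wc -l | tr -d ' '
}

# Constructed sample snapshot (not a real capture): one launcher at idle, one
# miner process under the article's name, and one unnamed CPU hog.
SAMPLE='  PID %CPU COMM
  101  0.3 /usr/libexec/launchd
  202 97.5 /Library/Application Support/pplauncher/mshelper
  303 12.0 /Applications/Safari.app/Contents/MacOS/Safari
  404 91.2 /tmp/.hidden/xmr
  505  0.1 /Library/Application Support/pplauncher/pplauncher'

# Show what the sample produces, then scan the host this script runs on.
printf '%s\n' "$SAMPLE" | scan_ps_output
scan_live_system
```

The name match catches the launcher even when it is idle, while the CPU rule catches a renamed miner; the article's point that the fan noise was the first symptom is exactly the second rule. A hit is a prompt to inspect the binary and its launch agent, not proof of infection on its own.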

His final assessment is that the miner, while annoying, is not complicated, and can be easily removed. He noted that there is an increasing number of Mac cryptominers, saying:

"Mac cryptomining malware has been on the rise recently, just as in the Windows world. This malware follows other cryptominers for macOS ... I'd rather be infected with a cryptominer than some other kind of malware, but that doesn't make it a good thing."

Macbook Pro image via thanmano / Shutterstock
