Researchers last week detected a fake Adobe piracy app that infects Mac users with a one-two combination of the EmPyre backdoor/post-exploitation agent and the XMRig cryptominer.
The app pretends to be Adobe Zii, a software program that facilitates the cracking and digital piracy of Adobe products, reports Thomas Reed, director of Mac and mobile at Malwarebytes, in a Dec. 7 company blog post.
While it actually does run a version of Zii as a ruse to disguise its malicious activity, the fake app is in reality a malicious shell script that Malwarebytes has aptly named OSX.DarthMiner -- a moniker that certainly fits its true, evil intentions. (Search your feelings. You know it to be true, as Anakin would say.)
The shell script executes an obfuscated Python script, which in turn sets the stage for EmPyre and XMRig, both of which are open-source programs.
After initially checking for the application firewall Little Snitch (with the intention of cancelling itself if it's found), the Python script "opens up a connection to an EmPyre backend, which is capable of pushing arbitrary commands to the infected Mac," Reed states in his report. Such commands ultimately result in the downloading of XMRig, plus a config file, into the /Users/Shared/ folder.
Reed warns that it's possible the EmPyre backdoor could also be used to install additional malware programs that could, for instance, exfiltrate files or steal passwords. Moreover, Malwarebytes discovered code in the script that's capable of downloading and installing "a root certificate associated with the mitmproxy software, which is software capable of intercepting all web traffic, including...encrypted https traffic. However, that code was commented out, indicating it was not active."
