A new cryptominer, dubbed Bird Miner, has been spotted in the wild targeting Mac devices and running via Linux emulation under the guise of a production software tool.
Malwarebytes researchers described Bird Miner as “somewhat stealthy” due to its instructions to bail out at multiple points if Activity Monitor is running and because of its ability to obfuscate the miner code by hiding it inside Qemu images, according to a June 23 blog post.
It's also worth noting that the malware runs via emulation, when it could easily run as native code and could have had better performance and a smaller footprint as a result.
Researchers found the malware hidden in a cracked installer for the high-end music production software Ableton Live, a tool used for live performance, composing, recording, mixing, and mastering.
The software retails for $749 but can be downloaded from a piracy website called VST Crack; the download is more than 2.6 GB, which is not an unusual size for such an app.
On closer inspection, researchers spotted clues that something was off, such as the installer’s postinstall script, which, among other things, copies some of the installed files to new locations under randomized names.
If the malware detects that Activity Monitor is not running, it then goes through a series of CPU usage checks; if those show the victim’s CPU running at more than 85 percent, the malware again unloads everything.
If all these checks pass, it loads the daemons for the other two processes, which run two nearly identical scripts that each load a separate executable, an inefficient design that tipped researchers off about the malware author’s level of competence.
“The fact that the malware runs two separate miners, each running from their own 130 MB Qemu image file, means that the malware consumes far more resources than necessary,” researchers said in the post.
“The fact that Bird Miner was created this way likely indicates that the author probably is familiar with Linux, but is not particularly well-versed in macOS.”
Researchers noted that despite the malware’s attempts to conceal itself on its server, it shoots itself in the foot by quite obviously launching daemons for persistence, and by using shell scripts to kick everything off.
While these actions don’t reveal the intent of the file, it is easy for a savvy user to notice that something suspicious is going on.
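The traits the post calls out (launch daemons for persistence, shell scripts kicking things off, a QEMU image doing the actual work, and a bail-out when Activity Monitor is running) are exactly what a defender can triage for. The script below is an added example, not code from the article or from Malwarebytes; the plist, the script body, the paths and the label are all constructed placeholders.

```python
import plistlib
import re

# Constructed sample of a suspicious launch daemon plist (hypothetical paths/label).
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.placeholder</string>
  <key>ProgramArguments</key><array>
    <string>/bin/sh</string>
    <string>/Library/Application Support/.hidden/launch.sh</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

# Constructed shell script body that the plist above would launch (hypothetical).
SAMPLE_SCRIPT = """#!/bin/sh
if pgrep -x "Activity Monitor" >/dev/null; then exit 0; fi
/usr/local/bin/qemu-system-x86_64 -drive file=/Library/Application\\ Support/.hidden/disk.qcow2
"""

# Constructed benign daemon for contrast: a native binary, no shell, no RunAtLoad.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key><array><string>/usr/local/libexec/updater</string></array>
</dict></plist>"""

SHELLS = {"/bin/sh", "/bin/bash", "/bin/zsh", "sh", "bash", "zsh"}
QEMU_RE = re.compile(r"qemu-system|\.qcow2?\b|\.img\b")
EVASION_RE = re.compile(r"Activity Monitor", re.IGNORECASE)


def daemon_findings(plist_bytes, script_text):
    """Return the reasons a launch daemon resembles the Bird Miner pattern."""
    findings = []
    plist = plistlib.loads(plist_bytes)
    args = plist.get("ProgramArguments", [])
    if args and args[0] in SHELLS:           # daemon is just a shell-script launcher
        findings.append("daemon runs a shell script")
    if plist.get("RunAtLoad"):               # classic persistence setting
        findings.append("runs at load (persistence)")
    if QEMU_RE.search(script_text):          # emulator binary or disk image referenced
        findings.append("script references QEMU or a disk image")
    if EVASION_RE.search(script_text):       # bails out when the user is watching
        findings.append("script checks for Activity Monitor")
    return findings
```

On a real system the plist bytes would come from /Library/LaunchDaemons and the script text from the path in ProgramArguments; any daemon that collects more than one finding deserves a manual look.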