New Mac malware ‘DarthMiner’ joins the dark side

Researchers last week detected a fake Adobe piracy app that infects Mac users with a one-two combination of the EmPyre backdoor/post-exploitation agent and the XMRig cryptominer.

The app pretends to be Adobe Zii, a software program that facilitates the cracking and digital piracy of Adobe products, reports Thomas Reed, director of Mac and mobile at Malwarebytes, in a Dec. 7 company blog post.

While it actually does run a version of Zii as a ruse to disguise its malicious activity, the fake app is in reality a malicious shell script that Malwarebytes has aptly named OSX.DarthMiner -- a moniker that certainly fits its true, evil intentions. (Search your feelings. You know it to be true, as Anakin would say.)

The shell script executes an obfuscated Python script, which in turn sets the stage for EmPyre and XMRig, both of which are open-source programs.

After initially checking for the application firewall Little Snitch (with the intention of cancelling itself if it's found), the Python script "opens up a connection to an EmPyre backend, which is capable of pushing arbitrary commands to the infected Mac," Reed states in his report. Such commands ultimately result in the downloading of XMRig, plus a config file, into the /Users/Shared/ folder.
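The report's description of the final stage (XMRig plus a config file dropped into /Users/Shared/) suggests a simple defender-side check. The following Python script is an added example and is not code from the Malwarebytes report; it walks a directory and flags two things: a JSON file shaped like an XMRig configuration (XMRig reads a `pools` list whose entries carry `stratum+tcp://` or `stratum+ssl://` URLs) and a file whose name contains `xmrig`. The directory, file names and pool URL in `build_sample_dir()` are constructed for the demonstration, not indicators from the report.

```python
import json
import os
import tempfile

# Heuristics for this added example. The pool-URL shape is how XMRig's
# config.json is laid out; the filename fragment is an assumption, since the
# report does not say what the dropped binary was called.
STRATUM_PREFIXES = ("stratum+tcp://", "stratum+ssl://")
SUSPECT_NAME_FRAGMENTS = ("xmrig",)
MAX_READ = 1_000_000  # don't slurp huge files just to test for JSON


def looks_like_xmrig_config(data):
    """True if a parsed JSON value has the shape of an XMRig config."""
    if not isinstance(data, dict):
        return False
    pools = data.get("pools")
    if not isinstance(pools, list):
        return False
    for pool in pools:
        url = pool.get("url", "") if isinstance(pool, dict) else ""
        if isinstance(url, str) and url.startswith(STRATUM_PREFIXES):
            return True
    return False


def scan_directory(root):
    """Walk `root` and return a list of (path, reason) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if any(frag in name.lower() for frag in SUSPECT_NAME_FRAGMENTS):
                findings.append((path, "filename matches a known miner binary name"))
                continue
            try:
                with open(path, "rb") as fh:
                    data = json.loads(fh.read(MAX_READ).decode("utf-8", "replace"))
            except (ValueError, OSError):
                continue  # not JSON, or unreadable: nothing to judge here
            if looks_like_xmrig_config(data):
                findings.append((path, "JSON file has XMRig-style stratum pool config"))
    return findings


def finding_names(findings):
    """Map basename -> reason, convenient for reporting and for tests."""
    return {os.path.basename(path): reason for path, reason in findings}


def build_sample_dir():
    """Create a temp directory of constructed sample files (not real IoCs)."""
    root = tempfile.mkdtemp(prefix="shared_sample_")
    with open(os.path.join(root, "config.json"), "w") as fh:
        json.dump({"pools": [{"url": "stratum+tcp://pool.example.invalid:3333",
                              "user": "WALLET_PLACEHOLDER"}]}, fh)
    with open(os.path.join(root, "notes.json"), "w") as fh:
        json.dump({"title": "grocery list"}, fh)  # benign JSON, must not be flagged
    with open(os.path.join(root, "xmrig"), "wb") as fh:
        fh.write(b"\xcf\xfa\xed\xfe")  # placeholder bytes standing in for a binary
    return root


if __name__ == "__main__":
    # On a real Mac you would pass "/Users/Shared" instead of the sample dir.
    for path, reason in scan_directory(build_sample_dir()):
        print(f"{path}: {reason}")
```

Run it against `/Users/Shared` (or any other drop location you care about) to get a quick triage list; a JSON match is stronger evidence than a filename match, since a miner binary can be renamed but still needs its pool configuration to do anything.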

Reed warns that it's possible the EmPyre backdoor could also be used to install additional malware programs that could, for instance, exfiltrate files or steal passwords. Moreover, Malwarebytes discovered code in the script that's capable of downloading and installing "a root certificate associated with the mitmproxy software, which is software capable of intercepting all web traffic, including...encrypted https traffic. However, that code was commented out, indicating it was not active."

Bradley Barth