Cryptojacking Malware Targeting macOS Found in Pirated Apps

Researchers at Jamf Threat Labs are highlighting the need for enhanced security on Apple devices as new ‘cryptojacking’ malware has been discovered in pirated macOS apps.


Cryptojacking, a stealthy and large-scale crypto-mining scheme, is becoming increasingly prevalent.

Since crypto-mining requires a significant amount of processing power, ongoing advancements in Apple ARM processors make macOS devices even more attractive targets for cryptojacking.

XMRig, a command-line crypto-mining tool first spotted in a pirated version of Final Cut Pro, is now being found in a handful of malicious applications.

This malware makes use of the Invisible Internet Project (i2p) to download malicious components and send mined currency to the attacker’s wallet.

Moreover, advanced variants of the malware mask its malicious i2p components within the application executable using base64 encoding.

Cryptojacking macos malware discovered by jamf threat labs 06

When the user double-clicks the Final Cut Pro icon, the trojanized executable runs, kicking off the shell calls to orchestrate the malware setup. Here’s how it works:

  1. User downloads and double-clicks application bundle
  2. Trojanized executable runs
  3. Working base64 encoded Final Cut Pro executable extracted
  4. Base64 encoded i2p executable extracted and disguised as mdworker_shared on execution
  5. The Miner executable is pulled from the command and control server
  6. Mining begins disguised as mdworker_local process

In macOS Ventura, Apple has introduced security improvements that pose a new challenge to this approach.

The more stringent codesigning checks in Ventura verify that all notarized apps are correctly signed and have not been modified by unauthorized processes, even after the first launch.

All known versions of this malware family are detected and blocked by Jamf Protect Threat Prevention. Visit the source page to learn more.

P.S. - Like our news? Support the site: become a Patreon subscriber. Or shop with our Amazon link, or buy us a coffee! We use affiliate links when possible--thanks for supporting independent media.