Crypto Mining On Mac: How macOS Malware is on the Rise

Following on from our introduction to Cryptojacking, let’s take a closer look at the current situation on the macOS platform.

It’s been a busy 12 months, with macOS researchers from SentinelOne, MalwareBytes and Digital Security all contributing to the discovery of a variety of Cryptojacking software on the platform. Even Apple’s App Store got involved, hosting an app that was surreptitiously mining cryptocurrency, as did malware researchers from China, proving that both malware and malware hunters truly know no borders.

Here’s a brief timeline of the major events we’ve seen so far:

SentinelOne's macOS Cryptojacking brief timeline of major events we've seen so far. Starting with November 2017 (OSX.CPUMeaner), February 2018 (CreativeUpdate), March 2018 (Calendar 2.APP), May 2018 (OSX.PPMINER), and August 2018 (SSL.PLIST).

A Crypto Mining Trend is Born

OSX.CPUMeaner was first analyzed by a SentinelOne researcher in November 2017. That was the second Cryptominer to be unearthed in 2017 by the same SentinelOne researcher.

Next came “CreativeUpdate”, so named after it was found being distributed by popular 3rd party distribution network macupdate.com in early 2018. In one of its forms, this trojan presented itself as a fake version of Firefox. The malware actually wraps and executes a real version of the Firefox browser, which will even update itself inside the malware wrapper. Here, the executable (highlighted in red) is the malware, and the path to the real Firefox (highlighted in green) is seen to be contained inside the malware’s Resources folder:

Screenshot image of "CreativeUpdate" malware code executing a real version of the Firefox browser.


That means while the running version of Firefox will appear to the user as up-to-date in the About menu, the Finder only shows the older version named in the malware’s plist:

Screenshot image of FireFox Quantum infected by the "CreativeUpdate" malware giving the illusion of it appearing to be up-to-date.


While the real Firefox gets on with the user’s browsing tasks, the malware runs a script to download and install the Cryptominer and a persistence agent:

Screenshot image of malware running a script to download and install the cyrptominer and a persistent agent.


CreativeUpdate was far from an isolated incident, with at least 23 older variants discovered through retro-hunts on VirusTotal.

Of course, all the Cryptominers mentioned above are detected and blocked by the SentinelOne agent.

Screenshot image of SentinelOne's agent detecting and blocking the cryptominers mentioned above.

Go Miners, Go…

Appearing in May 2018, OSX.ppminer was first spotted on Apple Support Communities. The launcher is intriguingly written in Go, or “Golang” as it is widely called, while the miner itself is an older version of XMLRig written in C. The choice of Go for the launcher is odd. It may reflect the background of the author, who could perhaps have worked on blockchain technology such as Ethereum or HyperLedger, where Go is a popular choice due its performance benefits.

OSX.ppminer is detected by the SentinelOne agent pre-execution:

A screenshot image of SentinelOne's agent notification pop up and detecting the OSX.ppminer malware.

Chinese malware researchers brought to light a more recent threat in August 2018. Again the Cryptojackers targeted those looking for pirated software such as games like League of Legends and productivity tools like MS Office. In this case, the miner came in the form of an executable called SSL or SSL2.plist, and was launched by an AppleScript applet hidden inside the fake pirated software bundle.

The trojan installs two items in the user’s LaunchAgent’s folder. The first com.apple.Yahoo.plist is in fact a compiled, “run-only” AppleScript, rather than the property list it appears to be. It’s executed on load and every 360 days by a real plist LaunchAgent, disguised with the name com.apple.Google.plist.

Screenshot image of the user's LaunchAgent's folder

The program arguments reveal that the coder was unfamiliar with AppleScript and osascript, confusingly using osascript to call itself via an AppleScript do shell script command.

Like the bitcoin-mining “free” Calendar app found in the App Store some months prior, SSL.plist uses the XMR-Stak pool miner and can leverage CPUs, AMD and NVIDIA GPUs to mine Monero, Aeon and many other Cryptonight coins.

As with other miners for macOS, the SentinelOne agent can block, kill or quarantine this threat, depending on the Management policy in force:

Screenshot image of SentinelOne agent either blocking, kill or quarantining the threat successfully.

Prepare For More Crypto Mining Updates…

Cryptojacking is on the rise on macOS just as it is on other platforms. While it’s tempting to think of Cryptominers as not particularly dangerous as malware goes, they can cause performance problems on your endpoints and your network, and they could lead to rising costs through the amount of power they consume. In so far as it is used to make money by harnessing your resources, Cryptojacking is a form of exploitation and theft. In that respect, unwanted Cryptominers are no different from any other kind of malware and should be treated as such.