Jamf Threat Labs on Thursday issued a report about a new malware threat on macOS that installs and runs crypto-mining software. The malware is attached to pirated copies of Final Cut Pro that are downloaded from unauthorized distribution points on the internet.
The pirated versions of Final Cut Pro have a crypto-mining tool called XMRig attached. When the software is downloaded and installed, XMRig launches in the background. Jamf reports that only “a handful” of malware protection apps are able to detect the hidden XMRig installation as of January.
XMRig itself is often used legitimately by crypto miners, but since it’s an open-source utility, it’s often subject to illegitimate uses like this one. With XMRig running in the background, the Mac devotes processing resources to the mining tasks, which affects performance.
Jamf said that this malware installation uses i2p to download further malicious components to the Mac and to send mined cryptocurrency to the attacker’s wallet. The i2p networking protocol is designed for anonymity: traffic is encrypted and carried through tunnels built between participating peers, so an observer on the local network sees only encrypted i2p traffic rather than a direct connection to the destination. Like XMRig, i2p has legitimate uses, but when malware relies on it, the usual network-level clues (the destination host or domain, plaintext protocol traffic) are hidden, which makes the activity harder to track or to block with a domain or IP blocklist.
Jamf’s research traced the malware to a source that has been uploading pirated versions of Final Cut Pro since 2019, and found that the malware actively avoids detection by macOS’s Activity Monitor app: if Activity Monitor is launched, XMRig stops running, and it relaunches once the user quits Activity Monitor. A casual look at Activity Monitor therefore shows nothing; a process listing taken another way (the ps or top command-line tools, for example) is a more reliable check.
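A practitioner can turn the evasion trick described above into a check: snapshot the running process names, open Activity Monitor, snapshot again, quit it and snapshot a third time. Anything present in the first and third snapshots but missing only while Activity Monitor was open fits the pattern. The shell code below is an added example written for this article, not Jamf’s detection logic; the three process-name snapshots are constructed, and the live helper assumes the macOS forms of `ps -axco comm`, `open -a` and `osascript`.

```shell
#!/bin/sh
# Added example, not from the article or from Jamf's report.
# Flag processes that disappear only while Activity Monitor is open.

# Constructed snapshots of process names (one name per line).
SNAP_BEFORE='loginwindow
Finder
Final Cut Pro
xmrig'
SNAP_DURING='loginwindow
Finder
Final Cut Pro
Activity Monitor'
SNAP_AFTER='loginwindow
Finder
Final Cut Pro
xmrig'

# contains_name SNAPSHOT NAME: exact, whole-line match
contains_name() {
    printf '%s\n' "$1" | grep -qxF -- "$2"
}

# names_in_first_only A B: names in snapshot A that are absent from snapshot B
names_in_first_only() {
    printf '%s\n' "$1" | while IFS= read -r name; do
        [ -n "$name" ] || continue
        contains_name "$2" "$name" || printf '%s\n' "$name"
    done
}

# evasion_suspects BEFORE DURING AFTER
# Prints names present in BEFORE and AFTER but missing from DURING.
# Returns 1 and prints nothing unless Activity Monitor appears only in
# DURING, because otherwise the comparison is meaningless.
evasion_suspects() {
    contains_name "$2" 'Activity Monitor' || return 1
    contains_name "$1" 'Activity Monitor' && return 1
    contains_name "$3" 'Activity Monitor' && return 1
    names_in_first_only "$1" "$2" | while IFS= read -r name; do
        # vanished while Activity Monitor was open; did it come back afterwards?
        contains_name "$3" "$name" && printf '%s\n' "$name"
    done
    return 0
}

# live_check: run the three-snapshot procedure on the current Mac (macOS only).
# Assumes macOS `ps -axco comm`, `open -a` and `osascript`; the sleeps give
# the miner time to react to Activity Monitor appearing and disappearing.
live_check() {
    before=$(ps -axco comm | sort -u)
    open -a 'Activity Monitor'; sleep 5
    during=$(ps -axco comm | sort -u)
    osascript -e 'tell application "Activity Monitor" to quit'; sleep 5
    after=$(ps -axco comm | sort -u)
    evasion_suspects "$before" "$during" "$after"
}

# Demo on the constructed snapshots (prints "xmrig"); on a Mac, call live_check.
evasion_suspects "$SNAP_BEFORE" "$SNAP_DURING" "$SNAP_AFTER"
```

A name reported by this check is only a candidate: a process that happened to exit and restart on its own during the window would also be listed, so confirm by repeating the procedure and by inspecting the binary the process was launched from.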
In a statement, Apple acknowledged the malware and said it has updated macOS’s XProtect to block “the specific variants cited in JAMF’s research,” and that the malware “does not bypass Gatekeeper protections.” Apple strengthened Gatekeeper in macOS Ventura to check on each launch that apps are correctly signed and have not been modified; previous versions of macOS only perform an initial check.
Downloading the pirated app usually involves a torrent client, and torrent clients generally do not set the com.apple.quarantine extended attribute that web browsers attach to downloads. Gatekeeper’s first-launch check is triggered by that attribute, so on macOS Monterey the unquarantined download is never evaluated and launches without any validation. With macOS Ventura, however, the pirated copy of Final Cut Pro won’t pass validation and won’t launch, but the illegitimate installation of XMRig still occurs, and the background mining proceeds.
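To make the quarantine point concrete, here is an added example in shell for macOS (it is not code from the article or from Jamf): it decodes the com.apple.quarantine value a browser writes on a download, reports whether a given bundle carries the attribute, and applies one where it is missing so that Gatekeeper evaluates a torrent-downloaded bundle before its first launch. The value layout `flags;hex-timestamp;agent;uuid` is as observed on macOS (Apple does not document the flag bits); the sample value, the flag value 0083 used when tagging, and the agent label ManualTag are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the article or from Jamf's report.
# Decode, check and apply the com.apple.quarantine extended attribute on macOS.

# Constructed sample of the value Safari writes on a download
# (layout observed on macOS: flags;hex-epoch-seconds;agent;uuid).
SAMPLE_QUARANTINE='0083;63f4c1a2;Safari;9B2F1A0C-2F3B-4C1D-8E0A-1234567890AB'

# parse_quarantine VALUE
# Prints one line: flags=<hex> downloaded=<epoch seconds> agent=<name>
parse_quarantine() {
    q_flags=$(printf '%s' "$1" | cut -d';' -f1)
    q_ts_hex=$(printf '%s' "$1" | cut -d';' -f2)
    q_agent=$(printf '%s' "$1" | cut -d';' -f3)
    # The timestamp is hexadecimal Unix time; printf evaluates 0x... as a C constant.
    q_ts=$(printf '%d' "0x$q_ts_hex")
    printf 'flags=%s downloaded=%s agent=%s\n' "$q_flags" "$q_ts" "$q_agent"
}

# quarantine_status PATH
# Prints "quarantined" or "not-quarantined"; returns 2 if xattr is unavailable
# (the attribute is a macOS feature, so the answer only means something there).
quarantine_status() {
    command -v xattr >/dev/null 2>&1 || return 2
    if xattr -p com.apple.quarantine "$1" >/dev/null 2>&1; then
        printf 'quarantined\n'
    else
        printf 'not-quarantined\n'
    fi
}

# ensure_quarantine PATH
# Torrent clients usually leave the attribute off, so Gatekeeper never gets its
# first-launch look at the bundle. Tagging the bundle ourselves forces that
# check on the next launch. Flags 0083 and the agent "ManualTag" are assumptions.
ensure_quarantine() {
    [ "$(quarantine_status "$1")" = "not-quarantined" ] || return 0
    q_now=$(printf '%x' "$(date +%s)")
    xattr -w com.apple.quarantine "0083;$q_now;ManualTag;$(uuidgen)" "$1"
}

# Demo on the constructed value. On a real Mac also try:
#   quarantine_status "/Applications/Final Cut Pro.app"
#   ensure_quarantine "/Applications/Final Cut Pro.app"
parse_quarantine "$SAMPLE_QUARANTINE"
```

Tagging a bundle this way only restores the check the download skipped; it does not remove anything the installer has already placed elsewhere, so a bundle that Gatekeeper then refuses should be treated as a sign to look for the miner as well.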
This malware attack is precisely why Apple wants you to shop at the App Store, where Apple vets each app to make sure it doesn’t contain malware. Eventually, more third-party security apps will catch on to this attack and provide protection (Jamf notes that this attack is blocked by its Protect Threat Prevention service). The easiest way to avoid this attack is to simply not use pirated software. The official version of Final Cut Pro costs $300, though there is a 90-day free trial. See: Do Macs need antivirus software? and How to protect your Mac from viruses. We also have a roundup of the best antivirus software for Macs.
Update 4:55pm ET: Added a statement from Apple.