New Bird Miner malware targets Mac pirates
A new variant of cryptocurrency mining malware called Bird Miner designed for Apple Mac is targeting users of pirated software.
While cryptocurrency mining malware, also known as cryptojacking software, is nothing new, this particular strain of malicious code comes with an interesting feature: the malware runs by emulating Linux on Mac.
The malware, detected as OSX.BirdMiner, was discovered in a cracked installer for Ableton Live 10, software used in music production, Malwarebytes said in a blog post on Thursday.
According to the researchers, the illegitimate installer and cracked version of the software are downloadable from a pirate website called VST
Crack. Considering the software is used for high-end musical production, the file size of 2.6GB may not put off potential victims — but it secretly contains the Bird Miner which begins work immediately on install.
The installer buries files in the application and shared directories, among others, with randomized names.
While the installer generates random names from a dedicated wordlist script, certain phrases are avoided, notably terms that many of us would not want to be associated with such as “Nazi” and “Hitler,” despite their appearance on the list.
The files dropped include daemons tasked with launching shell scripts including Crax, a system which scans for Activity Monitor, Mac’s process checker.
If the software is in use, then the malware attempts to “unload the other processes,” Malwarebytes says, likely in a bid to avoid detection.
If Activity Monitor is not active, Bird Miner then launches a series of CPU checks. CPU power is necessary to successfully mine cryptocurrency, and if the CPU usage is above 85 percent, the malware will bail out.
Anything less than 85 percent, however, will result in the launch daemons running Pecora and Krugerite, which separately load executable files.
One of the executables is called Nigel and is an old version of open-source emulator software called Qemu. This command-line form of virtualization software makes use of Apple’s hypervisor to run an image-based Linux executable — Tiny Core — hosted by another downloaded file called Poaceae.
The image also contains mydata.tgz, a file which ensures certain processes are loaded on startup including XMRig, a Monero (XMR) cryptocurrency miner.
As the scripts separately load these files, victims may end up with two miners working at the same time.
“As soon as the Tiny Core system boots up, XMRig launches without ever needing a user to log in,” the researchers say.
Since the original discovery, other examples of the malware being buried in cracked installers on VST Crack have been uncovered. It is likely that Bird Miner has been in circulation for at least four months.
Hiding a miner in a bootable image is somewhat stealthy, but the researchers say that given the hefty footprint of the malware and the choice to emulate rather than run as native code, Bird Miner “shoots itself in the foot, stealth-wise.”
“The fact that Bird Miner was created this way likely indicates that the author is probably familiar with Linux, but is not particularly well-versed in macOS,” Malwarebytes says. “Although this method does obfuscate the miner itself, which could help the malware evade detection, that benefit is countered by reliance on shell scripts and the heavy footprint of running not one but two miners simultaneously in emulation.”
Previous and related coverage
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0