Stealthy Mac Malware Delivered via Pirated Apps

Legitimate Mac software applications are being trojanized with malware and uploaded to Pirate Bay. From here, software pirates are downloading the apps and unknowingly infecting themselves. One example involves a stealthy implementation of XMRig cryptojacking malware; but the process could be used for other malware.

XMRig on Macs is not new. Trend Micro analyzed a sample in February 2022: “We suspected that the Mach-O sample arrived packaged in a DMG (an Apple image format used to compress installers) for Adobe Photoshop CC 2019 v20.0.6. However, the parent file was not successfully sourced.”

More recently, Apple security firm Jamf detected something similar: an XMRig implementation executing under the guise of the Apple-developed video editing software Final Cut Pro. In both cases, i2p (Invisible Internet Project) was used for outbound communication. This raised numerous questions: if the infections were connected a year apart, are they part of something larger, and why have other infections not been detected?A screenshot of a video game

Description automatically generated with medium confidence

In looking for the source of the malware, Jamf researchers turned to a Pirate Bay mirror to seek torrents of Final Cut Pro. They found one with a matching hash to the trojanized version they discovered in the wild. But they found more – a series of Apple Mac applications including Final Cut Pro, Logic Pro, and Photoshop, all uploaded to Pirate Bay by wtfisthat34698409672. This includes various versions of Final Cut Pro, allowing the researchers to analyze the malware development over time.

The researchers discovered three generations of the malware. The first generation, starting from August 2019, is a fairly standard implementation of malware. “The malware is still coming out of the pirated application, but it gets installed and it runs – it doesn’t worry about remaining stealthy,” Jamf’s macOS detections expert Jaron Bradley told SecurityWeek. It was new, it wasn’t being detected yet, and the author was more concerned about his or her own anonymity – hence the use of Pirate Bay for incoming and i2p for outgoing.

The second generation, starting from April 2021 and still undetected via VirusTotal as of February 13, 2023, was different. There were some…