A new Mac cryptominer was discovered this week, after affected users saw their fans whirring out of control and a process named "mshelper" gobbling up CPU time like Cookie Monster. Fortunately, this malware is not very sophisticated and is easy to remove.
The malware became public knowledge in a post on Apple's discussion forums, where the "mshelper" process was found to be the culprit. Digging deeper, it was discovered that there were a couple other suspicious processes installed as well. We went searching and found copies of these files.
The malware is mining for Monero cryptocurrency. Here's a breakdown of its components.
The dropperA "dropper" is what security researchers call the program that installs malware. Often, Mac malware is installed by things like fake Adobe Flash Player installers, downloads from piracy sites, decoy documents users are tricked into opening, and other such things.
In this case, the dropper is still unknown, but we do not believe it's anything sophisticated. Everything else about this malware suggests simplicity.
The launcherA file named pplauncher is installed in the following location:
~/Library/Application Support/pplauncher/pplauncherThis file is kept running by a launch daemon (com.pplauncher.plist), indicating that the dropper must have had root privileges.
pplauncher is a rather large executable file (3.5 MB) that was written in Golang and then compiled for macOS. The sole responsibility of this process appears to be the fairly simple process of installing and launching the miner process.
Using Golang introduces significant overhead, resulting in a binary file containing more than 23,000 functions. Using this for what appears to be simple functionality is probably a sign that the person who created it is not particularly familiar with Macs.
pplauncher SHA256: 8f1938d082393713539abb9dfa8bfde8e1a09721f622e6e597d4560219ffca0d
The minerThe miner is the mshelper process, which is installed here:
/tmp/mshelper/mshelperThis process appears to be an older version of the legitimate XMRig miner, which can be installed on Macs via Homebrew. Getting the version information from the current XMRig gives the following results:
$ xmrig -V XMRig 2.6.2 built on May 7 2018 with clang 9.0.0 (clang-900.0.39.2) features: 64-bit AESRequesting the same information from the mshelper process gives the following results:
$ /tmp/mshelper/mshelper -V XMRig 2.5.1 built on Mar 26 2018 with clang 9.0.0 (clang-900.0.39.2) features: x86_64 AES-NIClearly, mshelper is simply an older copy of XMRig that is being used for the purpose of generating the cryptocurrency for the hacker behind the malware. The pplauncher process provides the necessary command-line arguments, such as the following parameter specifying the user, found using the strings command on the pplauncher executable file:
mshelper SHA256: a00f6fbb2e00d35f938534e1c20ba2e02311536bcf60be2165037d68cba141b2
Mac cryptomining on the riseThis malware is not particularly dangerous, unless your Mac has a problem like damaged fans or dust-clogged vents that could cause overheating. Although the mshelper process is actually a legitimate piece of software being abused, it should still be removed along with the rest of the malware.
Mac cryptomining malware has been on the rise recently, just as in the Windows world. This malware follows other cryptominers for macOS, such as Pwnet, CpuMeaner, and CreativeUpdate. I'd rather be infected with a cryptominer than some other kind of malware, but that doesn't make it a good thing.
If you think you're infected with this malware, Malwarebytes for Mac will remove it. We detect this malware as OSX.ppminer.