A new Mac cryptocurrency miner, dubbed Bird Miner, has been detected in the wild by cybersecurity researchers. Malware analysis showed that this crypto-mining malware is unusual because it runs under Linux emulation.
The miner is delivered via various cracked apps that can be found all over the internet. If you download and install one of these apps, Bird Miner runs a post-install script that copies some of the installed files to new locations under randomized names, creates directories and moves programs.
The script's name generator takes an initial character as input and uses jot to generate a random line number, then extracts that line from a file to produce the name.
If we look at the files installed on the infected Mac under random names, we can see that they serve a variety of functions. Three of them are launch daemons; another one is named Crax, and its task is to make sure that the malware isn't terminated or detected. First, it checks whether Activity Monitor is running and, if it is, Crax terminates the processes that could lead to detection. If Activity Monitor isn't open, Crax then runs multiple CPU usage checks. If the checks show that the CPU is running at more than 85 percent, it terminates everything related to the miner. If all the checks pass, it loads the other two daemons: com.Flagellariaceae.plist, which runs a script named Pecora, and com.Dail.plist, which runs a script named Krugerite.
On closer inspection, Pecora and Krugerite turn out to be nearly identical, and each of them is tasked with loading a separate executable.
Both scripts once again check for Activity Monitor and terminate everything if it is running. When Activity Monitor is not open, Krugerite launches an executable named Nigel and passes the path to another file, Poaceae, as a parameter.
Cybersecurity experts found that the Nigel file is, in fact, an old version of the open-source software known as Qemu.
For those who don't know, Qemu is an open-source emulator that can run Linux executables on non-Linux systems. In this case, Qemu is being used to run the contents of an image file named Poaceae, using Apple's Hypervisor framework for better performance.
Inside the Poaceae file lies an image containing a bootable Linux system known as Tiny Core.
Analysts say that as soon as the Tiny Core system boots, xmrig launches without any user needing to log in, which means the miner is running even if nobody ever logs in.
Bird Miner is the stealthiest malware out there: it terminates everything related to itself at multiple points if Activity Monitor is running, and it obfuscates the miner code by hiding it inside Qemu images.
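As an added defender-side example (not code from this article or from the researchers who analysed Bird Miner), this Python script triages a launch daemon directory for the indicators described above: the two plist labels, the script and image names, and, because the file names are randomized per infection, a heuristic check for a renamed Qemu binary, which assumes that such a build still carries its banner strings. It builds a constructed sample directory so it runs offline; on a real Mac you would point scan_daemon_dir at /Library/LaunchDaemons.

```python
import os
import plistlib
import tempfile

# Indicators named in the article; file names are randomized per install, so the
# 'qemu' string check (assumption: a renamed QEMU build keeps its banner) is the durable one.
KNOWN_LABELS = {"com.Flagellariaceae", "com.Dail"}
KNOWN_NAMES = {"Crax", "Pecora", "Krugerite", "Nigel", "Poaceae"}

def looks_like_qemu(path):
    """True if the file at path embeds the string 'qemu' (case-insensitive)."""
    with open(path, "rb") as fh:
        return b"qemu" in fh.read().lower()

def scan_daemon_dir(daemon_dir):
    """Return {plist file name: [reasons]} for each suspicious launch daemon."""
    findings = {}
    for name in sorted(os.listdir(daemon_dir)):
        if not name.endswith(".plist"):
            continue
        with open(os.path.join(daemon_dir, name), "rb") as fh:
            plist = plistlib.load(fh)
        args = plist.get("ProgramArguments") or []
        exe = plist.get("Program") or (args[0] if args else "")
        reasons = []
        if plist.get("Label") in KNOWN_LABELS:
            reasons.append("known label " + plist["Label"])
        hits = {os.path.basename(p) for p in [exe] + args} & KNOWN_NAMES
        if hits:
            reasons.append("known file name " + ", ".join(sorted(hits)))
        if os.path.isfile(exe) and looks_like_qemu(exe):
            reasons.append("executable embeds QEMU strings")
        if reasons:
            findings[name] = reasons
    return findings

def build_sample_dir():
    """Constructed sample: 'Nigel' mimics a renamed QEMU build, 'backup' is benign."""
    root = tempfile.mkdtemp()
    for fname, blob in (("Nigel", b"QEMU emulator version X.Y\x00"), ("backup", b"nothing here\x00")):
        with open(os.path.join(root, fname), "wb") as fh:
            fh.write(blob)
    for fname, label, args in (("com.Dail.plist", "com.Dail", ["Nigel", "Poaceae"]),
                               ("com.example.backup.plist", "com.example.backup", ["backup"])):
        plist = {"Label": label, "ProgramArguments": [os.path.join(root, a) for a in args]}
        with open(os.path.join(root, fname), "wb") as fh:
            plistlib.dump(plist, fh)
    return root
```

The benign daemon is left unflagged, while the Bird Miner-style one is reported with all three reasons, so the output doubles as a quick check that each indicator actually fires.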
Today's case is nothing more than a solid example of why piracy is not a good idea. Remember this before choosing to be a pirate: you will get infected most of the time.
We will continue to monitor this cybersecurity problem. Meanwhile, users should keep a keen eye out for any cyber attacks. Remember to use an antivirus for Windows or an antivirus for Mac on every device that you own, depending on which OS your machine is running. If you are a company, we recommend hiring a specialized cybersecurity company every year to run annual tests on your company's network; such tests include penetration testing and ethical hacking.