According to a Malwarebytes Labs blog post, the malware was discovered when a user noticed that a process called “mshelper” was consuming suspiciously large amounts of CPU time. The user said mshelper kept appearing near the top of the CPU tab in Activity Monitor. They noticed this after installing BitDefender, which repeatedly reported that mshelper was deleting it. The user tried Malwarebytes, which proved unhelpful.
One reader suggested running Etrecheck, which immediately identified the malware and allowed the victim to remove it.
Malware Components Identified
Malwarebytes Labs said other suspicious processes were also installed, and it was able to obtain copies of their files.
The “dropper” is the program that installs the malware. Mac malware is often installed through decoy documents that users open by mistake, downloads from pirate sites, and fake Adobe Flash Player installers. The dropper for this cryptominer was not found, but Malwarebytes Labs believes it to be a simple piece of malware.
The researchers located a launcher file called “pplauncher,” which is kept running by a launch daemon. Because installing a launch daemon requires root, the dropper likely had root privileges.
pplauncher was written in Golang for macOS, and its purpose is to install and start the miner process. Golang adds a certain amount of overhead, resulting in a binary file of more than 23,000 tasks. Using it for such a simple purpose suggests the creator is not highly knowledgeable about Macs.
The mshelper process appears to be an older version of XMRig, a legitimate miner that can be installed on Macs using Homebrew. Build information in the current XMRig indicates it was built on May 7, 2018 with clang 9.0.0.
The same information in the mshelper binary indicates it was built on March 26, 2018, also with clang 9.0.0.
Malwarebytes Labs concluded that mshelper is an older copy of XMRig being used to mine cryptocurrency for the attacker’s benefit. pplauncher supplies the miner’s command-line arguments, including a parameter that specifies the user.
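The indicators the article names (a process called mshelper or pplauncher, a launch daemon that keeps pplauncher resident, and a process pinning the CPU) are enough to write a small hunting check. The script below is an added example, not code from the Malwarebytes post; the process names come from the article, /Library/LaunchDaemons is the standard macOS location for system launch daemons, and the file paths, CPU threshold and sample process listing are constructed placeholders. It reads a `ps`-style listing on stdin and scans a directory of plists, so it can be exercised against constructed data as well as a live Mac.

```shell
#!/bin/sh
# Added example: hunt for the mshelper / pplauncher indicators described above.
# Process names are from the article; paths and sample data are constructed.

SUSPECT_NAMES="mshelper pplauncher"
LAUNCH_DAEMON_DIR="${LAUNCH_DAEMON_DIR:-/Library/LaunchDaemons}"

# Read "pid %cpu command" lines (e.g. from `ps -axo pid=,pcpu=,comm=`) on stdin
# and print the ones whose executable name matches a suspect name.
find_suspect_processes() {
  while read -r pid cpu comm; do
    [ -n "$comm" ] || continue
    base=${comm##*/}
    for name in $SUSPECT_NAMES; do
      if [ "$base" = "$name" ]; then
        printf '%s %s %s\n' "$pid" "$cpu" "$comm"
        break
      fi
    done
  done
}

# Same input format; print processes using more CPU than the threshold (percent).
# This is the Activity Monitor symptom the user noticed, reduced to a filter.
find_high_cpu_processes() {
  threshold=${1:-80}
  awk -v t="$threshold" 'NF >= 3 && ($2 + 0) > t { print $1, $2, $3 }'
}

# Print every plist in the given directory that references a suspect binary,
# which is how pplauncher stayed resident as a launch daemon.
find_suspect_daemons() {
  dir=${1:-$LAUNCH_DAEMON_DIR}
  for plist in "$dir"/*.plist; do
    [ -f "$plist" ] || continue
    for name in $SUSPECT_NAMES; do
      if grep -q "$name" "$plist"; then
        printf '%s\n' "$plist"
        break
      fi
    done
  done
}

# Constructed sample listing (paths are placeholders, not real indicators).
SAMPLE_PS='1 0.0 /sbin/launchd
412 1.3 /Applications/Safari.app/Contents/MacOS/Safari
733 97.5 /tmp/example/mshelper
735 0.2 /tmp/example/pplauncher'

# Demo run against the constructed data; on a real Mac replace the sample
# listing with `ps -axo pid=,pcpu=,comm=` and drop the directory argument.
main() {
  echo "== suspect processes =="
  printf '%s\n' "$SAMPLE_PS" | find_suspect_processes
  echo "== processes above 80% CPU =="
  printf '%s\n' "$SAMPLE_PS" | find_high_cpu_processes 80

  tmpdir=$(mktemp -d)
  cat > "$tmpdir/com.example.pplauncher.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.pplauncher</string>
  <key>ProgramArguments</key><array><string>/tmp/example/pplauncher</string></array>
  <key>KeepAlive</key><true/>
</dict></plist>
EOF
  echo "== suspect launch daemons in $tmpdir =="
  find_suspect_daemons "$tmpdir"
  rm -rf "$tmpdir"
}

main
```

The name match is deliberately exact on the executable's basename rather than a substring, so a legitimate binary whose path merely contains "helper" is not flagged; the plist scan, by contrast, uses a substring match because a daemon's ProgramArguments may wrap the binary in a full path. Treat a hit as a lead to confirm with the binary's build information, as the researchers did, not as proof on its own.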
The researchers said the mining malware is not dangerous unless the user’s Mac has damaged fans or clogged vents, in which case the sustained load can cause overheating.
mshelper itself is a legitimate tool that someone is abusing, but it still needs to be removed, along with the rest of the malware.
The new malware, now known as OSX.ppminer, joins other macOS cryptominers such as CreativeUpdate, CpuMeaner and Pwnet.