Pirated Final Cut Pro infects your Mac with cryptomining malware

Security researchers discovered a cryptomining operation targeting macOS with a malicious version of Final Cut Pro that remains largely undetected by antivirus engines.

They found that the malicious variant was distributed over torrent and executed the XMRig utility that mines for Monero cryptocurrency.

Evolution of a macOS threat

The Jamf Threat Labs team found this particular macOS threat and tracked it to malicious torrents shared over The Pirate Bay by a user named wtfisthat34698409672.

It appears that the user had been uploading other macOS apps like Adobe Photoshop and Logic Pro X since 2019, all of them containing a payload for cryptocurrency mining.

Deeper analysis led the researchers to the conclusion that the malware had undergone three major development stages, each time adding more complex evasion techniques.

The three generations of the macOS malware
The three generations of the macOS malware (Jamf)

Notably, security tools today consistently detect only the first generation of the threat, which stopped circulating in April 2021.

From the first generation, the malware used an i2p (Invisible Internet Project) network layer for command and control (C2) communications to anonymize traffic. This feature persists across all versions of the malware.

Infection chain diagram
Infection chain diagram (Jamf)

The second generation of the malware appeared relatively briefly between April 2021 and October 2021, featuring base 64 encoding for executables hidden in the app bundle.

Base64 encoded blobs and shell commands in executable
Base64 encoded blobs and shell commands in executable (Jamf)

The third and current generation appeared on October 2021. Starting from May 2022, it became the only variant distributed in the wild. A new feature of this variant is that it can disguise its malicious processes as system processes on Spotlight to evade detection.

Moreover, the latest version incorporates a script that constantly checks for the Activity Monitor, and if it’s launched, it immediately terminates all of its processes to remain hidden from the user’s inspections.

Anti-Activity Monitor script
Anti-Activity Monitor script (Jamf)

Ventura and the road ahead

The latest version of macOS, codenamed “Ventura,” introduces more stringent code-signing checks that threaten to make hiding and launching malware from inside user-launched apps, especially pirated ones, ineffective.

In this case, the pirates modified Final Cut Pro only partially, keeping the original code-signing certificate intact. However, Ventura still invalidated it because it detected a modification in the software content.

However, this only prevented the legitimate application from running, not the cryptocurrency miner, so Apple’s new security system still has some way to go to protect the user effectively.

In conclusion, the recommendation is to avoid downloading pirated software from peer-to-peer networks, as these are almost always ridden with malware or adware.