{"id":79138,"date":"2018-05-29T10:50:14","date_gmt":"2018-05-29T17:50:14","guid":{"rendered":"https:\/\/www.intego.com\/mac-security-blog\/?p=79138"},"modified":"2021-05-03T09:19:28","modified_gmt":"2021-05-03T16:19:28","slug":"cryptominer-mshelper-targets-macos-what-you-need-to-know","status":"publish","type":"post","link":"https:\/\/www.intego.com\/mac-security-blog\/cryptominer-mshelper-targets-macos-what-you-need-to-know\/","title":{"rendered":"Cryptominer &#8216;mshelper&#8217; Targets macOS: What You Need to Know"},"content":{"rendered":"<p><a href=\"https:\/\/www.intego.com\/mac-security-blog\/cryptominer-mshelper-targets-macos-what-you-need-to-know\/mshelper-cryptomining-malware\/\" rel=\"attachment wp-att-79243\"><img loading=\"lazy\" class=\"aligncenter size-full wp-image-79243\" src=\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2018\/05\/mshelper-cryptomining-malware.png\" alt=\"Cryptominer mshelper Targets macOS\" width=\"600\" height=\"300\" srcset=\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2018\/05\/mshelper-cryptomining-malware.png 600w, https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2018\/05\/mshelper-cryptomining-malware-150x75.png 150w, https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2018\/05\/mshelper-cryptomining-malware-300x150.png 300w\" sizes=\"(max-width: 600px) 100vw, 600px\" \/><\/a><\/p>\n<p>Discussions\u00a0of a CPU consuming process, called &#8220;mshelper,&#8221; have\u00a0surfaced on the <a href=\"https:\/\/discussions.apple.com\/thread\/8392063\" target=\"_blank\" rel=\"noopener\">Apple support forums<\/a> and <a href=\"https:\/\/www.reddit.com\/r\/apple\/comments\/8kboh1\/has_your_macbook_battery_life_become_much_worse\/\" target=\"_blank\" rel=\"noopener\">Reddit<\/a>. Users mentioned their\u00a0fans spinning unusually fast, computers running hotter than usual and performance taking a hit as a\u00a0result of the mshelper process. Upon further investigation, this process\u00a0turns out to be a cryptominer for macOS.\u00a0<a href=\"https:\/\/www.intego.com\/antivirus-mac-internet-security\">Intego VirusBarrier<\/a> detects and eradicates this malware as <strong>OSX\/mshelper<\/strong>.<\/p>\n<p>This isn&#8217;t the first time <a href=\"https:\/\/www.intego.com\/mac-security-blog\/unwanted-cryptomining-debuts-briefly-in-mac-app-store\/\" target=\"_blank\" rel=\"noopener\">unwanted cryptomining malware<\/a> have been found running on Macs\u2014and likely won&#8217;t be the last time either. You may recall a recent Intego YouTube video in which we\u00a0discuss how to avoid cryptomining malware and protect your Mac:<\/p>\n<p><span class=\"embed-youtube\" style=\"text-align:center; display: block;\"><iframe loading=\"lazy\" class=\"youtube-player\" width=\"640\" height=\"360\" src=\"https:\/\/www.youtube.com\/embed\/3DW_MaoCmGU?version=3&#038;rel=1&#038;showsearch=0&#038;showinfo=1&#038;iv_load_policy=1&#038;fs=1&#038;hl=en-US&#038;autohide=2&#038;start=3&#038;wmode=transparent\" allowfullscreen=\"true\" style=\"border:0;\" sandbox=\"allow-scripts allow-same-origin allow-popups allow-presentation\"><\/iframe><\/span><\/p>\n<p>The video explains\u00a0how you can tell if your Mac is infected, such as high CPU usage, and outlines steps you can take to remove persistent cryptomining malware.<\/p>\n<p>If you find mshelper running on your Mac, you&#8217;ll want to remove it immediately to avoid further system degradation.\u00a0Here&#8217;s how the mshelper cryptominer\u00a0works and how to remove it from your system.<\/p>\n<h3>What is the infection vector?<\/h3>\n<p>That is still unknown, but all of the usual suspects can be the culprit here. Twice this new mshelper process has popped up where logs indicate Adobe Flash Player was recently installed. This does not mean mshelper comes from a fake Adobe Flash Player installer, but it is the number one suspect at the moment. <strong>(<a href=\"https:\/\/www.intego.com\/mac-security-blog\/why-bittorrent-sites-are-a-malware-cesspool\/\" target=\"_blank\" rel=\"noopener\">RELATED: Why BitTorrent Sites Are a Malware Cesspool.<\/a>)<\/strong><\/p>\n<h3>What does mshelper do?<\/h3>\n<p>The reason so much processing power is used by mshelper is because the process is a cryptocurrency miner. It uses your Mac&#8217;s horsepower to crunch numbers and mine Monero cryptocurrency for whomever created the malware. Spreading the mining process over hundreds or even thousands of computers increases the odds of the malware author to make money, but going about it the way mshelper does meant the exercise was doomed from the start.<\/p>\n<p>By consuming the maximum amount of processing power, mshelper was, of course, destined to be detected very soon. It doesn&#8217;t care if you are using your Mac and need the processing power for other tasks, and it doesn&#8217;t lurk in hiding and\u00a0wait for your Mac to be idle before mining. Instead, it starts mining full blast and doesn&#8217;t stop until the\u00a0victim\u00a0removes it from their Mac. In testing, at minimum mshelper used 50% of the available processor cores at all times.<\/p>\n<p>A LaunchDaemon is installed that ensures the miner starts after a logout or reboot, and mshelper maintains a connection with xmr-us-east1.nanopool[.]org on TCP port 14444. Connections to other IP addresses and hosts were also observed, one of them being 100.ip-142-44-242[.]net on the same TCP port number.<\/p>\n<p><img loading=\"lazy\" class=\"size-full wp-image-79144 aligncenter\" src=\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2018\/05\/mshelper-files-and-ports.png\" alt=\"\" width=\"676\" height=\"822\" srcset=\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2018\/05\/mshelper-files-and-ports.png 676w, https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2018\/05\/mshelper-files-and-ports-123x150.png 123w, https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2018\/05\/mshelper-files-and-ports-247x300.png 247w, https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2018\/05\/mshelper-files-and-ports-657x799.png 657w\" sizes=\"(max-width: 676px) 100vw, 676px\" \/><\/p>\n<h3>Should Mac users be concerned about mshelper?<\/h3>\n<p>While mshelper is mostly harmless, the biggest concern is\u00a0how it lands\u00a0on a system. A fake Adobe Flash Player, infected installer that came from a BitTorrent website, or even a hijacked legitimate installer that came from the original source are all potential infection vectors. As the infection vector is unknown, one should follow best security practices and have anti-virus and firewall protection installed on their system to stop malware in its tracks.<\/p>\n<h3>How to tell if your Mac is infected (and removal instructions)<\/h3>\n<p>The biggest giveaway indicating your Mac is infected with mshelper is the sudden increase in fan noise or heat, as the processor is tasked with mining Monero. An impact in CPU performance will also likely be noticeable. Luckily, mshelper is nothing sophisticated and is fairly easy to get rid of.<\/p>\n<p>First, open <strong>Applications<\/strong> &gt; <strong>Utilities<\/strong> &gt; <strong>Activity Monitor<\/strong>. Click in the search field at the top right side of the window and type in <em>mshelper<\/em>. If mshleper is running on your system, it will show in the list and can be seen using a decent chunk of processing power.<\/p>\n<p><img loading=\"lazy\" class=\"size-full wp-image-79150 aligncenter\" src=\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2018\/05\/mshelper-activitymonitor.png\" alt=\"\" width=\"800\" height=\"123\" srcset=\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2018\/05\/mshelper-activitymonitor.png 800w, https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2018\/05\/mshelper-activitymonitor-150x23.png 150w, https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2018\/05\/mshelper-activitymonitor-300x46.png 300w, https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2018\/05\/mshelper-activitymonitor-768x118.png 768w, https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2018\/05\/mshelper-activitymonitor-657x101.png 657w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/><\/p>\n<p>Highlight the mshelper process by clicking on it once, and then click the X button above it to stop the process.<\/p>\n<p>With the processor back under your control, it&#8217;s time to track down the components and remove them. For <a href=\"https:\/\/www.intego.com\/antivirus-mac-internet-security\">Intego VirusBarrier<\/a> users, this is as simple as running a scan of the system and removing all the mshelper components that the anti-virus detects, identified\u00a0as <strong>OSX\/mshelper<\/strong>.<\/p>\n<p>For those that do not use VirusBarrier and want to manually check for infection, here is the list of components to look for:<\/p>\n<p><strong>Library<\/strong> &gt; <strong>LaunchDaemons<\/strong> &gt; <span style=\"color: #993300;\"><strong>com.pplauncher.plist <\/strong><span style=\"color: #000000;\">(file)<\/span><strong><br \/>\n<\/strong><span style=\"color: #000000;\"><strong>Library<\/strong> &gt; <strong>Application Support<\/strong> &gt;<\/span> <strong>pplauncher <\/strong><span style=\"color: #000000;\">(folder)<\/span><span style=\"color: #000000;\"><br \/>\n<\/span><\/span><strong>private<\/strong> &gt; <strong>tmp<\/strong> &gt; <span style=\"color: #993300;\"><strong>mshelper<\/strong><\/span> (folder) this is a temporary directory mshelper is installed in but should still be checked.<\/p>\n<p>The private and tmp directories are hidden by macOS, so to search there you will have to use &#8220;Go to Folder&#8221; from the Finder&#8217;s Go menu. Then simply type\u00a0the following:<\/p>\n<blockquote><p>\/private\/tmp\/<\/p><\/blockquote>\n<p>or<\/p>\n<blockquote><p>\/tmp\/<\/p><\/blockquote>\n<p><img loading=\"lazy\" class=\"size-full wp-image-79156 aligncenter\" src=\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2018\/05\/gotofolder.png\" alt=\"\" width=\"431\" height=\"128\" srcset=\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2018\/05\/gotofolder.png 431w, https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2018\/05\/gotofolder-150x45.png 150w, https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2018\/05\/gotofolder-300x89.png 300w\" sizes=\"(max-width: 431px) 100vw, 431px\" \/><\/p>\n<p>Both commands will land you in the same folder. Now you can search for the mshelper folder and delete it.<\/p>\n<p>If any of the above components were found, delete them and empty your Mac&#8217;s\u00a0Trash. Now simply restart your Mac, and the irregular processor \/ fan behavior should be back to normal.<\/p>\n<h3>How to protect yourself from mshelper<\/h3>\n<p>When the infection vector is known for a particular strain of malware, it&#8217;s easy to say, &#8220;Avoid this document&#8221; or &#8220;never open this installer.&#8221; In this case, the source of mshelper is unknown, but\u00a0we still feel it&#8217;s important to issue a\u00a0general warning for Mac users, even if the infection vector is currently unknown. This circles back to the often mentioned <a href=\"https:\/\/www.intego.com\/mac-security-blog\/targeted-malware-attacks-and-the-importance-of-layered-protection\/\" target=\"_blank\" rel=\"noopener\">layered security<\/a> and <a href=\"https:\/\/www.intego.com\/mac-security-blog\/15-mac-hardening-security-tips-to-protect-your-privacy\/\" target=\"_blank\" rel=\"noopener\">best practices to harden your Mac<\/a>. In a nutshell, these are:<\/p>\n<p><strong>Use an antivirus solution<\/strong><\/p>\n<p>Malware comes in all shapes and sizes and a good antivirus solution will catch them as soon as their signatures are known.<\/p>\n<p><img loading=\"lazy\" class=\"size-full wp-image-79162 aligncenter\" src=\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2018\/05\/VirusBarrier-alert-mshelper.png\" alt=\"\" width=\"634\" height=\"299\" srcset=\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2018\/05\/VirusBarrier-alert-mshelper.png 634w, https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2018\/05\/VirusBarrier-alert-mshelper-150x71.png 150w, https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2018\/05\/VirusBarrier-alert-mshelper-300x141.png 300w\" sizes=\"(max-width: 634px) 100vw, 634px\" \/><\/p>\n<p><strong>Use a firewall<\/strong><\/p>\n<p>A good firewall monitors not just the incoming traffic, but the <a href=\"https:\/\/www.intego.com\/mac-security-blog\/why-you-need-an-outbound-firewall\/\" target=\"_blank\" rel=\"noopener\">outgoing traffic<\/a> as well. Malware will always call home sooner or later, and a firewall can catch this connection request and alert you about it. In the case of mshelper, Intego NetBarrier alerted me to its presence before I even had a chance to scan the test system.<\/p>\n<p><img loading=\"lazy\" class=\"size-full wp-image-79168 aligncenter\" src=\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2018\/05\/NetBarrier-alert-mshleper.png\" alt=\"\" width=\"668\" height=\"320\" srcset=\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2018\/05\/NetBarrier-alert-mshleper.png 668w, https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2018\/05\/NetBarrier-alert-mshleper-150x72.png 150w, https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2018\/05\/NetBarrier-alert-mshleper-300x144.png 300w, https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2018\/05\/NetBarrier-alert-mshleper-657x315.png 657w\" sizes=\"(max-width: 668px) 100vw, 668px\" \/><\/p>\n<p><strong>Only install\u00a0software from its\u00a0original source<\/strong><\/p>\n<p>Whether installing\u00a0Adobe Flash Player, Adobe Photoshop, Microsoft Office or a browser extension, always be sure to get it from the original source. If a website prompts you to install a\u00a0software\u00a0update, make note of it and close the window. Then go to the source and download the latest update to your software, if one is indeed available. Using the built-in updater most applications now have is also a good option.<\/p>\n<p>Discontinuing the use of Adobe Flash Player is not only a good idea in terms of security, but it also makes the fake browser popups stating you need to update Flash Player obviously fake. As you don&#8217;t have Adobe Flash Player installed, any prompt for a Flash Player update will be fake!<\/p>\n<p><em><strong>Have something to say about this story? Share your comments below!<\/strong><\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Discussions\u00a0of a CPU consuming process, called &#8220;mshelper,&#8221; have\u00a0surfaced on the Apple support forums and Reddit. Users mentioned their\u00a0fans spinning unusually fast, computers running hotter than usual and performance taking a hit as a\u00a0result of the mshelper process. Upon further investigation, this process\u00a0turns out to be a cryptominer for macOS.\u00a0Intego VirusBarrier detects and eradicates this malware [&hellip;]<\/p>\n","protected":false},"author":79,"featured_media":79249,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"spay_email":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false},"categories":[190,151],"tags":[3985,4162,4156,4159,3988,4153,4150],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v17.4 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<meta name=\"description\" content=\"Discussions\u00a0of a CPU consuming process, called &quot;mshelper,&quot; have\u00a0surfaced on the Apple support forums and Reddit. Users mentioned their\u00a0fans spinning\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.intego.com\/mac-security-blog\/cryptominer-mshelper-targets-macos-what-you-need-to-know\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Cryptominer &#039;mshelper&#039; Targets macOS: What You Need to Know - The Mac Security Blog\" \/>\n<meta property=\"og:description\" content=\"Discussions\u00a0of a CPU consuming process, called &quot;mshelper,&quot; have\u00a0surfaced on the Apple support forums and Reddit. Users mentioned their\u00a0fans spinning\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.intego.com\/mac-security-blog\/cryptominer-mshelper-targets-macos-what-you-need-to-know\/\" \/>\n<meta property=\"og:site_name\" content=\"The Mac Security Blog\" \/>\n<meta property=\"article:published_time\" content=\"2018-05-29T17:50:14+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2021-05-03T16:19:28+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2018\/05\/mshelper-macOS-Malware.png\" \/>\n\t<meta property=\"og:image:width\" content=\"400\" \/>\n\t<meta property=\"og:image:height\" content=\"260\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Jay Vrijenhoek\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"6 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/#organization\",\"name\":\"Intego\",\"url\":\"https:\/\/www.intego.com\/mac-security-blog\/\",\"sameAs\":[],\"logo\":{\"@type\":\"ImageObject\",\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/#logo\",\"inLanguage\":\"en-US\",\"url\":\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2022\/10\/intego-organization-logo-for-google-knowledge-graph-875x875-1.png\",\"contentUrl\":\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2022\/10\/intego-organization-logo-for-google-knowledge-graph-875x875-1.png\",\"width\":875,\"height\":875,\"caption\":\"Intego\"},\"image\":{\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/#logo\"}},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/#website\",\"url\":\"https:\/\/www.intego.com\/mac-security-blog\/\",\"name\":\"The Mac Security Blog\",\"description\":\"Keep Macs safe from the dangers of the Internet\",\"publisher\":{\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.intego.com\/mac-security-blog\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"ImageObject\",\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/cryptominer-mshelper-targets-macos-what-you-need-to-know\/#primaryimage\",\"inLanguage\":\"en-US\",\"url\":\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2018\/05\/mshelper-macOS-Malware.png\",\"contentUrl\":\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2018\/05\/mshelper-macOS-Malware.png\",\"width\":400,\"height\":260,\"caption\":\"mshelper macOS Malware\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/cryptominer-mshelper-targets-macos-what-you-need-to-know\/#webpage\",\"url\":\"https:\/\/www.intego.com\/mac-security-blog\/cryptominer-mshelper-targets-macos-what-you-need-to-know\/\",\"name\":\"Cryptominer 'mshelper' Targets macOS: What You Need to Know - The Mac Security Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/cryptominer-mshelper-targets-macos-what-you-need-to-know\/#primaryimage\"},\"datePublished\":\"2018-05-29T17:50:14+00:00\",\"dateModified\":\"2021-05-03T16:19:28+00:00\",\"description\":\"Discussions\\u00a0of a CPU consuming process, called \\\"mshelper,\\\" have\\u00a0surfaced on the Apple support forums and Reddit. Users mentioned their\\u00a0fans spinning\",\"breadcrumb\":{\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/cryptominer-mshelper-targets-macos-what-you-need-to-know\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.intego.com\/mac-security-blog\/cryptominer-mshelper-targets-macos-what-you-need-to-know\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/cryptominer-mshelper-targets-macos-what-you-need-to-know\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.intego.com\/mac-security-blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Cryptominer &#8216;mshelper&#8217; Targets macOS: What You Need to Know\"}]},{\"@type\":\"Article\",\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/cryptominer-mshelper-targets-macos-what-you-need-to-know\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/cryptominer-mshelper-targets-macos-what-you-need-to-know\/#webpage\"},\"author\":{\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/#\/schema\/person\/0106660ab83668e429deecc051dfa8c0\"},\"headline\":\"Cryptominer &#8216;mshelper&#8217; Targets macOS: What You Need to Know\",\"datePublished\":\"2018-05-29T17:50:14+00:00\",\"dateModified\":\"2021-05-03T16:19:28+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/cryptominer-mshelper-targets-macos-what-you-need-to-know\/#webpage\"},\"wordCount\":1176,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/cryptominer-mshelper-targets-macos-what-you-need-to-know\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2018\/05\/mshelper-macOS-Malware.png\",\"keywords\":[\"Cryptocurrency\",\"Cryptojacking\",\"Cryptominer\",\"Cryptomining\",\"Monero\",\"mshelper\",\"OSX\/mshelper\"],\"articleSection\":[\"Malware\",\"Recommended\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/www.intego.com\/mac-security-blog\/cryptominer-mshelper-targets-macos-what-you-need-to-know\/#respond\"]}]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/#\/schema\/person\/0106660ab83668e429deecc051dfa8c0\",\"name\":\"Jay Vrijenhoek\",\"image\":{\"@type\":\"ImageObject\",\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/#personlogo\",\"inLanguage\":\"en-US\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/8f43effd03d0bb31acff4b88613f0d4a?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/8f43effd03d0bb31acff4b88613f0d4a?s=96&d=mm&r=g\",\"caption\":\"Jay Vrijenhoek\"},\"description\":\"Jay Vrijenhoek is an IT consultant with a passion for Mac security research.\",\"url\":\"https:\/\/www.intego.com\/mac-security-blog\/author\/jay-vrijenhoek\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"description":"Discussions\u00a0of a CPU consuming process, called \"mshelper,\" have\u00a0surfaced on the Apple support forums and Reddit. Users mentioned their\u00a0fans spinning","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.intego.com\/mac-security-blog\/cryptominer-mshelper-targets-macos-what-you-need-to-know\/","og_locale":"en_US","og_type":"article","og_title":"Cryptominer 'mshelper' Targets macOS: What You Need to Know - The Mac Security Blog","og_description":"Discussions\u00a0of a CPU consuming process, called \"mshelper,\" have\u00a0surfaced on the Apple support forums and Reddit. Users mentioned their\u00a0fans spinning","og_url":"https:\/\/www.intego.com\/mac-security-blog\/cryptominer-mshelper-targets-macos-what-you-need-to-know\/","og_site_name":"The Mac Security Blog","article_published_time":"2018-05-29T17:50:14+00:00","article_modified_time":"2021-05-03T16:19:28+00:00","og_image":[{"width":400,"height":260,"url":"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2018\/05\/mshelper-macOS-Malware.png","type":"image\/png"}],"twitter_card":"summary_large_image","twitter_misc":{"Written by":"Jay Vrijenhoek","Est. reading time":"6 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Organization","@id":"https:\/\/www.intego.com\/mac-security-blog\/#organization","name":"Intego","url":"https:\/\/www.intego.com\/mac-security-blog\/","sameAs":[],"logo":{"@type":"ImageObject","@id":"https:\/\/www.intego.com\/mac-security-blog\/#logo","inLanguage":"en-US","url":"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2022\/10\/intego-organization-logo-for-google-knowledge-graph-875x875-1.png","contentUrl":"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2022\/10\/intego-organization-logo-for-google-knowledge-graph-875x875-1.png","width":875,"height":875,"caption":"Intego"},"image":{"@id":"https:\/\/www.intego.com\/mac-security-blog\/#logo"}},{"@type":"WebSite","@id":"https:\/\/www.intego.com\/mac-security-blog\/#website","url":"https:\/\/www.intego.com\/mac-security-blog\/","name":"The Mac Security Blog","description":"Keep Macs safe from the dangers of the Internet","publisher":{"@id":"https:\/\/www.intego.com\/mac-security-blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.intego.com\/mac-security-blog\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"ImageObject","@id":"https:\/\/www.intego.com\/mac-security-blog\/cryptominer-mshelper-targets-macos-what-you-need-to-know\/#primaryimage","inLanguage":"en-US","url":"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2018\/05\/mshelper-macOS-Malware.png","contentUrl":"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2018\/05\/mshelper-macOS-Malware.png","width":400,"height":260,"caption":"mshelper macOS Malware"},{"@type":"WebPage","@id":"https:\/\/www.intego.com\/mac-security-blog\/cryptominer-mshelper-targets-macos-what-you-need-to-know\/#webpage","url":"https:\/\/www.intego.com\/mac-security-blog\/cryptominer-mshelper-targets-macos-what-you-need-to-know\/","name":"Cryptominer 'mshelper' Targets macOS: What You Need to Know - The Mac Security Blog","isPartOf":{"@id":"https:\/\/www.intego.com\/mac-security-blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.intego.com\/mac-security-blog\/cryptominer-mshelper-targets-macos-what-you-need-to-know\/#primaryimage"},"datePublished":"2018-05-29T17:50:14+00:00","dateModified":"2021-05-03T16:19:28+00:00","description":"Discussions\u00a0of a CPU consuming process, called \"mshelper,\" have\u00a0surfaced on the Apple support forums and Reddit. Users mentioned their\u00a0fans spinning","breadcrumb":{"@id":"https:\/\/www.intego.com\/mac-security-blog\/cryptominer-mshelper-targets-macos-what-you-need-to-know\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.intego.com\/mac-security-blog\/cryptominer-mshelper-targets-macos-what-you-need-to-know\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.intego.com\/mac-security-blog\/cryptominer-mshelper-targets-macos-what-you-need-to-know\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.intego.com\/mac-security-blog\/"},{"@type":"ListItem","position":2,"name":"Cryptominer &#8216;mshelper&#8217; Targets macOS: What You Need to Know"}]},{"@type":"Article","@id":"https:\/\/www.intego.com\/mac-security-blog\/cryptominer-mshelper-targets-macos-what-you-need-to-know\/#article","isPartOf":{"@id":"https:\/\/www.intego.com\/mac-security-blog\/cryptominer-mshelper-targets-macos-what-you-need-to-know\/#webpage"},"author":{"@id":"https:\/\/www.intego.com\/mac-security-blog\/#\/schema\/person\/0106660ab83668e429deecc051dfa8c0"},"headline":"Cryptominer &#8216;mshelper&#8217; Targets macOS: What You Need to Know","datePublished":"2018-05-29T17:50:14+00:00","dateModified":"2021-05-03T16:19:28+00:00","mainEntityOfPage":{"@id":"https:\/\/www.intego.com\/mac-security-blog\/cryptominer-mshelper-targets-macos-what-you-need-to-know\/#webpage"},"wordCount":1176,"commentCount":0,"publisher":{"@id":"https:\/\/www.intego.com\/mac-security-blog\/#organization"},"image":{"@id":"https:\/\/www.intego.com\/mac-security-blog\/cryptominer-mshelper-targets-macos-what-you-need-to-know\/#primaryimage"},"thumbnailUrl":"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2018\/05\/mshelper-macOS-Malware.png","keywords":["Cryptocurrency","Cryptojacking","Cryptominer","Cryptomining","Monero","mshelper","OSX\/mshelper"],"articleSection":["Malware","Recommended"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.intego.com\/mac-security-blog\/cryptominer-mshelper-targets-macos-what-you-need-to-know\/#respond"]}]},{"@type":"Person","@id":"https:\/\/www.intego.com\/mac-security-blog\/#\/schema\/person\/0106660ab83668e429deecc051dfa8c0","name":"Jay Vrijenhoek","image":{"@type":"ImageObject","@id":"https:\/\/www.intego.com\/mac-security-blog\/#personlogo","inLanguage":"en-US","url":"https:\/\/secure.gravatar.com\/avatar\/8f43effd03d0bb31acff4b88613f0d4a?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/8f43effd03d0bb31acff4b88613f0d4a?s=96&d=mm&r=g","caption":"Jay Vrijenhoek"},"description":"Jay Vrijenhoek is an IT consultant with a passion for Mac security research.","url":"https:\/\/www.intego.com\/mac-security-blog\/author\/jay-vrijenhoek\/"}]}},"jetpack_featured_media_url":"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2018\/05\/mshelper-macOS-Malware.png","jetpack_publicize_connections":[],"jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p4VAYd-kAq","amp_enabled":true,"_links":{"self":[{"href":"https:\/\/origin.intego.com\/mac-security-blog\/wp-json\/wp\/v2\/posts\/79138"}],"collection":[{"href":"https:\/\/origin.intego.com\/mac-security-blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/origin.intego.com\/mac-security-blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/origin.intego.com\/mac-security-blog\/wp-json\/wp\/v2\/users\/79"}],"replies":[{"embeddable":true,"href":"https:\/\/origin.intego.com\/mac-security-blog\/wp-json\/wp\/v2\/comments?post=79138"}],"version-history":[{"count":25,"href":"https:\/\/origin.intego.com\/mac-security-blog\/wp-json\/wp\/v2\/posts\/79138\/revisions"}],"predecessor-version":[{"id":93679,"href":"https:\/\/origin.intego.com\/mac-security-blog\/wp-json\/wp\/v2\/posts\/79138\/revisions\/93679"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/origin.intego.com\/mac-security-blog\/wp-json\/wp\/v2\/media\/79249"}],"wp:attachment":[{"href":"https:\/\/origin.intego.com\/mac-security-blog\/wp-json\/wp\/v2\/media?parent=79138"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/origin.intego.com\/mac-security-blog\/wp-json\/wp\/v2\/categories?post=79138"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/origin.intego.com\/mac-security-blog\/wp-json\/wp\/v2\/tags?post=79138"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}