![\"\"](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2016\/03\/imac-malware-660x370.jpeg\")
<\/p>\n<\/p>\n
Mac malware continues to increase in both quantity and variety. In addition to Intego’s discovery of new\u00a0OSX\/Linker<\/a>\u00a0and OSX\/CrescentCore<\/a> Mac malware, several other active malware campaigns have been observed in June 2019, everything from a bizarre cryptocurrency miner to creepy backdoors that could allow an attacker to log your keystrokes, and more. Let’s take a look at some of the Mac malware we’ve seen in the wild in recent weeks.<\/p>\n In this article:<\/p>\n One of the malware families that spread through exploitation of this vulnerability was OSX\/Netwire<\/strong>, a successor to\u00a0OSX\/NetWeirdRC<\/strong> which Intego wrote about in 2012<\/a> and 2016<\/a>.\u00a0 The other malware family is identified as\u00a0OSX\/Mokes<\/strong>, which Intego also wrote about in 2016<\/a>. Both are “backdoor” malware, meaning that they have capabilities such as logging keystrokes and taking screenshots of an infected Mac, allowing an attacker to spy on their victims.<\/p>\n It’s worth noting that although the rudimentary XProtect malware detection system built into macOS was theoretically capable of detecting the OSX\/Netwire<\/strong> sample, in fact XProtect provided no protection whatsoever in this case. Malware installed via a vulnerability doesn’t get tagged with a “quarantine” flag, which means it isn’t on XProtect’s radar, which in turn means that the built-in malware defense in macOS is essentially worthless in such circumstances.<\/p>\n Full technical write-ups on these backdoors can be found in a series of articles by Patrick Wardle: Burned by Fire(fox)<\/strong> part 1<\/a>\u00a0and\u00a0part 2<\/a>\u00a0(about OSX\/Netwire<\/strong>), and part 3<\/a> (about OSX\/Mokes<\/strong>).<\/p>\n Mac users can protect themselves from the Firefox zero-day vulnerability by ensuring they’re using the latest version of the browser. To check for updates, click on the Firefox<\/strong> menu (next to the Apple logo menu in the top-left corner of the screen) and select About Firefox<\/strong>.<\/a><\/p>\n The pirated software comes with a parasite: cryptocurrency mining software that attempts to use your Mac’s processing power to make money for the digital pirates.<\/p>\n What’s particularly bizarre about this unwanted miner is that, rather than the mining software app running as a simple background process, the miner runs within an entire Linux operating system inside of a Qemu virtual machine. In other words, while you’re running macOS, another operating system boots up inside of macOS and starts running cryptomining software. It’s unclear whether the pirates were just lazy and trying to come up with a cross-platform solution that took little effort, or whether they were trying to use this technique to hide from antivirus software that might detect the miner if it were running natively on the infected computer.<\/p>\n Intego detects this threat as OSX\/LoudMiner<\/strong>. Full technical write-ups about this malware campaign were written by Michal Malik<\/a> and Thomas Reed<\/a>.<\/a><\/p>\n Intego has also added detection for OSX\/NewTab<\/strong>, malware that attempts to inject tabs into the Safari browser. The oldest known samples date back to April 21. Some of the file names are clear indicators of deception, including Related SHA-256 hashes for this malware include:<\/p>\n These additional VirusTotal searches can show more related samples: Mach-O binaries<\/a>, zip files 1<\/a>, zip files 2<\/a>.<\/p>\n Notably, none of the approximately 60 antivirus engines on VirusTotal is currently detecting this malware. Intego seems to be the first to add detection for this malware family.<\/p>\n Related:<\/strong> Intego discovered two other new Mac malware varieties and published about them this week:<\/a><\/p>\n OSX\/Linker: New Mac malware attempts zero-day Gatekeeper bypass<\/a><\/p><\/blockquote>\n\n
Firefox zero-day leveraged to spread OSX\/Netwire and OSX\/Mokes<\/h3>\n
![\"\"](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2019\/06\/Mozilla-Firefox-Quantum-logo-high-res-150x150.png\"){kind=logo}
A zero-day vulnerability in Firefox (CVE-2019-11707<\/a>) was leveraged by attackers to spread multiple types of Mac malware.<\/p>\nLoudMiner aka Bird Miner found in “cracked” VST installers<\/h3>\n
![\"\"](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2019\/06\/bird-with-megaphone-150x128.jpg\")
Two research teams independently discovered a strange cryptocurrency miner that was being distributed in pirated (“cracked”) copies of VST audio software, which appear to have been distributed through a blog site for several months\u2014perhaps as early as August or September 2018 based on Intego’s research.<\/p>\nIntego discovers OSX\/NewTab<\/h3>\n
Government Forms Online Installer.app.zip<\/code> and Quick N Easy Recipes Installer.app.zip<\/code>. All samples have an identifier of com.NTAppStubInstaller<\/a> and were digitally signed with the Apple Developer ID\u00a0cosmina beteringhe (HYC4353YBE)<\/a>. (A VirusTotal account is required to access these links.)<\/p>\n55da84cbe3131aa67a50a8a286e24aeb6f8fbeb765e72f6b01ef474e57e33282\r\nb3ef491a1ad3bd5e1bce13324af3d752afde8cbd33582fe757d7242c00216c66\r\n0e020581f1949efa19210c952c733fb6786f500d79018a9249fbbbde8ea5eb2a\r\n0e407472a382baaefbf59727f23e2fc232a816a27e552c94fd2a87e047f1ae81\r\n20c0a448b047a277364700ed30199da215cbf607b18f647fbf2b54ede8328f56\r\n315a3d80658282d60d300f63143762fd6f224d54e4147ef2e54f3e7e01a26f92\r\n444a00c67c9e64ff52dcb6945e0c52e30ca7d2661ba1f712ac15ebe0e5439261\r\n581bc362dc2409a786bdf44d5c44726ffd2506ead80a5da85463ccb214262f02\r\n75246e4ed536d6a34f3fa55f5ed3d5db57bb751c5bdf6d62e018fcfee5358e73\r\n8133e9c221b6dca42a08eed96b447155df45669edec53b8424ea1bedbe502829\r\n9633f16680bdbcfc55148ec49e8cc5e21839411ef23dfce022d356af9dd4b6df\r\n9ca3d6014d4691dd059acd56fde6a5f253ca0a90d4b4233f8b40f702cdc18671\r\nb6b44064eaa032d1b17ab6e3321d7193cd7d59e029a642c7bc22799e46d71ead\r\nbe2fe75df4679639fd42e01c2cfb8bfb4a3fbb496453d59bdcc3c8fd04161fcd\r\nc59fe3a145e3177ef9aab4095fea66e663827611cf3c6fd851da781458f7e637\r\nc7a58b136937b89287e8abca9ef589909d7dc3f51dd0f94547a5266473c8ee0c\r\ndf6d98870aca6607bc9aee774efbdb9e84834a9f718e03cc5d2dba21375b9f91\r\ne06cead4d754b0e990c5024d28d43500ddb241e79065ffb9b8a695f94c97d6a5<\/pre>\n