Many Mac users reported in the past few weeks that a process named “mshelper” had been eating up a lot of CPU power and draining their batteries. It turns out that the process is associated with a piece of malware designed to mine for Monero (XMR) cryptocurrency.
Researchers at Malwarebytes have analyzed the mshelper malware and while they haven’t been able to precisely determine how it’s distributed, they believe fake Flash Player installers, malicious documents or pirated software are likely involved rather than some other, more sophisticated, method.
Experts noticed that the launcher, a file named pplauncher, is kept active by a launch daemon (com.pplauncher.plist), which suggests that the dropper likely had root privileges on the compromised system. The launcher was developed in Golang and it’s relatively large (3.5 Mb).
“Using Golang introduces significant overhead, resulting in a binary file containing more than 23,000 functions. Using this for what appears to be simple functionality is probably a sign that the person who created it is not particularly familiar with Macs,” explained Malwarebytes’ Thomas Reed.
Once the launcher creates the mshelper process, the compromised device starts mining for Monero cryptocurrency on behalf of the cybercriminals who distribute the malware. The miner itself is a legitimate and open source mining tool named XMRig.
“This malware is not particularly dangerous, unless your Mac has a problem like damaged fans or dust-clogged vents that could cause overheating. Although the mshelper process is actually a legitimate piece of software being abused, it should still be removed along with the rest of the malware,” Reed said.
Based on reports from victims, anti-malware products initially either did not detect the threat at all or they could not completely remove the infection – the malware reappeared after a reboot. Now that news of the malware has spread, security companies have likely updated their products to ensure complete removal.
Alternatively, users can manually remove the malware by deleting these two files and rebooting their devices:
/Library/LaunchDaemons/com.pplauncher.plist
/Library/Application Support/pplauncher/pplauncher
This is not the only cryptocurrency miner delivered recently to Mac users. In February, Malwarebytes reported that a Monero miner had been delivered through malicious versions of applications available through the MacUpdate website.
Related: Supply Chain Attack Spreads macOS RAT
Related: Avoid Becoming a Crypto-Mining Bot – Where to Look for Mining Malware and How to Respond
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- Apple Denies Helping US Government Hack Russian iPhones
- Zero-Day in MOVEit File Transfer Software Exploited to Steal Data From Organizations
- Russia Blames US Intelligence for iOS Zero-Click Attacks
- Cisco Acquiring Armorblox for Predictive and Generative AI Technology
- Moxa Patches MXsecurity Vulnerabilities That Could Be Exploited in OT Attacks
- Organizations Warned of Salesforce ‘Ghost Sites’ Exposing Sensitive Information
- Organizations Warned of Backdoor Feature in Hundreds of Gigabyte Motherboards
- Barracuda Zero-Day Exploited to Deliver Malware for Months Before Discovery
Latest News
- Information of 2.5M People Stolen in Ransomware Attack at Massachusetts Health Insurer
- US, South Korea Detail North Korea’s Social Engineering Techniques
- High-Severity Vulnerabilities Patched in Splunk Enterprise
- Idaho Hospitals Working to Resume Full Operations After Cyberattack
- Enzo Biochem Ransomware Attack Exposes Information of 2.5M Individuals
- Apple Denies Helping US Government Hack Russian iPhones
- Zero-Day in MOVEit File Transfer Software Exploited to Steal Data From Organizations
- Google Temporarily Offering $180,000 for Full Chain Chrome Exploit
