Threat actors have been leveraging pirated versions of legitimate Mac software to compromise devices with cryptojacking malware, SecurityWeek reports.
Jamf researchers discovered that torrents for Final Cut Pro, Logic Pro, and Photoshop, uploaded to The Pirate Bay by the user wtfisthat34698409672, have been used to distribute the XMRig cryptocurrency miner. Further examination revealed three generations of the malware used to trojanize the Mac applications, with the initial iteration first appearing in August 2019. While the first-generation malware was not intended to be stealthy, the second generation hid more of its files but dropped persistence in an attempt to evade detection. The third generation goes further in obfuscation: it consists only of a large binary whose components are base64-encoded and LZMA-compressed.
"At the time of writing, the pirated Photoshop uploaded by wtfisthat34698409672 still successfully launches both the malicious and working components on the latest version of macOS Ventura 13.2 and earlier. This seems to be due to a minor difference in how the executable in the working copy of Photoshop is called compared to how the Final Cut and Logic Pro executables are launched. These could likely be restored to working order with minor adjustments from the malware author," said researchers.