Security researchers have uncovered a largely undetected Mac-based malware that’s been circulating through pirated software downloads.
The findings come from security provider Jamf, which discovered the malware on a bootleg version of Apple's Final Cut Pro video-editing software, which normally costs $299.99.
Jamf first spotted the malware secretly mining cryptocurrency on a customer’s Mac computer. "This particular sample was not detected as malicious by any security vendors on VirusTotal. Since January 2023, a handful of vendors have detected the malware,” it said.
Since the malware arrived through an unauthorized and modified version of Final Cut Pro, Jamf turned to The Pirate Bay, a website notorious for offering bootleg software through torrents.
“We downloaded the most recent torrent (for Final Cut Pro) with the highest number of seeders and checked the hash of the application executable. It matched the hash of the infected Final Cut Pro we had discovered in the wild. We now had our answer,” the security researchers said.
According to Jamf, an uploader on The Pirate Bay named “wtfisthat34698409672”—who has a years-long history of posting bootleg Mac software—is responsible for not only circulating the malware, but also pushing other variants of the malicious code. This includes posting malware-laden versions of Logic Pro and Photoshop.
“Furthermore, we found that virtually every one of the dozens of uploads that began in 2019 was compromised with a malicious payload to surreptitiously mine cryptocurrency,” Jamf said.
The malware itself shares similarities with another sample that antivirus provider Trend Micro discovered a year ago. At the time, Trend Micro wasn’t able to uncover the exact source, but it did speculate the infection came from an Adobe Photoshop CC installation.
Jamf says the malware has been evolving since 2019, when the hacker initially began uploading the pirated but malicious Mac software. Interestingly, the malware contains a feature that’ll check whether the user has accessed the Mac’s Activity Monitor app, which can show CPU usage.
“If it finds the Activity Monitor, it immediately terminates all of its malicious processes,” Jamf said. “As a result, if the victim notices that their CPU is running hotter than normal while unwittingly mining crypto for the attacker, and opens the Activity Monitor to confirm their suspicion, the malware stops its activity and hides until the next time the victim launches the application.”
However, Jamf found the malware can struggle to run on the newly launched macOS Ventura, thanks to new security safeguards in the operating system. The pirated version of Final Cut Pro will fail to launch on macOS Ventura, resulting in an error message. That said, the cryptocurrency miner secretly embedded in the pirated software can still execute.
Jamf also noted the hacker could upgrade the malware to try and bypass the security restrictions in macOS Ventura. “At the time of writing, the pirated Photoshop uploaded by wtfisthat34698409672 still successfully launches both the malicious and working components on the latest version of macOS Ventura 13.2 and earlier,” the company added.
The research is a reminder to be careful downloading pirated products. Bootleg software has long been a way hackers can sneak malware onto computers. The uploader wtfisthat34698409672 remains active on The Pirate Bay.