Hackers using pirated Final Cut Pro to install cryptominers on Apple devices
Hackers are using pirated versions of video editing software Final Cut Pro to install malicious cryptomining software on Apple devices, according to a new report.
Researchers at device management company Jamf said they have been monitoring a family of malware that has resurfaced over the past few months and has been operating undetected.
Jaron Bradley, senior manager of MacOS detections at the Minneapolis-based firm, told The Record that malware disguised as or embedded inside of pirated applications has been an issue since the early days of software pirating.
“Attackers see an easy opportunity when they don’t have to convince users to run their malware, but rather the users come to them willing to install something they know is illegal,” he said.
Final Cut Pro, a popular suite of video-editing tools, costs about $300 for Apple users.
“Apple is at a bit of a disadvantage in this particular scenario as users who opt to run pirated software have essentially already accepted that getting applications for free is worth the risk of whatever threat the application may pose,” Bradley said.
The cryptomining tool – named XMRig – can be legitimately used to mine cryptocurrency on one’s own devices, but is adaptable and has been widely abused by cybercriminals.
In the examples Jamf examined, hackers modified a version of Final Cut Pro to execute XMRig in the background. At the time of its discovery, Jamf said the sample was not detected as malicious by any security vendors on VirusTotal — a platform used to catalog malware. Since January, however, several vendors have begun to detect the malware.
Jamf researchers noted that most of the malware that typically targets Mac operating systems is adware, unwanted software designed to put advertisements onscreen, typically within a web browser. The cybercriminals profit when victims click on the ads.
Yet in recent months researchers have found more instances of cryptomining targeting Mac users. Most Macs now come equipped with powerful ARM processors, which make them attractive targets for the malware, Jamf researchers said. Miners solve complex math problems for the chance to receive new coins such as bitcoin or Ethereum.
Under the radar
The researchers traced the tainted software back to Pirate Bay, which allows people to download content and programs illegally. They saw that it was uploaded by someone who had spent years sharing pirated macOS software, and many of those uploads were among the most widely shared versions of their respective titles.
After examining each file, the researchers found that all of the person’s uploads since 2019 were compromised with malicious cryptomining malware.
According to Bradley, what jumped out to his team the most was the inability of antivirus vendors to detect the malware even though some of the details around it have been shared in the past. The researchers were able to pinpoint specific changes in the cryptomining malware that allowed the hackers to dodge detection.
One newer feature is that it runs a script that checks every three seconds whether the device’s Activity Monitor is open. If it finds that the Activity Monitor is open, it stops all malicious processes. The goal of the feature is to make sure that even if a victim realizes that their computer is running hotter than normal and checks to see why, they will not see the cryptominer operating.
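The evasion described above leaves a tell: a process that has been pegging the CPU goes quiet within seconds of Activity Monitor appearing. The following detection heuristic is an added example written for this article, not Jamf's code; it parses snapshots of `ps -Ao %cpu,comm` output (the snapshot text here is constructed, including the `/tmp/constructed-miner` path) and flags processes whose CPU collapses right after Activity Monitor starts.

```python
from dataclasses import dataclass

ACTIVITY_MONITOR = "Activity Monitor"  # substring of the Activity Monitor binary path


@dataclass
class Snapshot:
    t: float      # seconds since monitoring began
    cpu: dict     # command path -> %CPU at time t


def parse_ps(t, output):
    """Parse the text of `ps -Ao %cpu,comm` (header included) into a Snapshot.
    In practice the text would come from subprocess.run(["ps", "-Ao", "%cpu,comm"])."""
    cpu = {}
    for line in output.strip().splitlines()[1:]:
        pct, comm = line.strip().split(None, 1)   # comm may contain spaces
        cpu[comm] = float(pct)
    return Snapshot(t, cpu)


def quieters(snaps, window=5.0, high=50.0, low=5.0, lookback=3):
    """Return processes that were busy (>= high %CPU) in the last `lookback`
    snapshots before Activity Monitor appeared and dropped to <= low %CPU
    within `window` seconds afterwards. Legitimate heavy workloads keep running."""
    snaps = sorted(snaps, key=lambda s: s.t)
    am_times = [s.t for s in snaps if any(ACTIVITY_MONITOR in c for c in s.cpu)]
    if not am_times:
        return []
    t_am = am_times[0]
    before = [s for s in snaps if s.t < t_am][-lookback:]
    after = [s for s in snaps if t_am <= s.t <= t_am + window]
    if len(before) < lookback or not after:
        return []
    flagged = []
    for comm in before[0].cpu:
        pre = [s.cpu.get(comm, 0.0) for s in before]
        post = [s.cpu.get(comm, 0.0) for s in after]
        if min(pre) >= high and min(post) <= low:
            flagged.append(comm)
    return sorted(flagged)


# Constructed snapshots, not real telemetry: Activity Monitor appears at t=3.
BUSY = "%CPU COMM\n 97.1 /tmp/constructed-miner\n 88.0 /usr/local/bin/ffmpeg\n  1.9 /usr/libexec/trustd\n"
QUIET = ("%CPU COMM\n  0.3 /tmp/constructed-miner\n 91.4 /usr/local/bin/ffmpeg\n  2.2 /usr/libexec/trustd\n"
         " 12.5 /System/Applications/Utilities/Activity Monitor.app/Contents/MacOS/Activity Monitor\n")
SNAPSHOTS = [parse_ps(t, BUSY) for t in (0, 1, 2)] + [parse_ps(t, QUIET) for t in (3, 4, 5)]

if __name__ == "__main__":
    print(quieters(SNAPSHOTS))  # ['/tmp/constructed-miner']
```

The ffmpeg entry stays busy and is not flagged, so the heuristic only reacts to the pause-on-observation pattern rather than to high CPU alone.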
Later versions of the malware also run only while the pirated application is open, hiding the mining activity until the victim uses that specific application.
But Apple has created security features to combat tactics like this in newer versions of its operating system, according to Jamf. With its latest operating system update — macOS Ventura — Apple created a tool that checks whether apps have been changed by unauthorized processes, even after the first time they launch.
This is a departure from past versions, where the operating system would only perform checks like that when an application was opened for the first time.
On macOS Ventura, the changed version of Final Cut Pro does not even launch, according to Jamf.
“This discovery presented a rare opportunity to trace the evolution of a malware family. What started as a rudimentary and conspicuous scheme had iterated through three distinct stages of evolution into something with creative evasion techniques,” they said, adding that only samples from the first generation of the malware family had been reported on.
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.