Jun 3, 2018
A new Mac cryptominer was discovered this week, after affected users saw their fans whirring out of control and a process named “mshelper” gobbling up CPU time like Cookie Monster. Fortunately, this malware is not very sophisticated and is easy to remove.
The malware became public knowledge in a post on Apple’s discussion forums, where the “mshelper” process was found to be the culprit. Digging deeper, it was discovered that a couple of other suspicious processes were installed as well. We went searching and found copies of these files.
The malware is mining for Monero cryptocurrency. Here’s a breakdown of its components.
The dropper
A “dropper” is what security researchers call the program that installs malware. Often, Mac malware is installed by things like fake Adobe Flash Player installers, downloads from piracy sites, decoy documents users are tricked into opening, and other such things.
In this case, the dropper is still unknown, but we do not believe it’s anything sophisticated. Everything else about this malware suggests simplicity.
The launcher
A file named pplauncher is installed in the following location:
~/Library/Application Support/pplauncher/pplauncher
This file is kept running by a launch daemon (com.pplauncher.plist), indicating that the dropper must have had root privileges.
pplauncher is a rather large executable file (3.5 MB) that was written in Golang and then compiled for macOS. The sole responsibility of this process appears to be the fairly simple task of installing and launching the miner process.
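A detection check for the artifacts described in this section, added here as an example and not part of the original post or of the malware itself: it looks for the pplauncher binary, the com.pplauncher.plist launch daemon and a running mshelper process. It assumes the plist lives in the standard /Library/LaunchDaemons directory (the post only gives the file name) and that the miner appears in the process list under the name "mshelper".

```shell
#!/bin/sh
# Added detection helper (not from the original post) for the indicators
# named above. Assumptions: the daemon plist sits in the standard
# /Library/LaunchDaemons directory, and the miner process is named "mshelper".

# check_mshelper_files ROOT HOME
#   ROOT is the system root (/ on a live Mac, or a mounted image / test tree);
#   HOME is the home folder to inspect. Prints each artifact found and returns
#   0 if at least one was found, 1 if none were.
check_mshelper_files() {
    root=$1
    home=$2
    found=1
    for f in "$home/Library/Application Support/pplauncher/pplauncher" \
             "$root/Library/LaunchDaemons/com.pplauncher.plist"; do
        if [ -e "$f" ]; then
            echo "indicator: $f"
            found=0
        fi
    done
    return $found
}

# scan_process_list
#   Reads process names on stdin (one per line, e.g. from `ps -axo comm=`)
#   and returns 0 if an "mshelper" process is present, 1 otherwise.
scan_process_list() {
    hit=1
    while IFS= read -r name; do
        # ps may print a full path; compare only the basename.
        case "${name##*/}" in
            mshelper) echo "indicator: running process mshelper"; hit=0 ;;
        esac
    done
    return $hit
}

# Live scan of this machine when invoked as: sh check_mshelper.sh --live
if [ "${1:-}" = "--live" ]; then
    status=1
    check_mshelper_files / "$HOME" && status=0
    ps -axo comm= | scan_process_list && status=0
    if [ "$status" -eq 0 ]; then echo "mshelper indicators FOUND"; else echo "no mshelper indicators"; fi
    exit "$status"
fi
```

Exit status follows the grep convention: 0 when indicators were found, 1 when the scan came back clean.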