Cryptojacking Mac malware “Honkbox” found in pirated apps

Over the past couple of weeks, multiple reports about cryptojacking and cryptocurrency-stealing Mac malware have surfaced. Apple calls this Trojan horse malware “Honkbox.”

Let’s examine what we know about this malware, and how to safely remove it from infected systems.

What is Honkbox’s history, and how was it discovered?

Early last year, on February 21, 2022, Trend Micro researcher Luis Magisa wrote what may have been the first public report about the malware that later became known as Honkbox. Magisa described the malware as the “latest Mac coinminer,” noting that it “utilizes open-source binaries and the I2P network” (more on that in a moment).

On February 23, 2023, Jamf researchers published their own research, calling it “evasive cryptojacking malware” found in pirated Mac apps. According to their report, Jamf had been tracking recent developments of the malware family for a few months prior to publishing their research. Intego had also internally analyzed many Honkbox-related coin-miner malware samples months prior to Jamf’s write-up.

New variants of this malware initially came on Jamf’s radar during routine threat hunting, when they noticed that a Trojanized version of Apple’s Final Cut Pro included XMRig, which is cross-platform cryptocurrency mining software. (As an aside, Intego has previously written about a PUA in the Mac App Store that utilized similar mining software, XMR-Stak, in violation of Apple’s policies.)

The malware also employed Invisible Internet Project (I2P, or I2PD) technology (similar to Tor) to mask its bad network behavior, which included downloading payloads and sending any mined cryptocurrency to the malware maker. Notably, this is—to our recollection, and that of other researchers—likely the first Mac malware that has leveraged I2P. Both I2PD and XMRig are open-source utilities.

Jamf’s research team was able to locate the malware sample in the wild via a mirror of The Pirate Bay, a BitTorrent file distribution site. The same user who had shared the pirated and Trojanized copy of Final Cut Pro had also been offering a number of other apps illegitimately since August 2019. Some of these Trojan horses have included Apple’s Logic Pro X, Adobe Photoshop, Adobe Illustrator, Adobe Zii (a product activator), Ableton Live, as well as CleanMyMac X. SentinelOne’s Phil Stokes points to a November 1, 2019 Reddit post as the first known public request for help from a Honkbox-infected user.

Over time, the malware maker had found new ways of disguising its malicious behavior to better avoid detection by common antivirus software, such as the following example. Because crypto-mining takes a lot of processing power and can cause a computer to slow down significantly, the malware developer added a function to watch for the user to open Activity Monitor. Then, if the malware detected that Activity Monitor was open, it would instantly terminate the mining processes to prevent the user from figuring out what was causing the system slowdown. And, just in case the user were to use a third-party process monitor, the malware also disguised its processes in plain sight by naming them after legitimate Spotlight system processes, mdworker_local, mdworker_shared, and mdworker_watchd.

Following Jamf’s report, Apple added signatures for this malware to XProtect, a bare-bones “anti-malware” feature built into macOS; Stokes noted that this was the first time in months (three months and twelve days, to be exact, between November 10 and February 22) that Apple had updated its signatures. (This, by the way, is just one reason why it’s so important to use Mac antivirus software; Apple’s built-in protection is minimal, incomplete, and rarely updated.) While Trend Micro and Jamf hadn’t given the malware a unique name of its own, Apple first called it “HONKBOX” in its signatures, with three sub-variants: A, B, and C. Stokes did his own deep dive into the Honkbox malware, published on March 1.

What does Honkbox do to an infected computer?

Honkbox malware is distributed via Trojanized, pirated software. Its primary purpose seems to be using victims’ (pirates’) computers to mine for cryptocurrency on behalf of the malware maker. Cryptojacking—that is, unauthorized use of a computing device to mine for cryptocurrency—has a tendency to cause infected devices to slow down significantly. Cryptojacker malware may also cause devices to overheat.

Early variants of Honkbox established persistence, meaning they could relaunch themselves after an infected Mac had restarted. More recent Honkbox variants are stealthier, opting to only reactivate when a victim opens (or attempts to use) the pirated software. The malware intentionally tries to hide itself by using Apple process names, and also by suspending its mining processes whenever the user opens Activity Monitor to try to figure out why their system is running slowly.
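One way to check for the process-name disguise described above, as an added example that is not from the original article or from any vendor's tooling: the POSIX shell function below reads "PID executable" lines, such as those printed by ps -axo pid=,comm= on macOS, and reports any process that uses one of the three Spotlight names mentioned earlier but does not run from under /System/Library. That trusted location is an assumption, and the sample process list is constructed.

```sh
#!/bin/sh
# Added example: detect the Spotlight-name disguise described in this article.
# Feed it "PID EXECUTABLE" lines, for instance:
#   ps -axo pid=,comm= | flag_fake_mdworker

# Assumption: genuine Spotlight workers run only from Apple's system
# frameworks, i.e. from somewhere under this prefix.
TRUSTED_PREFIX=/System/Library/

# Prints "PID EXECUTABLE" for each suspicious process.
# Exit status 0 if anything was flagged, 1 otherwise (like grep).
flag_fake_mdworker() {
    rc=1
    # "exe" receives the rest of the line, so paths with spaces stay intact.
    while read -r pid exe; do
        # Only the three names the article says the miner borrows.
        case ${exe##*/} in
            mdworker_local|mdworker_shared|mdworker_watchd) ;;
            *) continue ;;
        esac
        case $exe in
            */../*) ;;                       # path tricks never count as trusted
            "$TRUSTED_PREFIX"*) continue ;;  # expected location, not reported
        esac
        printf '%s %s\n' "$pid" "$exe"
        rc=0
    done
    return "$rc"
}

# Constructed process list for illustration; none of these paths come from
# a real sample.
sample_ps() {
    cat <<'EOF'
  312 /System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/Metadata.framework/Versions/A/Support/mdworker_shared
  845 /Users/alice/Library/Application Support/cache/mdworker_shared
  846 /private/tmp/mdworker_local
  901 /usr/sbin/cfprefsd
  977 mdworker_watchd
EOF
}
```

Because the miner stops when Activity Monitor is open, a check like this is best run from Terminal or a management agent and repeated over time; a single clean result does not prove the Mac is uninfected.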

Who created Honkbox malware?

The Pirate Bay user named “wtfisthat34698409672” is one known distributor of the malware. Given that Honkbox’s primary purpose appears to be cryptomining on behalf of the malware’s maker, it seems very likely that this user either is, or is a close associate of, the malware developer.

Mac malware developers these days typically code-sign (and get Apple to notarize) their malware to ensure that it will work properly on the latest versions of macOS. One Apple Developer ID that signed a variant of this malware used the name “Mucke N.S. Doo,” which is probably not a real name.

What else is noteworthy about Honkbox malware?

In macOS Ventura, it’s more difficult for a maliciously modified (Trojanized) app to run. Many of the pirated apps will refuse to run on macOS Ventura, although the malware itself does successfully run. This should seem suspicious to the user, but by the time they realize they’ve been duped, the malware has already started running on their system.

Users of macOS Ventura may see a dialog box similar to the following when a Trojanized app fails its code-signing check:

“Final Cut Pro” is damaged and can’t be opened. You should move it to the Trash.

This file was downloaded on an unknown date.

(Move to Trash) (Cancel)

Interestingly, the B and C variants do not install methods of persistence, meaning that the malware won’t automatically launch itself again after each reboot. Instead, the malware maker opted to make these variants run only when the user launches the Trojanized app. Due to the aforementioned changes in macOS Ventura, the malware will be active for much less time on Ventura than when run on previous macOS versions.

The fact that macOS Ventura users have somewhat increased protection against harmful app modifications is one of many reasons why running the latest version of macOS is essential for your security.

As mentioned previously, Honkbox seems to be the first Mac malware to leverage I2P, the Invisible Internet Project, as a means of hiding its network traffic. Magisa noted that in years past, some previous Mac malware has utilized Tor (aka TOR, The Onion Router) for this purpose, including KeRanger and Eleanor (2016) and Dok (2017).

How can one remove or prevent Honkbox and other Mac malware?

Intego VirusBarrier X9, included with Intego’s Mac Premium Bundle X9, can protect against, detect, and eliminate Mac malware. Intego software detects components of this threat under the names OSX/Honkbox, OSX/CoinMiner, OSX/Miner, and OSX/Agent.

If you believe your Mac may be infected, or to prevent future infections, it’s best to use antivirus software from a trusted Mac developer. VirusBarrier is award-winning antivirus software, designed by Mac security experts, that includes real-time protection. It runs natively on a wide range of Mac hardware and operating systems, including the latest Apple silicon Macs running macOS Ventura.

If you use a Windows PC, Intego Antivirus for Windows can keep your computer protected from PC malware.

In general, it’s always a good idea to avoid downloading software (or other potentially pirated content) from torrents. See our related article about how torrent sites are a malware cesspool.

Note: Intego customers running VirusBarrier X8, X7, or X6 on older versions of Mac OS X are also protected from this threat. It is best to upgrade to the latest versions of VirusBarrier and macOS, if possible, to ensure your Mac gets all the latest security updates from Apple.

Honkbox indicators of compromise (IoCs)

Magisa and Stokes note the following file paths associated with Honkbox malware. Note that the tilde (~) indicates a particular user’s home folder, for example /Users/admin.

~/.i2pd/tunnels.conf
~/.i2pd/tunnels.d
/Library/LaunchDaemons/com.ableton.LiveEventd.plist
/Library/LaunchDaemons/com.apple.acc.installer.v1.plist
/private/tmp/com.apple.acc.installer.v1.plist
/private/tmp/i2pd/._pid
/private/tmp/installv3_md5
/private/tmp/installv3.sh
/private/tmp/lauth
/usr/local/bin/com.apple.acc.installer.v1
/usr/local/bin/com.adobe.acc.localhost
/usr/local/bin/com.adobe.acc.network
/usr/local/bin/liveeventd
/usr/local/bin/liveeventd.sh
/usr/local/bin/livelocalserviced
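
The path list above can be checked mechanically. The following POSIX shell function is an added example, not code from Trend Micro, SentinelOne or Intego; it expands the tilde entries for every home folder under /Users and for /var/root (an assumption about where home folders live) and accepts an alternate root, so a mounted backup or disk image can be checked as well as the running system.

```sh
#!/bin/sh
# Added example: report which of the Honkbox file paths listed on this page
# exist under a given root ("/" for the running Mac, or a mounted backup).

# System-wide paths, copied from the list above.
SYSTEM_IOCS='/Library/LaunchDaemons/com.ableton.LiveEventd.plist
/Library/LaunchDaemons/com.apple.acc.installer.v1.plist
/private/tmp/com.apple.acc.installer.v1.plist
/private/tmp/i2pd/._pid
/private/tmp/installv3_md5
/private/tmp/installv3.sh
/private/tmp/lauth
/usr/local/bin/com.apple.acc.installer.v1
/usr/local/bin/com.adobe.acc.localhost
/usr/local/bin/com.adobe.acc.network
/usr/local/bin/liveeventd
/usr/local/bin/liveeventd.sh
/usr/local/bin/livelocalserviced'

# Per-user paths (the "~" entries), relative to each home folder.
USER_IOCS='.i2pd/tunnels.conf
.i2pd/tunnels.d'

# True if the path exists; -L also catches a dangling symlink.
ioc_present() { [ -e "$1" ] || [ -L "$1" ]; }

# Usage: honkbox_path_sweep [ROOT]
# Prints each listed path that exists under ROOT.
# Exit status 0 if at least one was found, 1 otherwise (like grep).
honkbox_path_sweep() {
    root=${1:-/}
    root=${root%/}          # "/" becomes "", "/Volumes/Backup/" loses its slash
    rc=1

    while IFS= read -r p; do
        if ioc_present "$root$p"; then printf '%s\n' "$root$p"; rc=0; fi
    done <<EOF
$SYSTEM_IOCS
EOF

    # Assumption: user homes live in /Users, plus /var/root for the root user.
    for homedir in "$root"/Users/* "$root/var/root"; do
        [ -d "$homedir" ] || continue
        while IFS= read -r rel; do
            if ioc_present "$homedir/$rel"; then
                printf '%s\n' "$homedir/$rel"; rc=0
            fi
        done <<EOF
$USER_IOCS
EOF
    done
    return "$rc"
}
```

Run it as root (for example with sudo sh) so that other users' home folders are readable. The more recent variants described earlier leave no persistence files, so an empty result does not rule out infection.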

Files with the following 177 hashes have been identified as affiliated with Honkbox-related malware campaigns:

Note that the first 137 file hashes listed above are SHA-256 hashes; the corresponding files are all available to security researchers via VirusTotal, except for one from Magisa’s report, namely c0c4826e513239094c63382b5a726e056ae7f7759abc56bf807748ecfbfbb284. The next batch of 40 shorter SHA-1 hashes were included in Jamf’s write-up but were not available on VirusTotal at the time of this blog post’s publication.

Apple Developer IDs including the following have been used as part of this campaign:

MUCKE N.S. DOO (XFQL4XQZYW)
F2P859A6Z6

Command-and-control (C&C) domains and IP addresses that have been associated with related malware include:

A number of Dropbox URLs have reportedly hosted related Mac malware; these URLs are no longer active:

www.dropbox[.]com/s/1qo9cozv8srnx2x/PureLand%20Launcher.pkg?dl=1
www.dropbox[.]com/s/37vvqyjx6qi43ex/PureLand%20Launcher.pkg?dl=1
www.dropbox[.]com/s/3yivn8j36ramnvg/Pure%20Land%20Launcher.pkg?dl=1
www.dropbox[.]com/s/tmfj1iemicvu6t0/PureLand%20Launcher.pkg?dl=1

Network administrators can check recent network traffic logs to try to identify whether any computers on their network may have attempted to contact these domains, IPs, or URLs, which could indicate a possible infection.
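
The log check described above, as an added example that is not part of the original article: the POSIX shell functions below turn indicators written in the defanged [.] notation used on this page back into plain hostnames and match them against a log, counting subdomains only on a label boundary and IP addresses only on an exact match. The log layout (timestamp, client address, queried host) is an assumption, and the indicators and log lines inside are constructed from documentation-reserved names and addresses.

```sh
#!/bin/sh
# Added example: match defanged domain/IP indicators against a DNS or proxy log.
# Assumed log layout: TIMESTAMP CLIENT-IP QUERIED-HOST

# "evil[.]example" -> "evil.example", lower-cased, trailing blanks removed.
refang() { sed -e 's/\[\.]/./g' -e 's/[[:space:]]*$//' | tr 'A-Z' 'a-z'; }

# Usage: match_iocs IOC_FILE LOG_FILE
# Prints "CLIENT HOST INDICATOR" per hit; exit status 0 if any hit, else 1.
match_iocs() {
    IOCS=$(refang < "$1") awk '
        BEGIN { n = split(ENVIRON["IOCS"], ioc, "\n") }
        {
            host = tolower($3)
            sub(/\.$/, "", host)            # DNS logs may keep the root dot
            for (i = 1; i <= n; i++) {
                # URL-style indicators need full-URL matching; skip them here
                if (ioc[i] == "" || index(ioc[i], "/")) continue
                if (host == ioc[i] || is_subdomain(host, ioc[i])) {
                    print $2, host, ioc[i]; hit = 1; break
                }
            }
        }
        END { exit(hit ? 0 : 1) }
        # True only on a label boundary, and never for an IP-address indicator.
        function is_subdomain(h, d,    tail) {
            if (d ~ /^[0-9.]+$/) return 0
            tail = "." d
            return length(h) > length(tail) &&
                   substr(h, length(h) - length(tail) + 1) == tail
        }
    ' "$2"
}

# Constructed sample data (documentation-reserved names and addresses,
# not real indicators).
match_iocs_demo() {
    dir=$(mktemp -d) || return 2
    cat > "$dir/iocs.txt" <<'EOF'
c2.example[.]net
Miner-Pool.example[.]org
198.51.100[.]7
EOF
    cat > "$dir/dns.log" <<'EOF'
2023-03-01T10:00:01Z 10.0.0.5 c2.example.net.
2023-03-01T10:00:02Z 10.0.0.6 notc2.example.net
2023-03-01T10:00:03Z 10.0.0.7 a.b.miner-pool.example.org
2023-03-01T10:00:04Z 10.0.0.8 198.51.100.70
2023-03-01T10:00:05Z 10.0.0.9 198.51.100.7
2023-03-01T10:00:06Z 10.0.0.5 www.apple.com
EOF
    match_iocs "$dir/iocs.txt" "$dir/dns.log" && rc=0 || rc=$?
    rm -rf "$dir"
    return "$rc"
}
```

A hit identifies a client worth examining, not a confirmed infection: an indicator list can include hosts that legitimate software also contacts.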

Is Honkbox known by any other names?

Prior to Apple giving it the name Honkbox, this malware was mostly known by generic “CoinMiner” or “Miner” monikers.

While investigating other recent malware campaigns, our malware research team observed that a cryptocurrency stealer malware family that’s being called PureLand (or Vakksdr Stealer) matched our existing signatures for Honkbox. Therefore we have realigned our detection and consider these recent PureLand samples to be part of the Honkbox family. The lists of SHA-256 hashes, domains, IPs, and URLs above include some related to PureLand. (Stokes initially connected Honkbox and PureLand as well, but later backtracked after Intego published this report, so this possible relationship between the PureLand and Honkbox families is disputed.)

Other vendors’ names for threat components related to this malware campaign may include variations of the following, among others:

A Variant Of OSX/CoinMiner.AC, A Variant Of OSX/CoinMiner.AD, A Variant Of OSX/CoinMiner.Q, A Variant Of OSX/CoinMiner.W, Application.MAC.Miner.AJB, Coinminer.MacOS.MALXMR.H, Gen:Variant.Trojan.MAC.PureLand.1 (2x), HackTool.XMRMiner!1.ADCC (CLASSIC), HEUR:Trojan-Dropper.OSX.Agent.gen, HEUR:Trojan-Dropper.OSX.Agent.m, HEUR:Trojan-Dropper.OSX.Padzer.e, HEUR:Trojan-Dropper.OSX.Padzer.f, HEUR:Trojan-PSW.OSX.Pureland.gen, Honkbox_A, Honkbox_B, Honkbox_C, MacOS:Agent-JM [Trj], MacOS:Agent-JQ [Trj], MacOS:Agent-WN [Drp], MacOS:Agent-XI [Trj], MACOS.HONKBOX.A, MACOS.HONKBOX.B, MACOS.HONKBOX.C, MacOS/CoinMiner.A, Malware.MacOS-Script.Save.e4825366, Malware.OSX/Agent.ctche, Malware.OSX/Agent.jfggl, Malware.OSX/Agent.zobat, Multios.Coinminer.Miner-6781728-2, OSX_CoinMiner.PFL, OSX.Trojan.Agent.5V7AH3, Osx.Trojan.Coinminer.Bgow, OSX.Trojan.Gen.2, OSX/Agent.CJ, OSX/Agent.G!tr, OSX/Agent.gixtd, OSX/Agent.wguen, OSX/CoinMine-BU, OSX/CoinMine-CS, OSX/CoinMiner.bdmlu, OSX/CoinMiner.ext, OSX/CoinMiner.pjtut, OSX/CoinMiner.qfokr, OSX/Honkbox.ext, OSX/Miner.AC!tr, OSX/Miner.gen, OSX/Miner.qt, OSX/Miner.shell, Other:Malware-gen [Trj], Password-Stealer (0040f1771), PUA.MacOS.PURPLEPROXY.MANP, PUA.MacOS.PURPLEPROXY.MSGEM20, RDN/Generic.osx, Riskware/Application!OSX, Script.Trojan.A7586096, TROJ_FRS.0NA103BM22, TROJ_FRS.0NA104A223, Trojan (0040f28a1), Trojan:MacOS/Multiverze, Trojan:MacOS/SAgent!MTB, trojan:OSX/Honkbox.ext, trojan:OSX/PureLand.ext, Trojan.CoinMiner.OSX.44, Trojan.Generic.D3056588, Trojan.Generic.D3EB7491, Trojan.GenericKD.50685320, Trojan.GenericKD.65762449, Trojan.I2pdMiner/OSX!1.D989, Trojan.MAC.Generic.111680, Trojan.MAC.Generic.111683, Trojan.MAC.Generic.111728, Trojan.MAC.Generic.111730, Trojan.MAC.Generic.11970, Trojan.MAC.Generic.D1B440, Trojan.MAC.Generic.D1B443, Trojan.MAC.Generic.D1B470, Trojan.MAC.Generic.D2EC2, Trojan.MAC.Miner.AF, Trojan.MAC.Miner.AS, Trojan.MAC.Miner.AT, Trojan.MacOS.PADZER.MANP, Trojan.MacOS.PADZER.MSMEK20, Trojan.MacOS.PADZER.MSMH321, 
Trojan.MacOS.PADZER.RSMSMEL20, Trojan.Malware.121218.susgen, Trojan.OSX.Agent.4!c, Trojan.OSX.Coinminer, Trojan.OSX.Generic.4!c, Trojan.Shell.Agent.cp, Trojan.Shell.Agent.CQ, Trojan.Win32.SHELL.VSNW05C23, Trojan/Bash.Generic.SC186845, Trojan/OSX.CoinMiner

How can I learn more?

For additional technical information about the Honkbox malware, including reverse-engineering analyses, you can refer to the detailed write-ups by Luis Magisa of Trend Micro, Matt Benyo, Ferdous Saljooki, and Jaron Bradley of Jamf and Phil Stokes of SentinelOne. See also Stokes’ follow-up tweets. We also acknowledge the research into PureLand from Daniel Stinson (see his tweet thread and hash list) and iamdeadlyz (see their tweet thread and write-up).

We briefly discussed Honkbox on episode 281 of the Intego Mac Podcast.

About Joshua Long

Joshua Long (@theJoshMeister), Intego's Chief Security Analyst, is a renowned security researcher, writer, and public speaker. Josh has a master's degree in IT concentrating in Internet Security and has taken doctorate-level coursework in Information Security. Apple has publicly acknowledged Josh for discovering an Apple ID authentication vulnerability. Josh has conducted cybersecurity research for more than 25 years, which has often been featured by major news outlets worldwide. Look for more of Josh's articles at security.thejoshmeister.com and follow him on Twitter/X, LinkedIn, and Mastodon.