Mac malware on the rise again; several new threats found: Netwire, Mokes, LoudMiner, NewTab


Mac malware continues to increase in both quantity and variety. In addition to Intego’s discovery of new OSX/Linker and OSX/CrescentCore Mac malware, several other active malware campaigns have been observed in June 2019, everything from a bizarre cryptocurrency miner to creepy backdoors that could allow an attacker to log your keystrokes, and more. Let’s take a look at some of the Mac malware we’ve seen in the wild in recent weeks.


Firefox zero-day leveraged to spread OSX/Netwire and OSX/Mokes

A zero-day vulnerability in Firefox (CVE-2019-11707) was leveraged by attackers to spread multiple types of Mac malware.

One of the malware families that spread through exploitation of this vulnerability was OSX/Netwire, a successor to OSX/NetWeirdRC, which Intego wrote about in 2012 and 2016. The other malware family is identified as OSX/Mokes, which Intego also wrote about in 2016. Both are “backdoor” malware, meaning that they have capabilities such as logging keystrokes and taking screenshots of an infected Mac, allowing an attacker to spy on their victims.

It’s worth noting that although the rudimentary XProtect malware detection system built into macOS was theoretically capable of detecting the OSX/Netwire sample, in fact XProtect provided no protection whatsoever in this case. Malware installed via a vulnerability doesn’t get tagged with a “quarantine” flag, which means it isn’t on XProtect’s radar, which in turn means that the built-in malware defense in macOS is essentially worthless in such circumstances.
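The quarantine point above is easy to verify on a suspect file. The following triage helper is an added example (not Intego’s code, and not from the Wardle write-ups): it reads the com.apple.quarantine extended attribute with the macOS `xattr -p` command and decodes it. The field layout “flags;hex Unix time;agent;UUID” is the assumption the parser relies on, and the sample value in the comments is constructed. A file with no attribute at all, which is what an exploit-dropped payload looks like, is reported explicitly, because that is precisely the case XProtect never examines.

```python
"""Report whether a file carries the com.apple.quarantine attribute and decode it.

Added example for illustration; assumes macOS for the `xattr` call and the
attribute layout "flags;hex-unix-time;agent;uuid" (e.g. the constructed value
"0083;5d0b8c1e;Safari;7F2A0C9E-0000-4000-8000-000000000000").
"""
import subprocess
import sys
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

QUARANTINE_ATTR = "com.apple.quarantine"


@dataclass
class Quarantine:
    flags: int              # hex bit field written by the downloading app
    downloaded_at: datetime  # when the file was tagged (UTC)
    agent: str              # application that performed the download
    uuid: str               # key into the LaunchServices quarantine event DB


def parse_quarantine(value: str) -> Quarantine:
    """Decode the semicolon-separated attribute value into its four fields."""
    parts = value.strip().split(";")
    if len(parts) < 3:
        raise ValueError(f"unexpected quarantine value: {value!r}")
    flags = int(parts[0], 16)
    when = datetime.fromtimestamp(int(parts[1], 16), tz=timezone.utc)
    agent = parts[2]
    uuid = parts[3] if len(parts) > 3 else ""
    return Quarantine(flags, when, agent, uuid)


def read_quarantine(path: str) -> Optional[str]:
    """Return the raw attribute value via `xattr -p` (macOS), or None if absent."""
    try:
        result = subprocess.run(
            ["xattr", "-p", QUARANTINE_ATTR, path],
            capture_output=True, text=True, check=False,
        )
    except FileNotFoundError:
        raise RuntimeError("xattr command not found; this helper expects macOS")
    if result.returncode != 0:
        return None  # no attribute: Gatekeeper and XProtect never saw this file
    return result.stdout.strip()


def describe(path: str, raw: Optional[str]) -> str:
    """Turn a raw attribute value (or None) into a one-line triage verdict."""
    if raw is None:
        return f"{path}: NO quarantine attribute (not subject to XProtect scan)"
    q = parse_quarantine(raw)
    return (f"{path}: quarantined flags=0x{q.flags:04x} agent={q.agent} "
            f"at={q.downloaded_at.isoformat()} uuid={q.uuid}")


def triage(path: str) -> str:
    return describe(path, read_quarantine(path))


if __name__ == "__main__":
    for p in sys.argv[1:]:
        print(triage(p))
```

Run it against a freshly downloaded file and against something a non-browser process wrote to disk; only the former will show an agent and timestamp. Anything that shows up with no attribute has to be judged by other means (signature, origin, on-access scanning), since XProtect’s download-time check will never fire for it.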

Full technical write-ups on these backdoors can be found in a series of articles by Patrick Wardle: Burned by Fire(fox) part 1 and part 2 (about OSX/Netwire), and part 3 (about OSX/Mokes).

Mac users can protect themselves from the Firefox zero-day vulnerability by ensuring they’re using the latest version of the browser. To check for updates, click on the Firefox menu (next to the Apple logo menu in the top-left corner of the screen) and select About Firefox.

LoudMiner aka Bird Miner found in “cracked” VST installers

Two research teams independently discovered a strange cryptocurrency miner that was being distributed in pirated (“cracked”) copies of VST audio software, which appear to have been distributed through a blog site for several months—perhaps as early as August or September 2018 based on Intego’s research.

The pirated software comes with a parasite: cryptocurrency mining software that attempts to use your Mac’s processing power to make money for the digital pirates.

What’s particularly bizarre about this unwanted miner is that, rather than the mining software app running as a simple background process, the miner runs within an entire Linux operating system inside of a Qemu virtual machine. In other words, while you’re running macOS, another operating system boots up inside of macOS and starts running cryptomining software. It’s unclear whether the pirates were just lazy and trying to come up with a cross-platform solution that took little effort, or whether they were trying to use this technique to hide from antivirus software that might detect the miner if it were running natively on the infected computer.

Intego detects this threat as OSX/LoudMiner. Full technical write-ups about this malware campaign were written by Michal Malik and Thomas Reed.
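Because the miner lives inside a QEMU guest, the most durable artifact on the host is whatever keeps that VM booting across logins, and on macOS that is a launchd job. The scanner below is an added example (not Intego’s, ESET’s or Malwarebytes’ code): it walks the standard LaunchDaemons/LaunchAgents directories, parses each job plist, and flags any job whose command line runs a qemu-system binary. The directory list, the “qemu-system” token, and the two sample job plists it writes into a temporary directory for demonstration are all assumptions or constructed data, not indicators taken from the campaign write-ups.

```python
"""Flag launchd jobs that start a QEMU virtual machine.

Added example, not project code. Assumptions: the three directory paths below,
the "qemu-system" substring as the indicator, and the constructed sample jobs
that build_sample_dir() writes for demonstration.
"""
import os
import plistlib
import tempfile
from typing import Iterable, List

LAUNCHD_DIRS = [
    "/Library/LaunchDaemons",
    "/Library/LaunchAgents",
    os.path.expanduser("~/Library/LaunchAgents"),
]
SUSPICIOUS_TOKENS = ("qemu-system",)  # e.g. qemu-system-x86_64 in ProgramArguments


def job_command(job: dict) -> List[str]:
    """Return the argv launchd would execute for this job definition."""
    args = job.get("ProgramArguments")
    if isinstance(args, list):
        return [str(a) for a in args]
    prog = job.get("Program")
    return [str(prog)] if prog else []


def is_qemu_job(job: dict) -> bool:
    cmd = " ".join(job_command(job)).lower()
    return any(tok in cmd for tok in SUSPICIOUS_TOKENS)


def scan_dirs(dirs: Iterable[str]) -> List[str]:
    """Return one finding line per launchd plist that launches QEMU."""
    hits: List[str] = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if not name.endswith(".plist"):
                continue
            path = os.path.join(d, name)
            try:
                with open(path, "rb") as fh:
                    job = plistlib.load(fh)
            except (OSError, plistlib.InvalidFileException, ValueError):
                continue  # unreadable or not a plist; not our concern here
            if isinstance(job, dict) and is_qemu_job(job):
                hits.append(f"{path}: Label={job.get('Label')} "
                            f"cmd={' '.join(job_command(job))}")
    return hits


def build_sample_dir() -> str:
    """Write two constructed job plists (one QEMU, one benign) to a temp dir."""
    d = tempfile.mkdtemp(prefix="launchd-sample-")
    jobs = {
        "com.example.qemu-job.plist": {   # constructed, mimics a VM-launching job
            "Label": "com.example.qemu-job",
            "ProgramArguments": ["/usr/local/bin/qemu-system-x86_64",
                                 "-nographic", "-hda", "/tmp/disk.qcow2"],
            "RunAtLoad": True,
        },
        "com.example.backup.plist": {     # constructed, benign
            "Label": "com.example.backup",
            "ProgramArguments": ["/usr/bin/rsync", "-a", "/src", "/dst"],
            "StartInterval": 3600,
        },
    }
    for fname, job in jobs.items():
        with open(os.path.join(d, fname), "wb") as fh:
            plistlib.dump(job, fh)
    return d


if __name__ == "__main__":
    for line in scan_dirs(LAUNCHD_DIRS + [build_sample_dir()]):
        print(line)
```

A live host check also benefits from `ps` output: a long-running qemu-system process owned by a user who never installed a hypervisor is the runtime counterpart of the persistence entry this script finds.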

Intego discovers OSX/NewTab

Intego has also added detection for OSX/NewTab, malware that attempts to inject tabs into the Safari browser. The oldest known samples date back to April 21. Some of the file names are clear indicators of deception, including Government Forms Online and Quick N Easy Recipes. All samples have an identifier of com.NTAppStubInstaller and were digitally signed with the Apple Developer ID cosmina beteringhe (HYC4353YBE). (A VirusTotal account is required to access these links.)

Related SHA-256 hashes for this malware include:


These additional VirusTotal searches can show more related samples: Mach-O binaries, zip files 1, zip files 2.

Notably, none of the approximately 60 antivirus engines on VirusTotal is currently detecting this malware. Intego seems to be the first to add detection for this malware family.

Related: Intego discovered two other new Mac malware varieties and published about them this week:

OSX/Linker: New Mac malware attempts zero-day Gatekeeper bypass

OSX/CrescentCore: Mac malware designed to evade antivirus

How can one remove or prevent this and other Mac malware?


Intego VirusBarrier X9, included with Intego’s Mac Premium Bundle X9, can protect against, detect, and eliminate all of these Mac malware families.

If you believe your Mac may be infected, or to prevent future infections, it’s best to use antivirus software from a trusted Mac developer. VirusBarrier is award-winning antivirus software, designed by Mac security experts, that includes real-time protection. It runs natively on a wide range of Mac hardware and operating systems, including the very latest Macs.

If you use a Windows PC, Intego Antivirus for Windows can keep your computer protected from PC malware.

Note: Intego customers running VirusBarrier X8, X7, or X6 on older versions of Mac OS X are also protected from this threat. It is best to upgrade to the latest versions of VirusBarrier and macOS, if possible, to ensure your Mac gets all the latest security updates from Apple.

How can I learn more?

We talked about some of this malware on episode 88 of the Intego Mac Podcast.

Each week on the Intego Mac Podcast, Intego’s Mac security experts discuss the latest Apple news, including security and privacy stories, and offer practical advice on getting the most out of your Apple devices. Be sure to follow the podcast to make sure you don’t miss any episodes.

You can also subscribe to our e-mail newsletter and keep an eye here on The Mac Security Blog for the latest Apple security and privacy news. And don’t forget to follow Intego on your favorite social media channels.

About Joshua Long

Joshua Long (@theJoshMeister), Intego's Chief Security Analyst, is a renowned security researcher and writer, and an award-winning public speaker. Josh has a master's degree in IT concentrating in Internet Security and has taken doctorate-level coursework in Information Security. Apple has publicly acknowledged Josh for discovering an Apple ID authentication vulnerability. Josh has conducted cybersecurity research for more than 25 years, which has often been featured by major news outlets worldwide. Look for more of Josh's articles at and follow him on X/Twitter, LinkedIn, and Mastodon.