
Mac malware on the rise again; several new threats found: Netwire, Mokes, LoudMiner, NewTab


Mac malware continues to increase in both quantity and variety. In addition to Intego’s discovery of the new OSX/Linker and OSX/CrescentCore Mac malware, several other active malware campaigns were observed in June 2019, ranging from a bizarre cryptocurrency miner to creepy backdoors that let an attacker log your keystrokes and watch your screen. Let’s take a look at some of the Mac malware we’ve seen in the wild in recent weeks.


Firefox zero-day leveraged to spread OSX/Netwire and OSX/Mokes

A zero-day vulnerability in Firefox (CVE-2019-11707), exploited in the wild before Mozilla had shipped a fix, was leveraged by attackers to spread multiple types of Mac malware.

One of the malware families spread through exploitation of this vulnerability was OSX/Netwire, a successor to OSX/NetWeirdRC, which Intego wrote about in 2012 and 2016. The other was OSX/Mokes, which Intego also wrote about in 2016. Both are “backdoor” malware: they can log keystrokes, take screenshots and otherwise let an attacker spy on an infected Mac.

It’s worth noting that although the rudimentary XProtect malware detection system built into macOS had a signature that theoretically covered the OSX/Netwire sample, XProtect provided no protection whatsoever in this case. XProtect only inspects files that carry the com.apple.quarantine extended attribute, which quarantine-aware apps such as Safari, Mail and Firefox apply to files they save. A payload written to disk by exploit code running inside the browser process never gets that attribute, so it is never on XProtect’s radar, and the built-in malware defense in macOS is essentially worthless in such circumstances.
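As an added illustration (this script is not from the Intego article and is not Apple’s or Intego’s code), the following checks whether a file carries the com.apple.quarantine attribute that Gatekeeper and XProtect key on, and shows how a file dropped directly by a process differs from a browser download. It assumes macOS’s xattr tool; on Linux it falls back to getfattr/setfattr under the user.* namespace so the same logic can be exercised there. The attribute value it writes follows the real “flags;hex-time;agent;UUID” layout, but the flag bits and UUID are constructed sample values.

```shell
#!/bin/sh
# Added example, not part of the Intego post. Inspect the com.apple.quarantine
# extended attribute that Gatekeeper/XProtect use to decide whether a file is
# scanned on first open. Assumes macOS `xattr`; on Linux the attribute is
# emulated under the user.* namespace via getfattr/setfattr so the same logic
# can be exercised there.

QATTR="com.apple.quarantine"

# Print the quarantine attribute of FILE and return 0; return 1 if absent.
read_quarantine() {
    if command -v xattr >/dev/null 2>&1; then
        xattr -p "$QATTR" "$1" 2>/dev/null
    elif command -v getfattr >/dev/null 2>&1; then
        getfattr --only-values -n "user.$QATTR" "$1" 2>/dev/null
    else
        return 1
    fi
}

# Stamp FILE the way a quarantine-aware app would when saving a download.
# Value layout is "flags;hex-unix-time;agent name;UUID"; the flags and UUID
# below are constructed sample values, not copied from a real download.
mark_quarantined() {
    agent="${2:-Safari}"
    stamp=$(printf '%x' "$(date +%s)")
    value="0083;${stamp};${agent};00000000-0000-4000-8000-000000000000"
    if command -v xattr >/dev/null 2>&1; then
        xattr -w "$QATTR" "$value" "$1"
    elif command -v setfattr >/dev/null 2>&1; then
        setfattr -n "user.$QATTR" -v "$value" "$1"
    else
        return 1
    fi
}

# Classify FILE: prints "quarantined:<agent>" or "unquarantined".
# An unquarantined Mach-O or .app in ~/Downloads or a temp directory is what
# an exploit-dropped payload looks like: nothing ever asks XProtect about it.
quarantine_status() {
    if q=$(read_quarantine "$1"); then
        agent=$(printf '%s' "$q" | cut -d';' -f3)
        printf 'quarantined:%s\n' "$agent"
    else
        printf 'unquarantined\n'
    fi
}

# Report on any paths given on the command line, e.g.
#   sh quarantine_check.sh ~/Downloads/*.dmg /tmp/suspicious
for path in "$@"; do
    printf '%s\t' "$path"
    quarantine_status "$path"
done
```

The useful triage habit this encodes: when a file that looks like a download reports “unquarantined”, ask which process wrote it, because no quarantine-aware application did.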

Full technical write-ups on these backdoors can be found in a series of articles by Patrick Wardle: Burned by Fire(fox) part 1 and part 2 (about OSX/Netwire), and part 3 (about OSX/Mokes).

Mac users can protect themselves from the Firefox zero-day vulnerability by ensuring they’re using the latest version of the browser. To check for updates, click on the Firefox menu (next to the Apple logo menu in the top-left corner of the screen) and select About Firefox.

LoudMiner aka Bird Miner found in “cracked” VST installers

Two research teams independently discovered a strange cryptocurrency miner that was being distributed in pirated (“cracked”) copies of VST audio software, which appear to have been distributed through a blog site for several months—perhaps as early as August or September 2018 based on Intego’s research.

The pirated software comes with a parasite: cryptocurrency mining software that attempts to use your Mac’s processing power to make money for the digital pirates.

What’s particularly bizarre about this unwanted miner is that, rather than running the mining software as a simple background process, it runs a complete Linux operating system inside a QEMU virtual machine. In other words, while you’re running macOS, another operating system boots up inside macOS and starts mining. It’s unclear whether the pirates were just lazy and wanted a cross-platform solution that took little effort, or whether they were using the technique to hide from antivirus software that might have detected the miner had it run natively on the infected computer.

Intego detects this threat as OSX/LoudMiner. Full technical write-ups about this malware campaign were written by Michal Malik (ESET, which named it LoudMiner) and Thomas Reed (Malwarebytes, which named it Bird Miner).

Intego discovers OSX/NewTab

Intego has also added detection for OSX/NewTab, malware that attempts to inject tabs into the Safari browser. The oldest known samples date back to April 21, 2019. Some of the file names are clear indicators of deception, including Government Forms Online Installer.app.zip and Quick N Easy Recipes Installer.app.zip. All samples have the bundle identifier com.NTAppStubInstaller and were digitally signed with the Apple Developer ID cosmina beteringhe (HYC4353YBE). (A VirusTotal account is required to access these links.)

Related SHA-256 hashes for this malware include:

These additional VirusTotal searches can show more related samples: Mach-O binaries, zip files 1, zip files 2.

Notably, none of the approximately 60 antivirus engines on VirusTotal is currently detecting this malware. Intego seems to be the first to add detection for this malware family.
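The bundle identifier and Developer ID team identifier quoted above are practical hunting keys, because codesign(1) prints both (as “Identifier=” and “TeamIdentifier=” lines) for any signed bundle. The script below is an added example, not code from the Intego post and not Intego’s detection logic: it parses codesign’s verbose output and flags a bundle whose identifier or team matches the OSX/NewTab values above. The parser works on captured text, so it can be exercised off a Mac; the codesign-style sample fed to it in testing is constructed.

```shell
#!/bin/sh
# Added example, not part of the Intego post. Hunt for signed bundles that
# carry the OSX/NewTab bundle identifier or Developer ID team identifier.
# `codesign -dvv` writes "Identifier=..." and "TeamIdentifier=..." lines
# (to stderr); the parser below consumes that text from stdin, so it can be
# tested on captured output where codesign itself is unavailable.

NEWTAB_IDENTIFIER="com.NTAppStubInstaller"
NEWTAB_TEAM="HYC4353YBE"

# Read codesign -dvv style output on stdin. Exit 0 (match) if the bundle
# identifier or team identifier matches OSX/NewTab, 1 if signed but benign,
# 2 if neither field is present (unsigned object or not codesign output).
flag_codesign_info() {
    ident=""; team=""
    while IFS= read -r line; do
        case "$line" in
            Identifier=*)     ident="${line#Identifier=}" ;;
            TeamIdentifier=*) team="${line#TeamIdentifier=}" ;;
        esac
    done
    [ -n "$ident$team" ] || return 2
    if [ "$ident" = "$NEWTAB_IDENTIFIER" ] || [ "$team" = "$NEWTAB_TEAM" ]; then
        printf 'MATCH OSX/NewTab identifier=%s team=%s\n' "$ident" "$team"
        return 0
    fi
    return 1
}

# Run codesign against one bundle or Mach-O and feed the result to the parser.
scan_bundle() {
    codesign -dvv "$1" 2>&1 | flag_codesign_info
}

# Walk the usual drop locations for .app bundles and print any matches.
# Paths are the macOS defaults; adjust for the disk image you are triaging.
scan_common_locations() {
    for dir in /Applications "$HOME/Applications" "$HOME/Downloads"; do
        [ -d "$dir" ] || continue
        find "$dir" -maxdepth 2 -name '*.app' 2>/dev/null |
        while IFS= read -r app; do
            if out=$(scan_bundle "$app"); then
                printf '%s\t%s\n' "$app" "$out"
            fi
        done
    done
}

# Usage: scan a specific bundle, or sweep the default locations.
#   sh newtab_hunt.sh "/path/to/Government Forms Online Installer.app"
#   sh newtab_hunt.sh
if [ $# -gt 0 ]; then
    for target in "$@"; do scan_bundle "$target"; done
fi
```

Matching on TeamIdentifier rather than only on the bundle identifier matters here: an operator who re-uses a Developer ID certificate across renamed installers changes the identifier easily, but the team identifier is tied to the certificate until Apple revokes it.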

Related: Intego discovered two other new Mac malware varieties and published about them this week:

OSX/Linker: New Mac malware attempts zero-day Gatekeeper bypass

OSX/CrescentCore: Mac malware designed to evade antivirus

How can one remove or prevent this and other Mac malware?


Intego VirusBarrier X9, included with Intego’s Mac Premium Bundle X9, can protect against, detect, and eliminate all of these Mac malware families.

If you believe your Mac may be infected, or to prevent future infections, it’s best to use antivirus software from a trusted Mac developer. VirusBarrier is award-winning antivirus software, designed by Mac security experts, that includes real-time protection. It runs natively on a wide range of Mac hardware and operating systems, including the very latest Macs.

If you use a Windows PC, Intego Antivirus for Windows can keep your computer protected from PC malware.

Note: Intego customers running VirusBarrier X8, X7, or X6 on older versions of Mac OS X are also protected from these threats. It is best to upgrade to the latest versions of VirusBarrier and macOS, if possible, to ensure your Mac gets all the latest security updates from Apple.

How can I learn more?

We talked about some of this malware on episode 88 of the Intego Mac Podcast.

Each week on the Intego Mac Podcast, Intego’s Mac security experts discuss the latest Apple news, including security and privacy stories, and offer practical advice on getting the most out of your Apple devices. Be sure to follow the podcast to make sure you don’t miss any episodes.

You can also subscribe to our e-mail newsletter and keep an eye here on The Mac Security Blog for the latest Apple security and privacy news.

About Joshua Long

Joshua Long (@theJoshMeister), Intego's Chief Security Analyst, is a renowned security researcher and writer, and an award-winning public speaker. Josh has a master's degree in IT concentrating in Internet Security and has taken doctorate-level coursework in Information Security. Apple has publicly acknowledged Josh for discovering an Apple ID authentication vulnerability. Josh has conducted cybersecurity research for more than 25 years, which is often featured by major news outlets worldwide. Look for more of Josh's articles at security.thejoshmeister.com and follow him on X/Twitter, LinkedIn, and Mastodon. View all posts by Joshua Long →