People using pirated versions of Apple's Final Cut Pro video editing software may have gotten more than they bargained for when they downloaded the software from the many illicit torrents through which it is available.

For the past several months at least, an unknown threat actor has used a pirated version of the macOS software to deliver the XMRig cryptocurrency mining tool on systems belonging to people who downloaded the app.

Researchers from Jamf who recently spotted the operation have been unable to determine how many users might have installed the weaponized software on their system and currently have XMRig running on them, but the level of sharing of the software suggests it could be hundreds.

Potentially Wide Impact for XMRig

Jaron Bradley, macOS detections expert at Jamf, says his company spotted over 400 seeders — or users who have the complete app — making it available via torrent to those who want it. The security vendor found that the individual who originally uploaded the weaponized version of Final Cut Pro for torrent sharing is someone with a multiyear track record of uploading pirated macOS software with the same cryptominer. Software in which the threat actor had previously sneaked the malware into includes pirated macOS versions of Logic Pro and Adobe Photoshop.

"Given the relatively high number of seeders and [the fact] that the malware author has been motivated enough to continuously update and upload the malware over the course of three and a half years, we suspect it has a fairly wide reach," Bradley says.

Jamf described the poisoned Final Cut Pro sample that it discovered as a new and improved version of previous samples of the malware, with obfuscation features that have made it almost invisible to malware scanners on VirusTotal. One key attribute of the malware is its use of the Invisible Internet Project (i2p) protocol for communication. I2p is a private network layer that offers users similar kind of anonymity as that offered by The Onion Router (Tor) network. All i2p traffic exists inside the network, meaning it does not touch the Internet directly.

"The malware author never reaches out to a website located anywhere except within the i2p network," Bradley says. "All attacker tooling is downloaded over the anonymous i2p network and mined currency is sent to the attackers' wallet over i2p as well."

With the pirated version of Final Cut Pro that Jamf discovered, the threat actor had modified the main binary so when a user double clicks the application bundle the main executable is a malware dropper. The dropper is responsible for carrying out all further malicious activity on the system including launching the cryptominer in the background and then displaying the pirated application to the user, Bradley says.

Continuous Malware Evolution

As noted, one of the most notable differences between the latest version of the malware and previous versions is its increased stealth — but this has been a pattern. 

The earliest version — bundled into pirated macOS software back in 2019 — was the least stealthy and mined cryptocurrency all the time whether the user was at the computer or not. This made it easy to spot. A later iteration of the malware got sneakier; it would only start mining cryptocurrency when the user opened a pirated software program. 

"This made it harder for users to detect the malware's activity, but it would keep mining until the user logged out or restarted the computer. Additionally, the authors started using a technique called base 64 encoding to hide suspicious strings of code associated with the malware, making it harder for antivirus programs to detect," Bradley says.

He tells Dark Reading that with the latest version, the malware changes the process name to look identical to system processes. "This makes it difficult for the user to distinguish the malware processes from native ones when viewing a process listing using a command-line tool.

One feature that has remained consistent through the different versions of the malware is its constant monitoring of the "Activity Monitor" application. Users can often open the app to troubleshoot problems with their computers and in doing so could end up detecting the malware. So, "once the malware detects that the user has opened the Activity Monitor, it immediately stops all its processes to avoid detection."

Instance of threat actors bundling malware into pirated macOS apps have been rare and far between. In fact, one of the last well-known instances of such an operation was in July 2020, when researchers at Malwarebytes discovered a pirated version of application firewall Little Snitch that contained a downloader for a macOS ransomware variant.