We haven’t reported on cryptomining malware for the past several weeks, not because there haven’t been any instances but because the cases were becoming too repetitive. If you missed those cryptomining stories, security researchers disclosed a new Mac malware strain this week that targets macOS users.
Several users noticed their fans spinning faster than usual and then found a process named “mshelper” consuming CPU. It turns out that mshelper is nothing but malware mining the Monero cryptocurrency.
Mac malware hijacks MacBooks to mine for Monero cryptocurrency
In a blog post this week, Malwarebytes detailed this not-so-sophisticated Mac malware, which has three components: the dropper, which downloads the malware; the launcher, which installs and launches it; and the miner, which is based on the open source Monero miner XMRig.
It remains unclear how the Monero cryptominer is being dropped on Macs, but judging by past examples, fake Adobe Flash Player installers and downloads from piracy sites are plausible vectors. Malwarebytes researchers wrote that “the dropper is still unknown” and that the company doesn’t believe “it’s anything sophisticated” since “everything else about this malware suggests simplicity.”
The launcher is a file named pplauncher, which is kept active by a launch daemon. Installing a launch daemon means writing to /Library/LaunchDaemons, which requires root, so the dropper must have had root privileges. The launcher’s job is to install and start the miner. Once the launcher creates the mshelper process (the miner), the compromised Mac starts mining Monero.
Researchers noted that the malware isn’t dangerous, “unless your Mac has a problem like damaged fans or dust-clogged vents that could cause overheating.”
If your antivirus or anti-miner product isn’t catching this particular malware, you can delete the following files and then reboot your device:
- /Library/Application Support/pplauncher/pplauncher
Deleting the launcher binary on its own is not enough while the launch daemon that keeps pplauncher alive is still loaded: launchd will simply restart it. Unload that daemon and remove its plist from /Library/LaunchDaemons, and kill any running mshelper process, before you reboot.
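As an added example (not code from the article or from Malwarebytes), here is a POSIX shell script that looks for the indicators named above and prints a dry-run clean-up plan in an order that does not let launchd respawn the launcher. The article does not give the launch daemon’s plist name, so the script searches /Library/LaunchDaemons for any plist that mentions pplauncher; that search, the `--live` flag and the `RUN=1` switch are this example’s own assumptions.

```shell
#!/bin/sh
# Added example, not code from the article or from Malwarebytes: triage and
# clean-up helpers for the pplauncher/mshelper miner described above.
#
# Indicators are the ones the article names: a process called "mshelper", the
# launcher at /Library/Application Support/pplauncher/pplauncher, and a launch
# daemon that keeps pplauncher alive. The daemon's plist name is not given in
# the article, so the script greps /Library/LaunchDaemons for any plist that
# mentions pplauncher rather than assuming a filename (this example's own
# assumption, not a detail from the article).

LAUNCHER_REL='Library/Application Support/pplauncher/pplauncher'
DAEMON_DIR_REL='Library/LaunchDaemons'

# Count lines naming an mshelper process. Reads a `ps -axo comm=` style
# listing (one command name per line) on stdin so it can also be run against
# a saved or constructed listing; a full path ending in /mshelper counts too.
count_mshelper_procs() {
    awk '$0 ~ /(^|\/)mshelper$/ { n++ } END { print n + 0 }'
}

# Print the launch daemon plists under directory $1 that reference pplauncher.
find_pplauncher_daemons() {
    [ -d "$1" ] || return 0
    grep -l 'pplauncher' "$1"/*.plist 2>/dev/null
    return 0
}

# Print one line per on-disk indicator found under the tree rooted at $1
# (pass "/" for the live system, or a scratch directory for a dry run).
triage_tree() {
    root="${1%/}"
    if [ -f "$root/$LAUNCHER_REL" ]; then
        echo "launcher present: $root/$LAUNCHER_REL"
    fi
    find_pplauncher_daemons "$root/$DAEMON_DIR_REL" | while read -r plist; do
        echo "launch daemon references pplauncher: $plist"
    done
}

# Execute a command when RUN=1, otherwise just print it. The clean-up steps
# need root, so the default is a dry run that shows what would be done.
run() {
    if [ "${RUN:-0}" = 1 ]; then "$@"; else echo "+ $*"; fi
}

# Clean-up in an order that does not let launchd respawn the launcher:
# unload the daemon(s) and delete their plists, stop the processes, then
# delete the launcher directory. The article's advice to reboot still applies.
remediate() {
    root="${1%/}"
    find_pplauncher_daemons "$root/$DAEMON_DIR_REL" | while read -r plist; do
        run launchctl unload "$plist"
        run rm -f "$plist"
    done
    run pkill -x pplauncher
    run pkill -x mshelper
    run rm -rf "$root/Library/Application Support/pplauncher"
}

# Stand-alone use on a Mac: list what is present, then show the clean-up plan.
if [ "${1:-}" = "--live" ]; then
    triage_tree /
    echo "running mshelper processes: $(ps -axo comm= | count_mshelper_procs)"
    remediate /
fi
```

Run `sh triage.sh --live` on the suspect Mac to see the indicators and the planned commands; rerun as root with `RUN=1 sh triage.sh --live` to actually execute them, then reboot. The process check reads a `ps` listing on stdin rather than calling `ps` inside the function so the same logic can be applied to a listing captured from another machine.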
“Mac cryptomining malware has been on the rise recently, just as in the Windows world,” Malwarebytes’ Thomas Reed wrote. “This malware follows other cryptominers for macOS, such as Pwnet, CpuMeaner, and CreativeUpdate. I’d rather be infected with a cryptominer than some other kind of malware, but that doesn’t make it a good thing.”