The Linux virtual machine is launched and the mining starts. Scripts inside the virtual machine can contact the C&C server to update the miner (configuration and binaries).

While analyzing the different applications, we’ve identified four versions of the miner, mostly based on how it’s bundled with the actual software, the C&C server domain, and something we believe is a version string created by the author.

We’ve identified three macOS versions of this malware so far. All of them include the dependencies needed to run QEMU in installerdata.dmg, from which all files are copied over to /usr/local/bin and have appropriate permissions set along the way. Each version of the miner can run two images at once, each taking 128 MB of RAM and one CPU core.

Persistence is achieved by adding plist files in /Library/LaunchDaemons with RunAtLoad set to true. They also have KeepAlive set to true, ensuring the process will be restarted if stopped. Each version consists of:

- Shell scripts used to launch the QEMU images.
- Daemons used to start the shell scripts at boot and keep them running.
- A CPU monitor shell script with an accompanying daemon that can start/stop the mining based on CPU usage and whether the Activity Monitor process is running.

The CPU monitor script can start and stop the mining by loading and unloading the daemon. If the Activity Monitor process is running, the mining stops. Otherwise, it checks how long the system has been idle, in seconds (Figure 6).

Version 1: 1.0.1.macOS.dmg (setup instructions)

The miner files in the downloaded application package are not obfuscated in any way or placed in another package; they are installed alongside the software in the following places:

- /Library/Application Support/.System-Monitor.qemuservice – shell script that launches the first image via the qemu-system-x86_64 binary (see Script 1 listing).
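The persistence layout described above (a launchd plist in /Library/LaunchDaemons with RunAtLoad and KeepAlive set, running a hidden shell script under /Library/Application Support that in turn starts qemu-system-x86_64) is straightforward to hunt for. The following Python script is an added example, not code from the original article or from the malware: it parses launchd plists, follows every absolute path they launch, reads the launched file, and scores the job. The plist labels (com.example.*), the benign backup daemon and the body of the launcher script are constructed samples, not recovered artifacts; the real launcher's QEMU arguments are not reproduced here.

```python
"""Hunt /Library/LaunchDaemons for the plist + launcher-script + QEMU persistence
pattern. Added example; not the original article's or the malware's code."""
import os
import plistlib
from typing import Callable, Dict, List, Optional

LAUNCH_DAEMONS = "/Library/LaunchDaemons"
APP_SUPPORT = "/Library/Application Support/"
QEMU_MARKER = "qemu-system-x86_64"

ReadFile = Callable[[str], Optional[str]]  # path -> file text, or None if unreadable


def load_job(data: bytes) -> dict:
    """Parse a launchd plist (XML or binary) into a dict."""
    return plistlib.loads(data)


def job_paths(job: dict) -> List[str]:
    """Absolute paths launchd hands to the job: Program plus every absolute ProgramArguments
    entry. The script is usually argv[1] behind /bin/sh, so argv[0] alone is not enough."""
    paths: List[str] = []
    if isinstance(job.get("Program"), str):
        paths.append(job["Program"])
    for arg in job.get("ProgramArguments") or []:
        if isinstance(arg, str) and arg.startswith("/") and arg not in paths:
            paths.append(arg)
    return paths


def triage_job(job: dict, read_file: ReadFile) -> List[str]:
    """Return the indicators one launchd job matches (empty list = nothing notable)."""
    reasons: List[str] = []
    # KeepAlive may be a bool or a dict of conditions; either way launchd restarts the job.
    if job.get("RunAtLoad") is True and job.get("KeepAlive"):
        reasons.append("RunAtLoad=true with KeepAlive set (restarted if stopped)")
    for path in job_paths(job):
        if os.path.basename(path).startswith("."):
            reasons.append(f"hidden file launched: {path}")
        if path.startswith(APP_SUPPORT):
            reasons.append(f"executable under Application Support: {path}")
        body = read_file(path)
        if body and QEMU_MARKER in body:
            reasons.append(f"{path} references {QEMU_MARKER}")
    return reasons


def is_suspicious(reasons: List[str]) -> bool:
    """RunAtLoad+KeepAlive alone is normal for legitimate daemons, so require either a
    direct QEMU reference or persistence plus at least one name/location indicator."""
    has_qemu = any(QEMU_MARKER in r for r in reasons)
    has_persistence = any(r.startswith("RunAtLoad") for r in reasons)
    return has_qemu or (has_persistence and len(reasons) >= 2)


def scan(plists: Dict[str, bytes], read_file: ReadFile) -> Dict[str, List[str]]:
    """Map plist file name -> indicators for every job that scores as suspicious."""
    findings: Dict[str, List[str]] = {}
    for name, data in plists.items():
        try:
            job = load_job(data)
        except Exception:  # plistlib raises several exception types for malformed input
            continue
        reasons = triage_job(job, read_file)
        if is_suspicious(reasons):
            findings[name] = reasons
    return findings


# --- Constructed samples (hypothetical labels and bodies; not recovered artifacts) ----
SAMPLE_PLISTS = {
    "com.example.systemmonitor.plist": plistlib.dumps({
        "Label": "com.example.systemmonitor",
        "ProgramArguments": ["/bin/sh", "/Library/Application Support/.System-Monitor.qemuservice"],
        "RunAtLoad": True,
        "KeepAlive": True,
    }),
    "com.example.backupd.plist": plistlib.dumps({  # benign: RunAtLoad but no KeepAlive
        "Label": "com.example.backupd",
        "ProgramArguments": ["/usr/local/bin/backupd", "--daemon"],
        "RunAtLoad": True,
    }),
}
SAMPLE_FILES = {
    # Stand-in launcher: the only property it needs is the reference to the QEMU binary.
    "/Library/Application Support/.System-Monitor.qemuservice":
        "#!/bin/sh\nexec /usr/local/bin/qemu-system-x86_64 \"$@\"\n",
    "/usr/local/bin/backupd": "stand-in binary, no qemu here",
}


def read_local(path: str) -> Optional[str]:
    """read_file implementation for the live system; None for unreadable paths."""
    try:
        with open(path, "r", errors="replace") as fh:
            return fh.read(65536)
    except OSError:
        return None


def scan_launch_daemons(directory: str = LAUNCH_DAEMONS) -> Dict[str, List[str]]:
    plists = {}
    for name in sorted(os.listdir(directory)):
        if name.endswith(".plist"):
            with open(os.path.join(directory, name), "rb") as fh:
                plists[name] = fh.read()
    return scan(plists, read_local)


if __name__ == "__main__":
    results = scan(SAMPLE_PLISTS, SAMPLE_FILES.get)  # constructed samples
    if os.path.isdir(LAUNCH_DAEMONS):                 # then the real directory, on macOS
        results.update(scan_launch_daemons())
    for name, reasons in results.items():
        print(name)
        for r in reasons:
            print("  -", r)
```

Run it with `python3` as an administrator on the Mac under investigation; it prints the constructed sample hit first, then any live hits from /Library/LaunchDaemons (reading LaunchDaemons plists needs the same privileges the malware used to write them). The scoring deliberately does not fire on RunAtLoad+KeepAlive alone, since many legitimate daemons set both; it needs the qemu-system-x86_64 reference in the launched file, or persistence combined with a hidden file name or an executable under Application Support.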