‘Bird Miner’ Cryptominer Targeting Mac Users Who Download Pirated Software


  • An ‘Ableton Live 10’ torrent spreads the Bird Miner crypto-miner, which is built specifically for macOS systems.
  • The malware tries to hide its activity by running inside Linux disk images loaded in the Qemu emulator.
  • The shell scripts that launch it still blow its cover, and a savvy user would easily figure out what is going on.

According to a report by Malwarebytes’ researchers, a new crypto-miner called ‘Bird Miner’ targets Mac systems through an ‘Ableton Live 10’ torrent. This music production software costs several hundred US dollars, so many people are on the lookout for cracked versions they can download without paying a dime. However, the dangers lurking in torrents like this one have been documented repeatedly, and this is another case that underlines them. The downloaded archive is 2.6 GB in size, and it contains launch daemons driven by shell scripts that install obfuscators, system checkers, anti-snooping routines, and a lot more that isn’t part of the Ableton Live 10 suite.

Since crypto-miners consume CPU resources, it is essential for the malware to hide itself and its activity from the victim. So, the first thing it does is check whether Activity Monitor is running. If that system tool isn’t running, and if CPU usage is below 85%, the malware proceeds to start a Qemu instance. Qemu is an open source machine emulator that can load and run OS image files such as .img, .iso, or .dmg. Here Qemu loads two .dmg images containing a custom build of ‘Tiny Core’ Linux, which in turn launches ‘xmrig’, the crypto-mining tool.


Image source: blog.malwarebytes.com

While the researchers first spotted the Bird Miner installers in the pirated Ableton Live 10 torrents, more infected files have since turned up. Users on Reddit report the same type of malware being distributed through the VST Crack website over the last four months, and possibly even longer. While Bird Miner for Mac tries to hide by running inside Qemu, that same element is what makes it operationally inefficient. If it were to run natively instead of being emulated, it would yield more for its masters.

If you want to stay safe from this type of danger, follow the simple practice of not downloading pirated software via torrents. These sources of pro-grade tools are very often infected with dangerous malware, and they are not worth the risk. If you have to do it no matter what, at least make sure you’re using an up-to-date anti-virus from a reputable vendor. Finally, perform periodic checks on what is installed on your system, and if you see something you don’t recognize, such as the Qemu tool, start investigating to find out how it got there.
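One way to do that periodic check for the tell described above, as an added hunting script that is not part of the Malwarebytes report: it looks for launch daemons or agents whose program arguments start an emulator on a disk image, and lists processes that look like Qemu or xmrig. The indicator strings and the sample plists are constructed assumptions, not a vendor signature.

```shell
#!/bin/sh
# Hunt for the persistence pattern described above: a LaunchDaemon/LaunchAgent
# whose shell script starts Qemu on a disk image. Indicator strings (qemu,
# xmrig, .img/.dmg arguments) are assumptions drawn from the description.

# Print every .plist under directory $1 that references an emulator, a miner
# binary or a disk image passed as a program argument.
find_suspicious_plists() {
    [ -d "$1" ] || return 0
    find "$1" -type f -name '*.plist' 2>/dev/null |
    while IFS= read -r plist; do
        if grep -qiE 'qemu|xmrig|\.(img|dmg)' "$plist"; then
            printf '%s\n' "$plist"
        fi
    done
    return 0
}

# Same scan reduced to a count, so callers get a number rather than text.
count_suspicious_plists() {
    find_suspicious_plists "$1" | wc -l | tr -d ' '
}

# Processes that look like an emulator or miner. The miner checks for Activity
# Monitor before starting, so inspect from a shell rather than the GUI.
running_emulators() {
    ps -axo pid=,command= 2>/dev/null | grep -iE 'qemu-system|xmrig' | grep -v grep
    return 0
}

# Write two constructed sample plists into $1: one benign, one mimicking the pattern.
write_constructed_samples() {
    mkdir -p "$1"
    cat > "$1/com.example.benign.plist" <<'EOF'
<plist version="1.0"><dict><key>ProgramArguments</key>
<array><string>/usr/bin/true</string></array></dict></plist>
EOF
    cat > "$1/com.example.suspect.plist" <<'EOF'
<plist version="1.0"><dict><key>ProgramArguments</key>
<array><string>/bin/sh</string><string>-c</string>
<string>/usr/local/bin/qemu-system-x86_64 -hda /tmp/disk.img</string>
</array><key>RunAtLoad</key><true/></dict></plist>
EOF
}

if [ "${1:-}" = "--scan" ]; then   # real system: the standard persistence dirs
    for d in /Library/LaunchDaemons /Library/LaunchAgents "$HOME/Library/LaunchAgents"; do
        find_suspicious_plists "$d"
    done
    running_emulators
else                               # no args: demo on the constructed samples
    demo=$(mktemp -d) && write_constructed_samples "$demo"
    find_suspicious_plists "$demo"; rm -rf "$demo"
fi
```

Run it with `--scan` on a Mac to check the real persistence directories; without arguments it only scans the constructed samples and prints the suspect plist path.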

Have you ever had an experience with virtual-machine-based malware on macOS? Share the details with us in the comments down below, or on our socials, on Facebook and Twitter.