New crypto-currency mining malware is targeting systems running macOS, and works by emulating Linux, Malwarebytes security researchers have discovered.
Detected as Bird Miner, the threat spreads via a cracked installer for the music production software Ableton Live, a tool for music composing, recording, mixing, and mastering. The cracked installer is available on a piracy website called VST Crack, and is over 2.6 GB in size.
Bird Miner’s postinstall script was designed to copy installed files to new locations with randomized names. These files have a variety of functions, with three of them being launch daemons, charged with launching three different shell scripts.
Called Crax, one of the scripts is tasked with ensuring that the malware avoids analysis by checking if Activity Monitor is running and unloading the other processes if it is. If not, it performs a series of CPU usage checks and unloads everything if it’s pegging the CPU at more than 85%.