DarthMiner strikes MacOS

Researchers detected a fake Adobe piracy app that infects Mac users with a combination of the EmPyre backdoor post-exploitation agent and the XMRig cryptominer. The app pretends to be Adobe Zii, a software program that helps in cracking and pirating Adobe products. While it does run a version of Zii to disguise its malicious activity, the fake app is a malicious shell script that Malwarebytes has aptly named OSX.DarthMiner. The shell script executes an obfuscated Python script, which in turn sets the stage for EmPyre and XMRig, both of which are open-source programs.

It appears that DarthMiner is distributed via a compromised application called Adobe Zii, which is marketed as an app that assists in the pirating of Adobe products. The fake application was designed to run a shell script that downloads and executes a Python script, and then downloads and runs an app named sample.app, which appears to be a version of Adobe Zii, most likely to hide the malicious activity. The obfuscated Python script looks for the presence of Little Snitch, a host-based firewall for macOS. Little Snitch can be used to monitor applications, permitting or preventing their connections to an attached network through a set of advanced rules. If Little Snitch is detected, the infection process is stopped. Even if the malware did not stop itself on finding the tool, researchers contend that the firewall would already have blocked the script's download attempts. If no instance of Little Snitch is detected, the malware proceeds to the next step of its infection.

Next, it installs the EmPyre backdoor, an open-source post-exploitation agent. The backdoor can execute arbitrary commands on the infected Mac, and it uses this capability to download a script that fetches and installs the other components of the malware. A launch agent is created to ensure persistence. Then the second open-source program, the XMRig cryptominer, is installed; it too gets a launch agent, designed to keep the XMRig process running.
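Both persistence mechanisms described above are ordinary launchd agents, so a defender can audit the LaunchAgents and LaunchDaemons folders for the pattern: a plist whose command line runs a miner binary or an inline, base64-decoded Python one-liner, with KeepAlive set so launchd restarts it. The following is an added example (not code from the write-up or from Malwarebytes) that parses launchd plists and flags that pattern; the indicator patterns, directory list and sample plists are assumptions constructed for illustration, not indicators taken from the malware.

```python
import glob
import os
import plistlib
import re

# Indicator patterns are assumptions for illustration, not IoCs from the write-up.
SUSPICIOUS_PATTERNS = [
    (r"xmrig", "known cryptominer binary name"),
    (r"\bpython[23]?\b.*\s-c\s", "inline Python one-liner"),
    (r"base64(\s+(-D|--decode)|\.b64decode)", "base64-decoded payload"),
    (r"curl\s.*\|\s*(sh|bash|python)", "download piped to an interpreter"),
]
# Standard launchd locations: per-user agents, system-wide agents, and daemons.
LAUNCH_AGENT_DIRS = ["~/Library/LaunchAgents", "/Library/LaunchAgents", "/Library/LaunchDaemons"]

def assess_launch_agent(plist_bytes):
    """Parse one launchd plist; return its label, reconstructed command line and findings."""
    data = plistlib.loads(plist_bytes)
    args = [str(a) for a in (data.get("ProgramArguments") or [])]
    program = data.get("Program")
    cmdline = " ".join(([program] if program else []) + args)
    findings = [why for pat, why in SUSPICIOUS_PATTERNS if re.search(pat, cmdline, re.I)]
    # KeepAlive alone is normal; combined with a suspicious command it is the "keep the miner running" trick.
    if findings and data.get("KeepAlive"):
        findings.append("KeepAlive set: launchd restarts the process if it is killed")
    return {"label": data.get("Label", "<no Label>"), "cmdline": cmdline, "findings": findings}

def scan_launch_agent_dirs(dirs=LAUNCH_AGENT_DIRS):
    """Assess every plist in the given directories; return only (path, result) pairs with findings."""
    flagged = []
    for d in dirs:
        for path in glob.glob(os.path.join(os.path.expanduser(d), "*.plist")):
            try:
                with open(path, "rb") as fh:
                    result = assess_launch_agent(fh.read())
            except Exception as exc:  # unreadable or malformed plist: report it rather than skip silently
                result = {"label": "<unparsed>", "cmdline": "", "findings": ["could not parse: %s" % exc]}
            if result["findings"]:
                flagged.append((path, result))
    return flagged

# Constructed sample plists for offline testing (not artifacts recovered from DarthMiner).
SAMPLE_MINER_PLIST = plistlib.dumps({"Label": "com.example.miner", "KeepAlive": True, "RunAtLoad": True,
    "ProgramArguments": ["/Users/Shared/xmrig", "-o", "pool.example.invalid:3333"]})
SAMPLE_PYTHON_PLIST = plistlib.dumps({"Label": "com.example.loader", "KeepAlive": True,  # decodes to print(1)
    "ProgramArguments": ["/usr/bin/python", "-c", "import base64;exec(base64.b64decode('cHJpbnQoMSk='))"]})
SAMPLE_BENIGN_PLIST = plistlib.dumps({"Label": "com.example.backup", "KeepAlive": True,
    "ProgramArguments": ["/usr/local/bin/backup.sh", "--daily"]})
```

Running scan_launch_agent_dirs() on a Mac lists only the agents that match; a hit still needs manual review, since legitimate tools also launch interpreters.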

Analysis of the script also revealed code designed to download and install a root certificate for the mitmproxy tool, which can intercept web traffic, including encrypted traffic. That code was commented out and was not active in the observed malware. The script itself may cause little harm beyond running a cryptominer, but the fact that the infected Mac is now backdoored allows attackers to send arbitrary commands and potentially deliver other strains of malware. DarthMiner also highlights another danger: software piracy and the high risks it poses to users.