Over the last few weeks, many Mac users reported that a process named ‘mshelper’ was consuming a lot of CPU, spinning their fans up and draining their batteries in a very short time. The process turned out to be part of a piece of malware built to mine the Monero (XMR) cryptocurrency.
According to reports from affected users, anti-malware products at first either did not detect the threat at all or could not fully remove the infected files.
Researchers at Malwarebytes have confirmed that the mshelper software is malicious, but they have not been able to determine exactly how it is distributed; they believe malicious documents, fake Flash Player installers or pirated software are the most likely vector, rather than more sophisticated methods.
The researchers found that the launcher, a file named pplauncher, is kept active by a launch daemon (com.pplauncher.plist), which suggests the dropper had root privileges on the compromised system. The launcher was written in Golang and is 3.5 megabits in size.
“Using Golang introduces significant overhead, resulting in a binary file containing more than 23,000 functions. Using this for what appears to be simple functionality is probably a sign that the person who created it is not particularly familiar with Macs,”
said Malwarebytes’ Thomas Reed.
As soon as the launcher spawns the mshelper process, the compromised device begins mining Monero for the criminals distributing the malware. The miner itself is XMRig, a legitimate open-source mining tool.
Reed emphasised that this malware is not particularly dangerous, unless the Mac already has a problem such as damaged fans or dust-clogged vents that could lead to overheating. He added that even though mshelper is a legitimate piece of software being abused, it must be removed along with the rest of the malware.
Since news of the malware began spreading, security companies have been updating their products so that they can remove it completely.
Users have also removed the malware manually by deleting the two infected files (/Library/LaunchDaemons/com.pplauncher.plist and /Library/Application Support/pplauncher/pplauncher) and rebooting their devices.
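As an added example (not from the article and not Malwarebytes’ own tooling), the manual check and cleanup described above as a POSIX shell script; the function names are my own, and the root-directory parameter is an assumption added so the check can be run against a mounted volume or a scratch directory.

```shell
#!/bin/sh
# Indicators are the two file paths and the process names named in the article.
MSHELPER_PLIST="Library/LaunchDaemons/com.pplauncher.plist"
MSHELPER_BIN="Library/Application Support/pplauncher/pplauncher"

# find_mshelper_artifacts [ROOT]
# Prints every indicator path present under ROOT (default "/"), one per line.
find_mshelper_artifacts() {
    root=${1:-/}
    root=${root%/}
    for rel in "$MSHELPER_PLIST" "$MSHELPER_BIN"; do
        [ -e "$root/$rel" ] && printf '%s\n' "$root/$rel"
    done
    return 0
}

# count_mshelper_artifacts [ROOT]
# Same check, but prints only the number of indicators found (0 = clean).
count_mshelper_artifacts() {
    find_mshelper_artifacts "$1" | wc -l | tr -d ' '
}

# running_miner_processes
# Lists running processes named mshelper or pplauncher (ps -eo works on
# both macOS and Linux), so a live infection shows up even before the
# files are inspected.
running_miner_processes() {
    ps -eo comm= 2>/dev/null | grep -E '(^|/)(mshelper|pplauncher)$' || true
}

# remove_mshelper_artifacts [ROOT]
# The manual cleanup from the article: unload the launch daemon (only on
# the live system, where launchctl exists), then delete the plist and the
# launcher directory. Reboot afterwards so the mshelper process is gone.
remove_mshelper_artifacts() {
    root=${1:-/}
    root=${root%/}
    if [ -z "$root" ] && command -v launchctl >/dev/null 2>&1; then
        launchctl unload "/$MSHELPER_PLIST" 2>/dev/null || true
    fi
    rm -f "$root/$MSHELPER_PLIST"
    rm -rf "$root/Library/Application Support/pplauncher"
}
```

Run `count_mshelper_artifacts` and `running_miner_processes` first to confirm the indicators are present; only then call `remove_mshelper_artifacts` (as root) and reboot.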
“Mac crypto mining malware has been on the rise recently, just as in the Windows world. This malware follows other crypto miners for MacOS, such as Pwnet, CpuMeaner and CreativeUpdate. I’d rather be infected with a crypto miner than some other kind of malware, but that doesn’t make it a good thing.”
This is not the first reported incident related to cryptocurrency mining delivered to Mac users. Malwarebytes reported in February this year that a Monero miner was delivered via malicious versions of applications available via the MacUpdate website.