Quote:A slightly weird malware strain has been observed using the open source XMRig cryptominer and EmPyre backdoor utilities to target software pirates as reported by Malwarebytes Labs.

The OSX.DarthMiner malware was designed to emulate the Adobe Zii tool used to pirate various Adobe apps, although it failed to also copy its icon instead bundling an Automator applet icon that stands out, potentially breaking the "illusion."

Although the malware contains code that might potentially intercept encrypted traffic with the help of a mitmproxy root certificate, the OSX.DarthMiner authors commented it out, deciding to only use it as a dropper for the Python-based EmPyre backdoor.

In the next step of the infection, after the backdoor script capable of running arbitrary commands is downloaded and launched on the compromised system, the malware makes sure that it gains persistence between reboots with the help of a launch agent named com.proxy.initialize.plist.

Next, the XMRig cryptominer together with a configuration file is downloaded into the /Users/Shared/ folder and a new launch agent dubbed com.apple.rig.plist is set up to make sure the cryptominer will always use the malware's authors mining configuration.