OSX.BirdMiner – a newly discovered cryptocurrency miner that imitates Linux OS while attacking Mac machines
If you are interested in cybersecurity, you have probably read about numerous types of malware (e.g. ransomware, cryptocurrency miners, trojans), most of them targeting Windows users. Crooks have been opting for Windows-based systems because this OS is still the most popular among computer users worldwide.
However, a serious new malware strain has appeared that targets Mac OS X users. This threat, detected as OSX.BirdMiner, has been infecting users through a cracked copy of the Ableton Live 10 software downloaded from a third-party VST website.
Originally, this program is a useful tool for music lovers. However, people who download it from third-party pages are currently at high risk of a Bird Miner infection. What is very interesting about this cryptocurrency mining malware is that it imitates the Linux operating system while running on Macintosh computers.
Another amusing thing Malwarebytes found is that the threat avoids terms related to Hitler or Nazis, presumably because the crooks do not want any connection with these words to be seen:
Amusingly, the malware seems to want to avoid any mention of Nazis or Hitler—words that actually can be found in the wordlist. I guess even malware creators don’t want to be associated with the terms.
The malware requires CPU usage below 85%; otherwise, it might not operate properly
The crack bundling Ableton Live 10 takes up 2.6 GB of space, which is not unusual for this type of program. However, the package hides dangerous malware, Bird Miner. The installation of this threat succeeds because the malicious executables are buried deep inside the bundle.
People who download the music production tool usually have no concerns until they run it on their computers. Bird Miner comes with a specific module known as “Crax” that scans for Activity Monitor, Mac's process checker.
If Bird Miner finds that Activity Monitor is not running, the malware checks the computer's CPU load and uses its processing power to mine cryptocurrency on the infected system. However, CPU usage higher than 85% causes OSX.BirdMiner to fail.
XMRig is the main threat hidden behind Bird Miner
If CPU usage is below 85%, the malware runs commands that execute Pecora and Krugerite. These two components are then responsible for launching further malicious executables. One of these files, named Nigel, is a copy of Qemu and is used to boot Tiny Core, a Linux image that provides the simulated Linux OS:
Qemu is an open-source emulator, somewhat like a command-line-only VirtualBox, that is capable of running Linux executables on non-Linux systems. These copies of Qemu are being used to run the contents of image files, named Poaceae in the above example, using Apple’s Hypervisor framework for better performance.
This fake Linux component also carries a mydata.tgz file that loads a well-known cryptocurrency mining tool, XMRig, used to mine Monero. The malware keeps running on the infected system without requiring any further user logins, and victims may unknowingly have not one but two cryptocurrency miners running at the same time.
Furthermore, cybersecurity experts speculate that OSX.BirdMiner has been in distribution for at least four months. The malware's ability to run two cryptocurrency miners at the same time is striking and puzzling. However, the hacker behind this threat seems to know Linux better than Mac OS X.
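The behaviour described above (renamed Qemu copies, the named helper components, and a miner that only runs while CPU load is below a threshold) suggests a simple triage check for a defender. The following is an added example, not code from the article or from Malwarebytes: it parses ps aux-style output and flags processes whose command line contains one of the component names the article reports (Crax, Pecora, Krugerite, Nigel, Poaceae), any Qemu-based process, and any process at or above the 85% CPU mark. The process lines and the /PLACEHOLDER_PATH/ directory are constructed for the demo; no real paths are known from the article.

```python
"""Added example (not from the article): triage ``ps aux`` output for the
BirdMiner component names the article reports.

The sample lines and /PLACEHOLDER_PATH/ below are constructed for the demo.
On a real Mac the input would be the output of ``ps aux``.
"""
import re

# Component names the article attributes to BirdMiner. This is an assumption
# taken from the page's description, not a verified indicator list.
BIRDMINER_NAMES = {"crax", "pecora", "krugerite", "nigel", "poaceae"}

# The article says the miner ships its own Qemu copies (one renamed "Nigel"),
# so an unexpected Qemu process on a Mac is worth a look.
QEMU_PATTERN = re.compile(r"qemu", re.IGNORECASE)

# The article's own threshold: the miner bails out above 85% CPU.
CPU_THRESHOLD = 85.0

# Constructed sample ``ps aux`` output (not captured from a real infection).
SAMPLE_PS = """\
USER   PID  %CPU %MEM COMMAND
alice  412   0.3  1.2 /Applications/Safari.app/Contents/MacOS/Safari
root   733  92.5  4.8 /PLACEHOLDER_PATH/Nigel -hda Poaceae
root   740  88.0  3.0 /PLACEHOLDER_PATH/qemu-system-x86_64 -nographic
alice  801   0.0  0.1 /PLACEHOLDER_PATH/Crax
alice  902   1.1  0.5 /Applications/Utilities/Activity Monitor.app/Contents/MacOS/Activity Monitor
"""


def parse_ps(text):
    """Turn ``ps aux``-style text into a list of dicts (user, pid, cpu, cmd)."""
    rows = []
    for line in text.splitlines()[1:]:          # skip the header line
        parts = line.split(None, 4)             # command may contain spaces
        if len(parts) < 5:
            continue
        user, pid, cpu, _mem, cmd = parts
        rows.append({"user": user, "pid": int(pid), "cpu": float(cpu), "cmd": cmd})
    return rows


def flag_processes(rows, cpu_threshold=CPU_THRESHOLD):
    """Return findings for rows that match a component name, Qemu, or high CPU.

    Severity is "high" when a name or Qemu match is present; a high-CPU-only
    hit is "low" because legitimate workloads also peg the CPU.
    """
    findings = []
    for r in rows:
        # Compare the basename of every command-line token against the list,
        # so "Poaceae" passed as an argument to "Nigel" is caught as well.
        tokens = {t.rsplit("/", 1)[-1].lower() for t in r["cmd"].split()}
        matched = sorted(BIRDMINER_NAMES & tokens)
        reasons = []
        if matched:
            reasons.append("component name: " + ", ".join(matched))
        if QEMU_PATTERN.search(r["cmd"]):
            reasons.append("qemu process")
        if r["cpu"] >= cpu_threshold:
            reasons.append("cpu >= %.0f%%" % cpu_threshold)
        if not reasons:
            continue
        severity = "high" if (matched or "qemu process" in reasons) else "low"
        findings.append({"pid": r["pid"], "cmd": r["cmd"],
                         "reasons": reasons, "severity": severity})
    return findings


if __name__ == "__main__":
    for f in flag_processes(parse_ps(SAMPLE_PS)):
        print("[%s] pid %d: %s" % (f["severity"], f["pid"], "; ".join(f["reasons"])))
        print("      " + f["cmd"])
```

Run against the constructed sample, the check reports the renamed Qemu copy (Nigel with the Poaceae image), the plain qemu-system process, and the Crax helper, while Safari and Activity Monitor are left alone. In practice you would pipe real ps aux output into parse_ps and treat a "high" finding as a cue to inspect the binary's path and persistence entries rather than as proof of infection.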