Bird Miner, a macOS miner that runs by emulating Linux

Security experts at Malwarebytes have discovered a new macOS crypto miner, tracked as Bird Miner, that works by emulating Linux.

Researchers at MalwareBytes have spotted a new cryptominer, tracked as Bird Miner, that targets macOS and emulates Linux. The malware spreads via a cracked installer for the music production software Ableton Live that is distributed on a piracy website called VST Crack, and that is over 2.6 GB in size. 

“A new Mac cryptocurrency miner Malwarebytes detects as Bird Miner has been found in a cracked installer for the high-end music production software Ableton Live.” reads the analysis published by MalwareBytes. “The software is used as an instrument for live performances by DJs, as well as a tool for composing, recording, mixing, and mastering. And while cryptomining is not new on Mac, this one has a unique twist: It runs via Linux emulation.”

Postinstall script makes several operations, including the copy of installed files to new locations with randomized names.

“The files that get dropped on the system, with random names, have a variety of functions. Three are launch daemons, charged with launching three different shell scripts.” continues the analysis.

“One of the scripts launched is called Crax, and it installs in the /usr/local/bin/ directory.”

One of the scripts called Crax is used to avoid the detection, it checks if Activity Monitor is running and unloads the other processes if it is. It also checks CPU usage and unloads every process that is consuming the CPU at more than 85%. 

Crax also loads the daemons for the other two processes, each to run a different script that loads a separate executable.

The malware checks for Activity Monitor once again, then it launches an executable and passes a path to another file as a parameter. The executable is an old version of the popular open-source emulator Qemu that allows users to run Linux executables on non-Linux systems. 

Here, Qemu is used to run the contents of an image file that contains a bootable Linux system (the Tiny Core Linux variant).

The image also contains a mydata.tgz file that is used to load certain files at startup, including a script that executes commands to run when the Tiny Core system launches. 

“Thus, as soon as the Tiny Core system boots up, xmrig launches without ever needing a user to log in. As soon as the system shown in the screenshot above asks for the “box login,” the miner is already running.” continues the analysis.

“The xmrig software has been abused multiple times recently by Mac cryptominers, such as DarthMiner. However, Bird Miner is an interesting case, as the copy of xmrig being used here is a Linux executable run in emulation via Qemu.”

It is interesting to note that the malware runs via emulation, when it could easily have run as native code.

“This would have given the malware better performance and a smaller footprint. Further, the fact that the malware runs two separate miners, each running from their own 130 MB Qemu image file, means that the malware consumes far more resources than necessary.” concludes the analysis.

“The fact that Bird Miner was created this way likely indicates that the author probably is familiar with Linux, but is not particularly well-versed in macOS. Although this method does obfuscate the miner itself, which could help the malware evade detection, that benefit is countered by reliance on shell scripts and the heavy footprint of running not one but two miners simultaneously in emulation,” 

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – XSS, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]