More cryptomining malware, and a threat to routers and NAS

Expect a security data update (silent) from Apple in the next few days to address new malware dubbed OSX.ppminer, which tries to mine cryptocurrency on your Mac. Hopefully the update will be for both XProtect and MRT.

OSX.ppminer came to attention from a posting on Apple’s public discussion forums, where a user reported an out-of-control process named mshelper. Full details have been provided by the ever-vigilant Thomas Reed of Malwarebytes. Its mode of transmission remains unclear though, so users should be particularly cautious with unexpected emails, unfamiliar websites, and the like.

There are three distinctive files which you should watch for:

  • ~/Library/Application Support/pplauncher/pplauncher, which is quite a large executable launcher,
  • /tmp/mshelper/mshelper, which is the background process which mines for Monero cryptocurrency, and
  • /Library/LaunchDaemons/com.pplauncher.plist, which makes mshelper persistent.

Note the last of these. The most common way for malware to make itself persistent across restarts is to add a Property List to the /Library/LaunchDaemons folder. Several of the better anti-virus products watch for this, and it is very simple to put a watch on the LaunchAgents and LaunchDaemons folders using Hazel. Another approach is to block outgoing connections using Little Snitch, or the free shared-source firewall LuLu.
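As an added illustration of the checks above (this script is mine, not part of the original post, nor from Malwarebytes or Apple), the following POSIX shell function looks for the three indicator paths listed and then scans the LaunchDaemons and LaunchAgents folders for any property list that names mshelper or pplauncher, which catches the persistence item even if it has been renamed. The `root` and `home` parameters are my own addition so the check can be exercised against a constructed directory tree; on a real Mac call it with an empty root and your home folder.

```shell
#!/bin/sh
# Added detection check for the OSX.ppminer indicators described in the post.
# Returns 0 when nothing is found and 1 when any indicator is present,
# printing each hit. $1 = filesystem root prefix ("" on a real Mac),
# $2 = home folder to inspect (defaults to $HOME).
check_ppminer_indicators() {
    root="${1:-}"
    home="${2:-$HOME}"
    found=0

    # The three files named in the post.
    for p in \
        "$home/Library/Application Support/pplauncher/pplauncher" \
        "$root/tmp/mshelper/mshelper" \
        "$root/Library/LaunchDaemons/com.pplauncher.plist"
    do
        if [ -e "$p" ]; then
            echo "INDICATOR: $p"
            found=1
        fi
    done

    # Any launchd item referring to either component is suspicious even if the
    # plist itself has been given a different name.
    for dir in \
        "$root/Library/LaunchDaemons" \
        "$root/Library/LaunchAgents" \
        "$home/Library/LaunchAgents"
    do
        [ -d "$dir" ] || continue
        for plist in "$dir"/*.plist; do
            [ -f "$plist" ] || continue
            if grep -qiE 'mshelper|pplauncher' "$plist" 2>/dev/null; then
                echo "SUSPICIOUS LAUNCHD ITEM: $plist"
                found=1
            fi
        done
    done
    return $found
}

# Usage on a real Mac (run as an admin user; LaunchDaemons is world-readable):
#   check_ppminer_indicators "" "$HOME" || echo "review the hits above"
```

The scan of the launchd folders is the part worth keeping after this particular malware is gone: a plist that appears in /Library/LaunchDaemons without a matching installer is the thing Hazel or an anti-virus watch is looking for, and grepping the folder for an unfamiliar program path is a quick manual version of the same check.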

Currently a lower threat, but potentially a more serious one, is VPNFilter malware, which has been reported by Cisco’s Talos Intelligence as targeting over half a million networking devices around the world. This is most likely to occur in SOHO-class routers and NAS devices. Infections seem to have started in Ukraine, where they have already been used in large-scale attacks.

Talos warns that VPNFilter currently targets routers made by Linksys, MikroTik, Netgear, and TP-Link, and QNAP NAS systems. If you use any of those, consult the vendor’s support site for advice and firmware updates to address their vulnerabilities.

Stay safe.