UPDATED 09:00 EDT / FEBRUARY 23 2023

SECURITY

Largely undetected malware family targets pirated macOS applications

Security researchers at Apple Inc. enterprise management firm Jamf Holding Corp. today detailed a largely undetected family of malware that infects pirated macOS applications to mine cryptocurrency secretly.

The malware uses XMRig, an open-source command line cryptomining tool commonly used for legitimate purposes, for nefarious intent. XMRig was first found by the researchers bundled in a pirated copy of Apple’s video editing software Final Cut Pro.

At the time of the discovery, the sample was not being detected as malicious by any security vendors on VirusTotal, a free service that analyzes files and URLs for viruses, worms, trojans and other kinds of malicious content. Some vendors were later noted as detecting the malware in January, but some of the maliciously modified applications continue to go unidentified.

A hacked version of Final Cut Pro does not make for much of a concern by itself, but the researchers dug further and identified that the malware was making use of the Invisible Internet Project, or I2P, for communication. I2P is a private network layer that anonymizes traffic, making it a less noticeable alternative to the similar and better-known Tor network.

Looking for other examples of malware using I2P, the researchers traced related malware and discovered a reference to a similar example reported by Trend Micro Inc. in early February: a pirated version of the Mac version of Adobe Photoshop. The key similarity is that both the malicious versions of Final Cut Pro and Photoshop tracked back to the same person, who has a years-long track record of sharing pirated software on The Pirate Bay.

“This discovery presented a rare opportunity to trace the evolution of a malware family,” researchers explain. “What started as a rudimentary and conspicuous scheme had iterated through three distinct stages of evolution into something with creative evasion techniques. As far as we could tell, only samples from the first generation of this malware family have been reported on.”

Interestingly, the pirated version of Final Cut Pro doesn’t work in macOS Ventura because of an error in the coding of the malware, but it’s an error that will likely be addressed in future malware releases.

The researchers warn that, given that cryptomining requires a significant amount of processing power, it’s likely that the ongoing advancements in Apple Arm processors will make macOS devices even more attractive targets for cryptojacking in the future.

Image: Jamf
