DarthMiner is a combination of EmPyre, a post-exploitation backdoor, and the XMRig cryptominer. The malware is distributed as a fake “Adobe Zii” application.

Source: Malwarebytes


When executed, the malware runs a shell command that downloads and executes additional files. As a result, EmPyre and XMRig are installed on the infected system.

Source: CheckPoint


The malware also creates the LaunchAgent “com.apple.rig.plist” so that XMRig starts automatically on system boot.

Source: CheckPoint
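A defender-side check for the persistence mechanism described above, added here as an example and not taken from the page's sources: it parses the LaunchAgent plists in a directory and flags the “com.apple.rig” label named on the page. The sample plists, the temporary directory and the “Apple-style label outside /System” heuristic are constructed assumptions for illustration.

```python
import os
import plistlib
import tempfile

# Persistence label taken from the page; any other match rule below is a heuristic.
KNOWN_BAD_LABELS = {"com.apple.rig"}


def scan_launch_agents(agent_dir):
    """Parse every .plist in agent_dir and return (path, reason) for suspicious entries."""
    findings = []
    for name in sorted(os.listdir(agent_dir)):
        if not name.endswith(".plist"):
            continue
        path = os.path.join(agent_dir, name)
        try:
            with open(path, "rb") as fh:
                plist = plistlib.load(fh)
        except Exception as exc:  # a malformed plist in LaunchAgents deserves a look too
            findings.append((path, f"unparseable plist: {exc}"))
            continue
        label = plist.get("Label", "")
        args = " ".join(plist.get("ProgramArguments", []))
        if label in KNOWN_BAD_LABELS or name[:-len(".plist")] in KNOWN_BAD_LABELS:
            findings.append((path, f"known DarthMiner persistence label {label!r}"))
        elif label.startswith("com.apple.") and not args.startswith("/System/"):
            # Heuristic (assumption): an Apple-looking label in a user LaunchAgents
            # directory that launches a binary outside /System is worth reviewing.
            findings.append((path, f"Apple-style label {label!r} runs {args!r}"))
    return findings


def build_sample_dir():
    """Constructed sample: one benign agent plus one shaped like the page's persistence entry."""
    d = tempfile.mkdtemp()
    samples = {
        "com.example.updater.plist": {
            "Label": "com.example.updater",
            "ProgramArguments": ["/usr/local/bin/updater"],
            "RunAtLoad": True,
        },
        "com.apple.rig.plist": {  # label from the page; the path is a placeholder
            "Label": "com.apple.rig",
            "ProgramArguments": ["/Users/victim/.hidden/xmrig", "--donate-level=0"],
            "RunAtLoad": True,
            "KeepAlive": True,
        },
    }
    for fname, content in samples.items():
        with open(os.path.join(d, fname), "wb") as fh:
            plistlib.dump(content, fh)
    return d


if __name__ == "__main__":
    for path, reason in scan_launch_agents(build_sample_dir()):
        print(f"{path}: {reason}")
```

On a real host the function would be pointed at `~/Library/LaunchAgents` and `/Library/LaunchAgents`; the `/System/` heuristic will also surface benign third-party lookalikes, so treat it as a triage hint rather than a verdict.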


Links:


Samples:
ebecdeac53069c9db1207b2e0d1110a73bc289e31b0d3261d903163ca4b1e31e