Final Cut Pro’s pirated versions peddle crypto-mining malware

Final Cut Pro and other pirated macOS apps on Pirate Bay are riddled with previously undetected malware. Once infected, Apple devices are employed to mine cryptocurrency without user permission, researchers claim.

Using pirated software creates ample opportunities to distribute malware. While the practice is often associated with Windows machines, Apple owners are not spared either.

For example, researchers at cybersecurity firm Jamf discovered that attackers implanted the XMRig cryptocurrency mining tool in pirated versions of a popular Apple-developed video editing tool, Final Cut Pro.

Since crypto mining requires a lot of processing power, the powerful Apple ARM processors in recent Macs make macOS machines a lucrative target for crypto-thirsty threat actors.

Researchers claim that the newly detected XMRig-based malware runs in the background on devices where an illegitimate Final Cut Pro version is installed. Moreover, none of the security vendors on VirusTotal, an antivirus aggregator, caught the malware.

[Image: Software infected with malware. Screenshot of Pirate Bay taken by Jamf Threat Labs on February 13, 2023.]

One of the reasons the malware went under the radar is its use of the Invisible Internet Project (I2P), a less noticeable alternative to the Tor network. The malware used I2P to download malicious components and send mined crypto back to the attackers.

Seeking the origin of the malware, researchers turned to the popular torrent tracker, Pirate Bay, where they sifted through recent uploads of Final Cut Pro.

“We downloaded the most recent torrent with the highest number of seeders and checked the hash of the application executable. It matched the hash of the infected Final Cut Pro we had discovered in the wild. We now had our answer,” researchers said.

Worryingly, the infected torrents were all uploaded by the same user, ULed, who has been uploading pirated macOS software since 2019. The user’s uploads of Final Cut Pro, Logic Pro X, and Adobe Photoshop even ranked among the most shared versions on Pirate Bay.

Further investigation revealed that every single one of ULed’s uploads was infected with crypto-mining malware. While researchers identified three generations of malware peddled via macOS applications, only the first one was previously discovered.

Researchers strongly advise against using peer-to-peer networks to download software. For one, most popular torrent clients such as uTorrent don’t set the quarantine flag on downloaded files, removing one of the key defenses malware operators must otherwise overcome.
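The two checks the article describes, hashing the app’s executable against a known-bad hash and confirming whether the quarantine flag is present, can be combined into a small triage script for a downloaded app bundle. The following is an added example, not code from Jamf or from the article; the known-bad hash table is a constructed placeholder (it contains only the SHA-256 of an empty file so the match path can be exercised offline), and the bundle layout assumption `Foo.app/Contents/MacOS/Foo` is the standard macOS convention rather than anything the article states.

```python
"""Defender-side triage for a downloaded macOS app: hash the main executable,
compare it against known-bad hashes, and report whether the file carries the
com.apple.quarantine attribute that Gatekeeper relies on.
Added example; the hash list below is a constructed placeholder."""
import hashlib
import os
import subprocess
import sys
import tempfile

# Constructed placeholder: in real use, populate this from vendor-published IoCs.
# The only entry is the SHA-256 of an empty file, so demo() can exercise a match.
KNOWN_BAD_SHA256 = {
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855": "placeholder-empty-file",
}


def sha256_hex(data: bytes) -> str:
    """SHA-256 of an in-memory byte string, as a lowercase hex digest."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def main_executable(path: str) -> str:
    """Resolve Foo.app to Foo.app/Contents/MacOS/Foo (the executable the
    researchers hashed). A path that is not a bundle is returned unchanged."""
    if path.endswith(".app"):
        name = os.path.basename(path)[:-4]
        return os.path.join(path, "Contents", "MacOS", name)
    return path


def has_quarantine_attr(path: str) -> bool:
    """True if com.apple.quarantine is set on the file.
    os.listxattr is only exposed on Linux builds of Python, so on macOS we
    fall back to the xattr(1) utility; elsewhere the flag cannot exist."""
    if hasattr(os, "listxattr"):
        try:
            return "com.apple.quarantine" in os.listxattr(path)
        except OSError:
            return False
    if sys.platform == "darwin":
        out = subprocess.run(["xattr", path], capture_output=True, text=True)
        return "com.apple.quarantine" in out.stdout
    return False


def triage(path: str, known_bad=KNOWN_BAD_SHA256) -> dict:
    """Hash the executable, look it up, and record the quarantine state."""
    exe = main_executable(path)
    digest = sha256_file(exe)
    return {
        "executable": exe,
        "sha256": digest,
        "known_bad": known_bad.get(digest),  # None when the hash is unknown
        "quarantined": has_quarantine_attr(exe),
    }


def demo() -> dict:
    """Self-contained run on a constructed empty temp file, whose hash is the
    placeholder entry above, so the result shows a known-bad match."""
    with tempfile.NamedTemporaryFile(delete=False) as f:
        path = f.name
    try:
        return triage(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    result = demo() if target is None else triage(target)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run it with no arguments to see the placeholder match on a constructed empty file, or pass a `.app` path to triage a real download. A `known_bad` hit is conclusive only for the hashes you loaded; an unknown hash with `quarantined: False` is the situation the researchers warn about, since Gatekeeper never gets a chance to inspect the binary.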

“For any remaining hurdles, the malware author has an unwitting collaborator in the user that downloaded the pirated application. The user has strong potential to be coaxed into manually disabling other security features, like Gatekeeper,” researchers said.

Lastly, users downloading pirated software know they’re participating in illegal activity. That’s why, if they’re prompted with notifications of a likely infection, they’re likely to dismiss the message as the machine’s reaction to illegal software.