How to remove Mac cryptominer malware ‘mshelper’ that kills your battery and CPU

“New Mac cryptominer malware, dubbed ‘mshelper,’ is in the news, with many affected customers flocking to Reddit and Apple Support Communities to gain more information and learn how to remove malicious code from an infected system,” Christian Zibreg reports for iDownloadBlog.

“Cryptojacking is designed to mine cryptocurrency on your computer without your knowledge, which can often push your Mac’s CPU to overwork itself and hog other resources,” Zibreg reports. “The payload appears to be delivered via modified downloads such as the Adobe Flash installer.”

“Until Apple adds ‘mshelper’ to macOS’s Quarantine blacklist, you will need to manually detect and remove this malware from your system,” Zibreg reports. “As noted by Malwarebytes, even though this particular malware won’t steal or delete your data, it will make using your computer a pain. Due to high CPU usage, the computer will become unresponsive, run slowly and may crawl to a halt. Because the CPU is fully utilized, your Mac notebook’s fan may kick into overdrive as well. If your Mac is getting a little warmer and louder for no apparent reason, it may be infected with ‘mshelper.’ Here’s how to check if ‘mshelper’ has infected your system and how to remove it.”

Read more in the full article here.

MacDailyNews Take: If you’ve got “mshelper,” nuke it. It’s not helping anybody except the criminals stealing your CPU cycles.

12 Comments

      1. Oh no. There’s a lot more advertising at MDN than mere Google. Right now, uBlock Origin is listing 205 (Two Hundred and Five) pieces of off-site, ahem, stuff. The non-Google advertising sources include:

        addthis.com
        amazon-adsystem.com
        buysellads.com
        deployads.com
        earnify.com
        pagefair.com
        pagefair.net
        taboola.com
        teads.tv
        tradingview.com
        zergnet.com

        (If any of the above are not actually serving ads, my apologies).

        1. Oh sorry. Now that I’ve posted again, the count is up to 337 pieces of stuff attempting to load on this page. I took a screenshot for posterity and public talks I give about Internet technology. People aren’t going to believe this.

  1. (0_o) Again, this is incomplete information. Playing at being a computer security expert is a bad idea. The case of mshelper points out that it takes time, study and experience to be helpful in the field, as opposed to being a detriment. *cough*cough*

    At least the iDB article cites and takes a lesson from the first and so far only decent article published about mshelper, by Thomas Reed @Malwarebytes:

    New Mac cryptominer uses XMRig
    [Wordpress freaks every time I post the URL for this article. Sorry I can’t post it. But you’ll find it at the Malwarebytes Blog.]

    NOTE: The actual malware vector is NOT mshelper. That’s just a secondary infection created by the source malware called pplauncher. If you don’t kill pplauncher, you’re going to be RE-infected with mshelper or something else by way of pplauncher.

    Here’s a COMPLETE list of malware crud to remove before you RESTART your Mac, in order of priority:

    1) ~/Library/Application Support/pplauncher/pplauncher
    – This is the source culprit that was initially infected into your Mac. The vector used for this infection is still under investigation. Check back next week for more.

    2) /tmp/mshelper/mshelper
    – This is the secondary infection instigated by pplauncher. As far as we know, pplauncher may have moved on to infect Macs with some other malware by now. Therefore, again: Nail pplauncher first, then restart your Mac. Please note that, despite 9to5 Mac having amended their initial wrong instructions, they STILL at this time have screwed up by leaving out THIS STEP. Very naughty. This step is crucial. Shame on them.

    3) /Library/LaunchDaemons/com.pplauncher.plist
    – After you’ve killed pplauncher and restarted your Mac, this plist file is inert. Throw it in the trash as leftover rubbish.

    As Thomas Reed points out, ‘mshelper’ is actually an old and legitimate crypto mining program called XMRig miner. In and of itself, it’s NOT malware. However, as a secondary infection, it’s the payload dropped by the pplauncher malware.

    IOW: The actual malware is pplauncher. Malwarebytes recognizes it as OSX.ppminer.

    Using the published malware naming standard, it is known as OSX.Trojan.ppminer.A.

    1. For those who’d, rightfully, like to have the URL to Thomas Reed’s article “New Mac cryptominer uses XMRig”, here it is (originally posted as inoffensive fragments, created to work around whatever-the-f is wrong with WordPress):

      https://blog.malwarebytes.com/threat-analysis/mac-threat-analysis/2018/05/new-mac-cryptominer-uses-xmrig/

      Sheesh 👻💩🤦
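The check-and-remove procedure from the comment above (pplauncher binary first, then the mshelper payload, then the com.pplauncher.plist LaunchDaemon), written out as an added example. This is not code from MacDailyNews, iDownloadBlog, the commenter, or Malwarebytes. The ROOT and HOME_DIR parameters, the ppminer_* function names and the PPMINER_REMOVE variable are assumptions made here so the same functions can be pointed at a scratch directory for testing instead of the live system. One deliberate difference from the comment's "kill, then restart" ordering: the files are deleted before any running copies are killed, so that a still-loaded LaunchDaemon has no binary left to respawn; the reboot the comment recommends is still the right final step.

```sh
#!/bin/sh
# Added example; not code from MacDailyNews, iDownloadBlog or Malwarebytes.
# Checks a Mac for the three on-disk artifacts listed in the comment above
# and, on request, removes them in that order. ROOT (default "/") and
# HOME_DIR (default "$HOME") are assumed parameters so the functions can be
# run against a scratch tree as well as the live system.

# Normalise the two assumed parameters: ROOT "/" becomes "" so that
# "$root/tmp" expands to "/tmp"; HOME_DIR defaults to $HOME.
ppminer_set_roots() {
    root="${1:-/}"; root="${root%/}"
    home="${2:-$HOME}"; home="${home%/}"
}

# The indicator paths from the comment, in its removal-priority order.
ppminer_paths() {
    ppminer_set_roots "$1" "$2"
    printf '%s\n' \
        "$home/Library/Application Support/pplauncher/pplauncher" \
        "$root/tmp/mshelper/mshelper" \
        "$root/Library/LaunchDaemons/com.pplauncher.plist"
}

# Report artifacts on disk and, on the live system only, running copies.
# Exit status 0 = nothing found, 1 = at least one indicator present.
# The here-document keeps the loop in the current shell so $found survives.
ppminer_check() {
    ppminer_set_roots "$1" "$2"
    found=0
    while IFS= read -r p; do
        if [ -e "$p" ]; then
            echo "FOUND:   $p"
            found=1
        fi
    done <<EOF
$(ppminer_paths "$1" "$2")
EOF
    if [ -z "$root" ] && command -v pgrep >/dev/null 2>&1; then
        for name in pplauncher mshelper; do
            if pgrep -x "$name" >/dev/null 2>&1; then
                echo "RUNNING: $name"
                found=1
            fi
        done
    fi
    [ "$found" -eq 0 ]
}

# Delete the files in priority order (binaries first, so a still-loaded
# LaunchDaemon has nothing to respawn), then the emptied directories, then
# any running copies. Processes are only killed when ROOT is the live "/".
# On a real Mac run this with sudo: /Library and /tmp paths are involved.
ppminer_remove() {
    ppminer_set_roots "$1" "$2"
    while IFS= read -r p; do
        if [ -e "$p" ]; then
            rm -f "$p"
            echo "removed: $p"
        fi
    done <<EOF
$(ppminer_paths "$1" "$2")
EOF
    rmdir "$home/Library/Application Support/pplauncher" 2>/dev/null || true
    rmdir "$root/tmp/mshelper" 2>/dev/null || true
    if [ -z "$root" ]; then
        pkill -x pplauncher 2>/dev/null || true
        pkill -x mshelper 2>/dev/null || true
    fi
}

# Stand-alone run: read-only check of this machine. Set PPMINER_REMOVE=1
# (and run as root) to clean up, then reboot as the comment recommends.
if ppminer_check; then
    echo "no pplauncher/mshelper indicators found"
elif [ "${PPMINER_REMOVE:-0}" = "1" ]; then
    ppminer_remove
else
    echo "indicators present; re-run with PPMINER_REMOVE=1 to remove them"
fi
```

Running it without arguments is read-only; `ppminer_check` only reports. Anything it prints as FOUND or RUNNING matches one of the three indicators from the comment, and a hit on the pplauncher binary is the one that matters most, since that is what drops mshelper again after a reboot.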
