Cryptominer ‘mshelper’ targets macOS: What you need to know

“Discussions of a CPU consuming process, called ‘mshelper,’ have surfaced on the Apple support forums and Reddit,” Jay Vrijenhoek writes for Intego. “Users mentioned their fans spinning unusually fast, computers running hotter than usual and performance taking a hit as a result of the mshelper process. Upon further investigation, this process turns out to be a cryptominer for macOS. Intego VirusBarrier detects and eradicates this malware as OSX/mshelper.”

“This isn’t the first time unwanted cryptomining malware have been found running on Macs—and likely won’t be the last time either,” Vrijenhoek writes. “You may recall a recent Intego YouTube video in which we discuss how to avoid cryptomining malware and protect your Mac. The video explains how you can tell if your Mac is infected, such as high CPU usage, and outlines steps you can take to remove persistent cryptomining malware.”

“If you find mshelper running on your Mac, you’ll want to remove it immediately to avoid further system degradation,” Vrijenhoek writes. “Here’s how the mshelper cryptominer works and how to remove it from your system.”

Read more in the full article here.

MacDailyNews Take: If you’ve got “mshelper,” follow Intego’s instructions to get rid of it. It’s not helping anybody except the criminals stealing your CPU cycles.

SEE ALSO:
How to remove Mac cryptominer malware ‘mshelper’ that kills your battery and CPU – May 24, 2018

11 Comments

  1. Speaking of viruses, does anyone else have this problem. Nearly every time I visit the MDN website, I receive either a warning that my Mac is infected with viruses or that I need to download Flash (which is automatically deposited in my Downloads folder). Is anyone at MDN at the switch? How about cleaning up your house instead of giving us the stock market reports about how great everything Apple is! Do you use Apple server software? If so, how come your website distributes viruses alerts, Flash update bs, and other junk?

    1. Yo Edward Webster… It comes from the outside. It is in the ads. How about learning how shit works like not auto downloading stuff, turning off Flash and forcing it to get permission to run, and forcing Safari to ask for a download location, blocking pop up windows, or that no, this is a WordPress site, not running on Apple hardware. You might even learn that this is not only occurring here, but on lots of sites as of late.

  2. Haven’t had this happen to me. Mostly I get the floating banner advertisements. To get around those, I close the banner in the main MDN page and open links as new tabs. I still get banners in the new tab, but I don’t keep getting it in the main screen.
    I would rather not have banners and advertisements, but it keeps MDN solvent, so I won’t complain. If I had to pay for MDN, I probably wouldn’t join. Sorry MDN!

  3. I have seen this article repeated more than a few times on MDN over the past few years.

    MDN, do you get paid by Intego? Because the article is hosted at “https://www.intego.com/mac-security-blog/cryptominer-mshelper-targets-macos-what-you-need-to-know” and both your excerpt and the full article take great pains to specify that “Intego VirusBarrier detects and eradicates this malware as OSX/mshelper” while making the manual process for locating and eliminating the infection seem overly difficult. In addition, there is naturally no mention of any other product that might be helpful in avoiding/eliminating mshelper.

    Seriously, this is an advertisement. Have you no shame?!

    1. Mel — you are absolutely correct. Intego is now subscriptionware — they aren’t ever going to tell users how to manually fix problems.

      Also correct: MDN does not have any shame.

  4. Reviewing Jay’s article at Intego’s blog, it’s reasonable. The problem, of course, is not ‘mshelper’, which is legitimate mining software actually named XMRig. The problem malware is actually “pplauncer”. Why that fact is buried in so many articles, I have no idea.

    Happily, Jay’s article points out the crucial method of detecting and removing the nasty crap pplauncher installs, which for the moment is ‘mshelper’, akaXMRig. Next week, pplauncher may be infesting Macs with something else! That’s how it works. You accidentally install pplauncher, it phones home to it’s bot wrangler, then it infects your Mac with the secondary malware du jour.

    Therefore, please heed Jay’s advice, and that of Thomas Reed at Malwarebytes who first adequately described pplauncher, and do this:

    1) See if you have ‘mshelper’ running on your Macs via Activity Monitor and KILL the process.

    2) Seek and destroy pplauncher, which is located here:
    Library > Application Support > pplauncer

    3) Seek and destroy mshelper, which is located here:
    private > tmp > mshelper

    4) Trash the .plist (preferences/daemon) file for pplauncher, which is located here:
    Library > LaunchDeamons > com.pplauncher.plist

    5) RESTART your Mac.

    So, how does one catch pplauncher? Where does it come from? There are multiple vectors used by social engineering these days. Here are a few general places you’ll find them:
    – Email (attachements or links to crap)
    – Websites of ill repute (drive-by infection, scareware tactics, fake Adobe Flash installers, etc.)
    – Warez (malware installers stuffed in app installers).

    1. And for those concerned, WordPress still inexplicably censors the link to Thomas Reed’s source article at the Malwarebytes blog. Head over to their website for the single best article about this malware.

    2. Within the past few days I noticed Safari maxing out my CPU and fan with even one tab open. As far as I can tell in Activity Monitor, Safari is the culprit and I don’t see mshelper or pplauncher or anything similar. Can this malware be buried within Safari to where it isn’t visible in Activity Monitor?

      1. There have been JavaScript drive-by malware infection attacks as well as Trojan horse installer attacks this year. All (that I’m aware of) have been to force coin mining software to run on your Mac. One from March was OSX.Trojan.CreativeUpdate.A-W, aka BitCoinMiner. 23 variants were found in the wild. One of its vectors was via a series of apps that had been infected with installers over at MacUpdate dot com. It’s been difficult keeping track of its many vectors.

        IOW: It’s possible. We don’t know what’s lurking around. But the incentive of the moment is to shove cryptomining software on to victim’s machines.

        All of the anti-malware providers have caught up and are keeping their tools up-to-date detecting and killing this crud. I personally recommend getting the latest copy of the free Malwarebytes app and running it. I’ve known the fellow who writes it for over a decade. He’s an expert at all the malware Apple tends to ignore, that including adware and cryptominers. If the app finds bad stuff, have it clean it out for you.

        Just last week I ran into a fake Flash installer being foisted by one web site that was really an installer for the malware OSX.Trojan (Adware Dropper).Shlayer.C. The stuff is around.

        If you’re infected with JavaScript drive-by malware, the best thing to do is:
        A) Quit your browser
        B) Reboot your Mac
        C) Dump all your cache. That includes:
        – Your browser cache (Don’t boot your browser to do this! Use a utility).
        – Your User cache
        – Your System cache
        Then reboot your Mac again.

        The freeware Onyx app can do all this. I use a shareware program called MainMenu Pro, my preference. There are plenty of others. I’ve found this cleaned out a lot of odd Mac behavior.

Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.