Bird Miner Description
With the continuously growing popularity of cryptocurrencies, cybercriminals worldwide have been finding more and more ways to exploit this trend and make a buck off the back of unsuspecting users online. Usually, cyber crooks aim at spreading their malware as far and as wide as possible, and because Windows is by far the most popular OS in the world, most malware targets machines that run Windows. However, some cyber crooks stray from this well-trodden path. This is the case with the authors of the Bird Miner. They have built their cryptocurrency miner to target only devices that run OSX, and it uses a Linux virtual machine to host and run the crypto mining software chosen by the attackers. The Bird Miner is programmed to mine Monero cryptocurrency.
In the first campaign where the Bird Miner was detected, the infection vector used by the attackers appeared to be a pirated copy of a music production application that had gained some notoriety. This software suite works exclusively on OSX. It has been speculated that the Bird Miner creators chose this particular application to spread their threat because it is a heavy program that requires significant hardware to run smoothly, which makes it more likely that users with high-end Mac devices will try to pirate it. This is useful for the attackers, since it means their cryptomining malware gets to use modern hardware for its mining operations.
A user who trusts the pirated copy distributed by the criminals behind the Bird Miner may never even realize that their system has been infected, because the application that delivers the threat's payload works as intended.
The Bird Miner has several features. To avoid alarming the user, the Bird Miner checks the current CPU usage via the Activity Monitor. If it determines that usage is over 85%, it halts all mining operations. Another core component of the Bird Miner malware is 'Nigel,' a renamed copy of Qemu, a legitimate machine virtualization application. This component is meant to run 'Tiny Core,' a very small Linux distro.
Usually, gaining persistence requires executing a single process, but the Bird Miner's case is a little different because it uses a virtualized environment. The Bird Miner configures the system to start the Linux virtual machine at boot and then launch the cryptocurrency mining malware.
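One way a defender can hunt for the two components described above, a renamed copy of QEMU ('Nigel') and a launch item that starts the Linux VM at boot, as an added Python example that is not part of the original article. It assumes macOS launchd plists are the persistence mechanism (the article does not name the actual files) and uses constructed sample data with hypothetical paths; the idea is to match on QEMU's argument syntax, which a renamed binary still has to use.

```python
import plistlib

# A renamed QEMU binary keeps QEMU's command-line syntax, so match on the
# shape of the arguments rather than on the executable's name ('Nigel' here).
QEMU_OPTIONS = {"-m", "-hda", "-drive", "-cpu", "-smp", "-accel",
                "-nographic", "-netdev", "-cdrom", "-kernel", "-display"}

def looks_like_qemu(argv):
    """True when a command line uses at least two distinct QEMU-style options."""
    return len(QEMU_OPTIONS.intersection(argv[1:])) >= 2

def suspicious_launch_items(plists):
    """plists: {path: raw launchd plist bytes}. Returns paths of items that start
    automatically (RunAtLoad/KeepAlive) and launch something shaped like a VM."""
    hits = []
    for path, raw in plists.items():
        item = plistlib.loads(raw)
        argv = item.get("ProgramArguments") or [item.get("Program", "")]
        autostart = bool(item.get("RunAtLoad")) or bool(item.get("KeepAlive"))
        if autostart and looks_like_qemu(argv):
            hits.append(path)
    return hits

def suspicious_processes(ps_lines):
    """ps_lines: lines of `ps -axo pid,command`. Returns (pid, binary name) pairs."""
    hits = []
    for line in ps_lines:
        pid, _, command = line.strip().partition(" ")
        argv = command.split()
        if argv and looks_like_qemu(argv):
            hits.append((int(pid), argv[0].rsplit("/", 1)[-1]))
    return hits

# Constructed samples (hypothetical paths): a LaunchDaemon that boots the
# renamed QEMU with a Tiny Core image, and a process list with one VM running.
SAMPLE_PLISTS = {
    "/Library/LaunchDaemons/com.example.nigel.plist": b"""<plist version="1.0"><dict>
  <key>Label</key><string>com.example.nigel</string>
  <key>ProgramArguments</key><array>
    <string>/Library/Example/Nigel</string><string>-m</string><string>1024</string>
    <string>-hda</string><string>/Library/Example/tinycore.img</string>
    <string>-nographic</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>""",
}
SAMPLE_PS = [
    "  412 /Library/Example/Nigel -m 1024 -hda /Library/Example/tinycore.img -nographic",
    "  577 /usr/libexec/trustd",
    "  601 /usr/local/bin/backup -m daily",
]
```

On a real machine the same functions can be fed the contents of /Library/LaunchDaemons and /Library/LaunchAgents and the live `ps -axo pid,command` output; a single `-m` on an unrelated tool, as in the backup line above, is not enough to trigger a hit.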
However, the authors of the Bird Miner have not been as sneaky as they would like to think. This malware leaves many traces of its malicious activity, such as leftover processes and files. It is crucial that you make sure your machine has a reputable anti-malware suite that is updated regularly.