WTFMiner

Summary
A sneaky coinminer embedded within pirated applications
Class
Miner
Class Summary
CoinMiner (or cryptojacking) malware uses a system's processing resources to mine cryptocurrency without the user's consent. It may enter the system through malicious downloads or phishing attacks, and it has a record of being embedded within pirated software downloaded from the internet. To reduce the risk of cryptojacking, keep your web browser and security software up to date, use strong passwords, and be cautious when downloading files or visiting unfamiliar websites.
Description

WTFMiner is an evasive cryptojacking malware that spreads through pirated macOS apps. Its origins can be traced to a torrent uploader who has bundled the miner into multiple pirated macOS applications since 2019. By obtaining copies, Jamf charted its incremental development across three generations, each employing additional stealth techniques. It routes its communication through the dark web to stay hidden, disguises itself as legitimate processes, and shuts down when Activity Monitor is opened. The latest variants avoid writing persistence to disk and instead rely on users launching the trojanized apps to start mining.

Example Hashes
  • c19e78df3b3462064b9d78bc138674a7e8df28c7
  • 7628d90cfd311bfd4997729a232ca77a6d443619
  • 62ed66c1835ef5558ce713467f837efde508d5e4
  • 69fd812cf3760dc3dff5d41972cc635de9a0844d
  • 53fd50b23372a73e74e7cdc370f51ac560a1130f
  • c56046c322316233d23db034670496756a6942fe
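As an added example, not part of the original entry or of Jamf's research, the script below walks a directory tree, computes the SHA-1 of every regular file, and reports files whose digest appears in the hash list above. It assumes the listed hashes are SHA-1 (inferred only from their 40-hex-character length); the sample file created in demo() is constructed for the self-check and is not a real WTFMiner artifact.

```python
import hashlib
import os
import tempfile
from typing import Dict, Set

# The six hashes listed on this page; assumed to be SHA-1 because they are
# 40 hex characters long.
WTFMINER_SHA1: Set[str] = {
    "c19e78df3b3462064b9d78bc138674a7e8df28c7",
    "7628d90cfd311bfd4997729a232ca77a6d443619",
    "62ed66c1835ef5558ce713467f837efde508d5e4",
    "69fd812cf3760dc3dff5d41972cc635de9a0844d",
    "53fd50b23372a73e74e7cdc370f51ac560a1130f",
    "c56046c322316233d23db034670496756a6942fe",
}


def sha1_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream a file through SHA-1 so large app bundles do not load into memory."""
    digest = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_tree(root: str, iocs: Set[str] = WTFMINER_SHA1) -> Dict[str, str]:
    """Return {path: sha1} for every regular file under root whose digest is in iocs.

    Symlinks are skipped so a crafted link cannot pull the scan outside root,
    and unreadable files are ignored rather than aborting the whole scan.
    """
    wanted = {h.lower() for h in iocs}
    hits: Dict[str, str] = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                digest = sha1_of_file(path)
            except OSError:
                continue
            if digest in wanted:
                hits[path] = digest
    return hits


def demo() -> Dict[str, object]:
    """Self-check on a constructed sample: one file, matched against its own hash
    (should hit) and against the real WTFMiner list (should not)."""
    workdir = tempfile.mkdtemp()
    sample = os.path.join(workdir, "sample.bin")
    payload = b"constructed sample, not malware"
    with open(sample, "wb") as fh:
        fh.write(payload)
    expected = hashlib.sha1(payload).hexdigest()
    # Upper-case IoC checks that matching is case-insensitive.
    matched = scan_tree(workdir, {expected.upper()})
    clean = scan_tree(workdir)  # default list: the page's hashes
    return {"expected": expected, "matched": matched, "clean": clean, "path": sample}


if __name__ == "__main__":
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else "/Applications"
    for path, digest in scan_tree(target).items():
        print(f"MATCH {digest} {path}")
```

Run it as `python3 scan.py /Applications` (or any directory where pirated apps may have been unpacked). A hash match is a strong indicator for the specific samples Jamf documented, but the absence of a match proves nothing: the description above notes three generations of the miner, so newer builds will have different digests, and hash checks should be paired with behavioural observation.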