OSX.Birdminer Suspicions on Big Sur m1 and Intel Macs


Hi,

I suspect a miner is running on two of my Macs. First, on my Mac mini (M1), Malwarebytes detected OSX.birdminer at 5 locations:

Hebrew = /Library/Application Support/Hebrew

Metachlamydeae = /Library/Application Support/Metachlamydeae

Hebrew = /usr/local/bin/Hebrew

Metachlamydeae = /usr/local/bin/Metachlamydeae

Mithraeum = /usr/local/bin/Mithraeum

The thing is, it detected these on the M1 Mac, but not on the Intel Mac I have. I use Malwarebytes Premium on the Intel Mac and the trial on the M1 Mac. I suspect the malware came from my SSD, which I connected to both (from a dmg file).

OS: macOS Big Sur (both devices)

After quarantining the files and restarting the M1 Mac as suggested, I did a rescan and Malwarebytes detected nothing. But I see the "error" message, so I have doubts about it.

Then I checked the locations and the files were gone.

Here are my concerns: on the Intel Mac, Malwarebytes Premium detects nothing. But the thing is, I did exactly the same installations on both devices, even more than on the M1 Mac...

Then, I'd like to be sure that nothing is running on the M1 as well, after having seen these error messages. I did do a restart and a scan on both, and both detected nothing.

Thanks for your help, I really appreciate it, and hopefully this will help other people in the same situation.

Attachments: m1 report (1).jpg, m1 report (2).jpg

Staff

Hello @ImDamien,

To review the Macs' status, please run our support tool on both Macs and send us the zip file it creates on your desktop by direct message on this forum, or create a support ticket: https://support.malwarebytes.com/hc/en-us/requests/new

Support tool for Mac > https://support.malwarebytes.com/hc/en-us/articles/360038519834-Upload-logs-to-your-ticket-using-the-Malwarebytes-Support-Tool-for-Mac

Staff

Hi @ImDamien,

Thank you for providing the report to support team. Our support team will contact you as soon as possible.

Meanwhile, please provide us with the information below if possible.

- What apps were installed that triggered the issue?

- Did you turn off System Integrity Protection (SIP) to install the app on the M1 Mac?

- The detection screenshot above says the removal failed; please let us know if you removed the files manually after the detection was shown.


1. The apps that triggered the issue were probably dmg installers from audio software plugins. I saw "SystemCheck" and "Installer" disks appearing while installing the dmg, so I instantly ejected both. These contained private folders (bin, var, ...).

I used Malwarebytes to detect it on the M1. But Malwarebytes detected nothing on the Intel while there were viruses (adware) there, and both Macs were using the same files, so it's strange that the detection worked for the M1 only.

2. No, SIP was always on, on both devices.

3. Not manually. I verified the location and both disappeared after the restart, even though Malwarebytes said "error".

Staff
1 hour ago, ImDamien said:

3. Not manually. I verified the location and both disappeared after the restart, even though Malwarebytes said "error".

Am I reading correctly that these files have disappeared, and are no longer on the hard drive? If so, one possible explanation for the error is that something else removed those files during the scan, after the scan had detected them but before you attempted to remove them. This could be Malwarebytes' own real-time protection, which acts independently of any manual or scheduled scans and has the potential to quarantine files during a scan. It could also be some other third-party antivirus scanner, if you have one installed.

Staff
18 hours ago, ImDamien said:

Here are my concerns: on the Intel Mac, Malwarebytes Premium detects nothing. But the thing is, I did exactly the same installations on both devices, even more than on the M1 Mac...

I haven't tested this, but it's possible that BirdMiner won't install on an M1 Mac. If it's not getting detected, it's almost certainly fine.

38 minutes ago, treed said:

Am I reading correctly that these files have disappeared, and are no longer on the hard drive? If so, one possible explanation for the error is that something else removed those files during the scan, after the scan had detected them but before you attempted to remove them. This could be Malwarebytes' own real-time protection, which acts independently of any manual or scheduled scans and has the potential to quarantine files during a scan. It could also be some other third-party antivirus scanner, if you have one installed.

I think it could be CleanMyMac or Malwarebytes real-time protection, but I usually get a notification for these things. Maybe this is what happened after all; notifications don't work sometimes.

Staff

Well, in any case, it's very unlikely that exactly the same thing would be detected on one machine and fail to be detected on the other, so there's likely to be some reason that the malware wasn't installed on the Intel machine. It could be you just didn't install the same thing there, or perhaps it encountered some kind of error on the Intel machine.

6 minutes ago, treed said:

Well, in any case, it's very unlikely that exactly the same thing would be detected on one machine and fail to be detected on the other, so there's likely to be some reason that the malware wasn't installed on the Intel machine. It could be you just didn't install the same thing there, or perhaps it encountered some kind of error on the Intel machine.

I may have an idea why. I saw two dmg disks appearing from nowhere when I was running a suspicious pckg file. (Yes, we have teachers that give us suspicious cracks to download for doing homework because they have no budget to pay for the software, whatever...)

The dmg files were something like "System Check" and "Installer", containing custom private folders. They appeared exactly when I was running the pckg installer. So within a second I ejected them, because I was really careful and ready to act if something went wrong.

Someone told me this is probably why it didn't install, but first I'm not sure, and secondly I had adware on the Intel Mac anyway, called Gnutls and Lucritius, and 3 or 4 others whose names I don't remember because I deleted those files instantly. The location was /Library/Application Support, and these folders were locked. Malwarebytes didn't detect them and I'm pretty sure they're not system folders.

2 minutes ago, treed said:

Without more information about those files, I can't comment on them. I assume you don't still have copies of them?

No, sorry, the only folders I have are the miners that were on the M1 in my backup and I can't send them.

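For the concern raised in this thread (being sure the detected files are really gone and nothing is still running or set to come back after the restart), here is a read-only check added as an example; it is not part of the thread and not Malwarebytes' tool. It looks for the five indicator paths exactly as quoted in the first post, for launchd property lists in the standard LaunchDaemons/LaunchAgents folders that mention those names, and for running processes with those exact names; the launchd folder locations and the exact-name process match are assumptions, nothing in the thread states them.

```shell
#!/bin/sh
# Added example, not from the thread or Malwarebytes: read-only check that the
# BirdMiner indicators quoted in the thread are gone, not persisted, not running.

# Paths exactly as Malwarebytes reported them in the thread (they contain spaces).
BIRDMINER_PATHS='/Library/Application Support/Hebrew
/Library/Application Support/Metachlamydeae
/usr/local/bin/Hebrew
/usr/local/bin/Metachlamydeae
/usr/local/bin/Mithraeum'
# Binary names taken from those paths, for the launchd and process checks.
BIRDMINER_NAMES='Hebrew Metachlamydeae Mithraeum'

# list_present PATHS: prints "PRESENT: <path>" for each listed path that exists.
list_present() {
  old_ifs=$IFS; IFS='
'   # newline-only splitting keeps the spaces inside the paths intact
  for p in $1; do
    if [ -e "$p" ]; then printf 'PRESENT: %s\n' "$p"; fi
  done
  IFS=$old_ifs
}

# count_present PATHS: echoes how many listed paths still exist (0 means clean).
count_present() {
  list_present "$1" | grep -c '^PRESENT: ' || true   # grep -c prints 0 on no match
}

# find_launch_items NAMES DIR...: launchd plists under DIRs that mention any name.
# A LaunchDaemon/LaunchAgent is what would bring a miner back after a restart.
# Assumed locations: /Library/LaunchDaemons, /Library/LaunchAgents, ~/Library/LaunchAgents.
find_launch_items() {
  names=$1; shift
  for d in "$@"; do
    [ -d "$d" ] || continue
    for name in $names; do
      grep -l "$name" "$d"/*.plist 2>/dev/null || true
    done
  done | sort -u
}

main() {
  echo "Indicator files still present: $(count_present "$BIRDMINER_PATHS")"
  list_present "$BIRDMINER_PATHS"
  echo "launchd items referencing indicator names:"
  find_launch_items "$BIRDMINER_NAMES" /Library/LaunchDaemons /Library/LaunchAgents "$HOME/Library/LaunchAgents"
  echo "Running processes with an exact indicator name:"
  for name in $BIRDMINER_NAMES; do pgrep -lx "$name" 2>/dev/null || true; done
}
main
```

The script only reports; any file it lists should be handled through the scanner's quarantine, which is also what the support team asked to review via the support tool logs.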