How hackers can hijack your Mac’s processor via Cryptojacking
When the fans on your Mac are working overtime (and even making a lot of noise) to keep your computer cool, and the battery seems to be performing poorly with each charge, then you may be encountering the results of cryptojacking. Keep in mind that these experiences can also be the result of other factors. For instance, hot weather can affect your Mac’s ability to cool and run properly. Also, audio/video processing can cause your Mac to take a dive in performance—especially when engaged in a lot of simultaneous processes. But you can’t rule out the possibility that you have been a victim of cryptojacking. We will explore the concept of cryptocurrency and how the mining of cryptocurrency may be impacting the performance of your Mac Cryptojacking: Malware with a Friendly Face Cryptojacking is the ability to take advantage of your Mac’s processor to make money. The goal of cryptojacking is to use your Mac’s processing power to solve complex mathematical equations to unlock access to cryptocurrency. Each solved equation will be worth coins or fractions of coins in the targeted cryptocurrency the hacker is mining. It’s called cryptojacking because this mining of cryptocoins via the use of your Mac’s processor is being done without your consent. But first, let’s take a moment and discuss the pursuit of bitcoins, so you can understand why hackers are cryptojacking people’s Macs for their processing power. Coin mining is simply the process by which people obtain a well-known cryptocurrency called Bitcoins. When coin mining first began, all a computer had to do was complete a simple mathematical task for the user to earn coins. As cryptocurrency grew in popularity, the mathematical equations that had to be performed became more difficult to perform by a single computer in a reasonable amount of time. Therefore, people began using specialty-made computers that worked together to solve the equations and gain cryptocurrency within a decent amount of time. Coin mining increased in difficulty as the demand for cryptocurrency grew, which meant people could no longer use a simple computer to solve the equations anymore. Coin mining now requires computers specifically designed to work together to solve individual parts of the equation. This notion of using various computers to work on a specific part of the equation has led to the onset of cryptojacking. Hackers discovered they could have multiple computers working for them to solve specific parts of a complex equation by installing mining software onto the computers of unsuspecting users. Then, the hacker takes over that person’s computer processor without the person’s consent and starts performing various processes to gain cryptocoins. Types of Cryptojacking There are two ways cryptojackers take over a person’s computer to use coin mining. software. One less commonly used way is to introduce the mining app through traditional Trojan malware. The trojan will imitate a well-known app. Once the unsuspecting user has downloaded the imitation app, the coin mining software gets installed and goes to work coin mining. The other (and more common) way Mac users become prey to cryptojacking is by visiting a hacked website. Hackers use JavaScript because it can run on all web browsers. All the cryptojackers need to do to implant the mining software is either input the JavaScript mining code into a website that’s been hacked or input the JavaScript in ads that will be placed on several websites. Once you go to the hacked website, your Mac will be cryptojacked and will start running the cryptocurrency mining code. The second and more common approach to cryptojacking a Mac offers hackers many benefits. For starters, the process is relatively simple to implement because all they need to do is create and place an ad with an online advertising service that will spread the ad to multiple websites. Unlike the less common approach, the hacker doesn’t have to convince the user to download and use an app to start running the mining code. The ad on the webpage requires no installation code. The browser used to access the website will continue running the mining code while the webpage is open. How Can You Tell Cryptojacking is Happening to Your Mac The art of cryptojacking is in its infancy stage, so the methods to implement it all tend to use JavaScript. JavaScript uses a lot of your computer’s power and rapidly increases CPU usage. You can use the activity monitor app that comes with your Mac to discover the culprit behind the excess memory usage. To use the app:
Go to /Applications/Utilities and select Activity Monitor.
Select the CPU tab in the Activity Monitor window.
When you select the CPU in the Activity Monitor window, you will see a graph at the bottom of the window that displays the CPU usage. Any time you go to the internet and open a web page, you will see the usage go up on the graph while the page is loading. Once the page is loaded, the usage graph returns to normal. However, when you go to a web page that has cryptojacking taking place, you will see the CPU usage on the graph go up very fast and remain that way the whole time you are on the web page. When you leave the website or close your web browser, you will see the CPU usage drop back to normal. If you don’t want the Activity Monitor window open on the desktop while working, you can always click on the Activity Monitor dock icon to show the CPU usage history. Just select Dock Icon from the Activity Monitor menu and close the current Activity Monitor window.
An example of a page that impacts CPU usage because of cryptocurrency mining is TheHopepage.org (ran by UNICEF). Unlike the illegal pages that cryptojack your Mac without your consent, this page asks for your consent to have some of your Mac’s processing power (that you set yourself) to mine for cryptocurrency as donations to provide food, water and vaccinations for children. When you close the web page, the website is no longer mining from your computer. Other sites that are involved in cryptojacking usually don’t ask for your permission and tell you why they want to use some of your computer’s processing power.
Cryptojacking Prevention Since cryptojacking involves the use of JavaScript, you can use ad-blocking browser extensions to protect your computer from most cryptojacking websites. For example, you can use MinerBlock, No Coin, Adblock (and Adblock Plus) to help combat cryptojacking attempts on your computer. These extensions have a working database of sites that utilize cryptojacking methods. However, not all ad blocking extensions prevent cryptojacking, so you may have to check the setting of the extension you use (if you choose one not already mentioned above) to see if it has a cryptojacking prevention tool. You can also use anti-malware apps (like the premium version of Malwarebytes) that have cryptojacking prevention features that prevent cryptojacking sites like Coinhive from using your Mac. Coinhive is a popular coin mining service that employs the use of JavaScript code to take a cut of a website’s generated cryptocurrency. There are also websites that heartily use Coinhive to generate cryptocurrency on their sites. When it comes to the less common technique of cryptojacking—using an app—the more popular apps used to be Miner-D, DevilRobber and Coinbitminer until Apple created a security update that prevented these apps from being successful. Nowadays, you won’t find many mining apps around like mshelper, a cryptojacking app that has not yet been figured out as to how it works. One thing IT scholars do know is that mshelper tends to work in conjunction with other downloaded apps (like Flash updater).
You can use an anti-malware app to remove mshelper, but your Activity Monitor app should also work. Just follow these steps:
Go to /Applications/Utilities and select Activity Monitor.
Select the CPU tab in the Activity Monitor window.
In the Search field, type mshelper and hit return.
If you don’t see anything listed from your search, then that means the app is not present on your Mac.
If you do see “mshelper” listed from your search, then that means the app is, present on your Mac. Select the mshelper app from the list and then select the Force Process to Quit button (the button with the circle and an “X” going through it) found at the top left section of the Activity Monitor toolbar.
When the app has stopped, you will now need to remove two files from your Mac:
Go to Finder and select /Library/LaunchDaemons/.
Find the file named com.pplauncher.plist, and delete it.
To find the second file that needs deleting, go to Finder and select /Library/Application Support/.
Find the file named pplauncher, and delete it.
Make sure you are searching the startup drive’s Library folder and not your personal Library folder. The Friendly Side of Cryptojacking Cryptojacking is a friendlier type of malware because it only uses your computer’s processor and does not try to damage your computer. Also, this type of malware is not designed to steal personal information or ransom your data. Since the increase in cryptojacking, there has been a decrease in ransomware attacks because hackers tend to get caught more often while using ransomware than they do while using coin mining software. Also, there is an increase in websites that offer consensual cryptomining opportunities to decrease the presence of ads on their websites. For example, those who read Salon have probably observed the opportunity to remove ads from their view of the site by consenting to cryptomining. Since Salon’s coin mining is in the beta stage, it probably won’t be a permanent substitute for ad revenue. However, it is noteworthy to see how some sites are using cryptomining without stealing the use of someone’s computer processor.