A large number of Mac users have noticed a process called “mshelper” consuming CPU time and draining their batteries. It turns out to be Monero-mining malware.
“The malware became public knowledge in a post on Apple’s discussion forums, where the ‘mshelper’ process was found to be the culprit. Digging deeper, it was discovered that there were a couple other suspicious processes installed as well. We went searching and found copies of these files,” Malwarebytes wrote in its published analysis.
Malwarebytes researchers analyzed the malware but could not determine how it is delivered; counterfeit Flash Player installers, malicious documents, or pirated software are the most likely infection channels.
The component that installs and starts the mshelper miner is a file named pplauncher. It is kept running by a launch daemon (com.pplauncher.plist), is written in Go, and is relatively large (3.5 MB).
“Using Golang introduces significant overhead, resulting in a binary file containing more than 23,000 functions. Using this for what appears to be simple functionality is probably a sign that the person who created it is not particularly familiar with Macs.
Although the mshelper process is actually a legitimate piece of software being abused, it should still be removed along with the rest of the malware,” concludes Malwarebytes.
“This malware follows other cryptominers for macOS, such as Pwnet, CpuMeaner, and CreativeUpdate. I’d rather be infected with a cryptominer than some other kind of malware, but that doesn’t make it a good thing.”
Users can remove the malware manually by deleting these two files and then rebooting (the reboot stops the running mshelper and pplauncher processes, which the launch daemon would otherwise keep alive):
- /Library/LaunchDaemons/com.pplauncher.plist
- /Library/Application Support/pplauncher/pplauncher
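The following script is an added example, not Malwarebytes' tooling or anything from the original article. It turns the two indicator paths above, plus the two process names the article mentions, into a check that can be run against a live Mac or against a mounted disk image (the `root` prefix argument is an assumption for that purpose), and a removal routine that unloads the launch daemon before deleting the files so pplauncher is not respawned mid-cleanup.

```sh
#!/bin/sh
# Added example: check for and remove the mshelper/pplauncher indicators named above.
# The two paths and the process names come from the article; the root-prefix argument
# and the function names are this example's own conventions.

MSHELPER_PLIST="/Library/LaunchDaemons/com.pplauncher.plist"
MSHELPER_BIN="/Library/Application Support/pplauncher/pplauncher"

# Print each indicator path that exists under the prefix $1 ("" means the live system,
# "/Volumes/image" a mounted disk). Returns 0 if at least one was found, 1 otherwise.
mshelper_find_files() {
    root="$1"
    n=0
    for p in "$MSHELPER_PLIST" "$MSHELPER_BIN"; do
        if [ -e "$root$p" ]; then
            printf '%s\n' "$root$p"
            n=$((n + 1))
        fi
    done
    [ "$n" -gt 0 ]
}

# List any running mshelper or pplauncher process (live system only).
# -x matches the whole process name, so unrelated names containing the string are ignored.
mshelper_find_procs() {
    pgrep -lx 'mshelper|pplauncher' 2>/dev/null
}

# Remove the infection: stop launchd from respawning pplauncher, kill the processes,
# delete both files, then reboot as the article recommends. Must run as root.
mshelper_remove() {
    launchctl bootout system "$MSHELPER_PLIST" 2>/dev/null \
        || launchctl unload "$MSHELPER_PLIST" 2>/dev/null   # older macOS syntax
    pkill -x 'mshelper|pplauncher' 2>/dev/null
    rm -f "$MSHELPER_PLIST" "$MSHELPER_BIN"
    rmdir "/Library/Application Support/pplauncher" 2>/dev/null
    echo "pplauncher files removed; reboot to finish cleanup"
}

# Usage:  sh mshelper_check.sh            -> report indicators on this machine
#         sudo sh mshelper_check.sh remove -> remove them
if [ "${1:-}" = "remove" ]; then
    mshelper_remove
else
    mshelper_find_files "" || echo "no pplauncher files found"
    mshelper_find_procs  || echo "no mshelper/pplauncher process running"
fi
```

The check deliberately tests for file presence rather than hashes, because the article identifies the persistence mechanism by path and the miner by process name only; a rebuilt pplauncher binary with a different hash at the same path would still be caught.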