{"id":45385,"date":"2022-02-21T00:00:00","date_gmt":"2022-02-21T00:00:00","guid":{"rendered":"urn:uuid:8464dd68-1d5c-1b0b-f1a2-b4cb06cf4d4b"},"modified":"2022-02-21T00:00:00","modified_gmt":"2022-02-21T00:00:00","slug":"latest-mac-coinminer-utilizes-open-source-binaries-and-the-i2p-network","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/latest-mac-coinminer-utilizes-open-source-binaries-and-the-i2p-network\/","title":{"rendered":"Latest Mac Coinminer Utilizes Open-Source Binaries and the I2P Network"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/b\/latest-mac-coinminer-utilizes-open-source-binaries-and-the-i2p-network\/Mac%20coinminer%20banner.jpg\"><!-- OneTrust Cookies Consent Notice start for trendmicro.com --><!-- OneTrust Cookies Consent Notice end for trendmicro.com --> <!-- Begin mPulse library --> <!-- END mPulse library --> <head> <meta charset=\"UTF-8\"> <meta name=\"viewport\" content=\"width=device-width\"> <meta name=\"description\"> <meta name=\"robots\" content=\"index,follow\"> <meta name=\"keywords\" content=\"malware,endpoints,research,articles, news, reports\"> <meta http-equiv=\"X-UA-Compatible\" content=\"IE=edge,chrome=1\"> <meta name=\"template\" content=\"article1withouthero\"> <meta property=\"article:published_time\" content=\"2022-02-21\"> <meta property=\"article:tag\" content=\"malware\"> <meta property=\"article:section\" content=\"research\"> <link rel=\"icon\" type=\"image\/ico\" href=\"\/content\/dam\/trendmicro\/favicon.ico\"> <link rel=\"canonical\" href=\"https:\/\/www.trendmicro.com\/en_us\/research\/22\/b\/latest-mac-coinminer-utilizes-open-source-binaries-and-the-i2p-network.html\"> <title> Latest Mac Coinminer Utilizes Open-Source Binaries and the I2P Network<\/title> <link href=\"https:\/\/fonts.googleapis.com\/css?family=Open+Sans:300,300i,400,400i,600\" rel=\"stylesheet\">\n<link 
href=\"\/\/customer.cludo.com\/css\/296\/1798\/cludo-search.min.css\" type=\"text\/css\" rel=\"stylesheet\"> <link rel=\"stylesheet\" href=\"\/etc.clientlibs\/trendresearch\/clientlibs\/clientlib-trendresearch.min.css\" type=\"text\/css\"> <meta property=\"og:url\" content=\"https:\/\/www.trendmicro.com\/en_us\/research\/22\/b\/latest-mac-coinminer-utilizes-open-source-binaries-and-the-i2p-network.html\"><br \/>\n<meta property=\"og:title\" content=\" Latest Mac Coinminer Utilizes Open-Source Binaries and the I2P Network\"><br \/>\n<meta property=\"og:site_name\" content=\"Trend Micro\"><br \/>\n<meta property=\"og:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/b\/latest-mac-coinminer-utilizes-open-source-binaries-and-the-i2p-network\/Mac%20coinminer%20banner.jpg\"><br \/>\n<meta property=\"og:locale\" content=\"en_US\"> <meta name=\"twitter:card\" content=\"summary_large_image\"><br \/>\n<meta name=\"twitter:site\" content=\"@TrendMicro\"><br \/>\n<meta name=\"twitter:title\" content=\" Latest Mac Coinminer Utilizes Open-Source Binaries and the I2P Network\"><br \/>\n<meta name=\"twitter:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/b\/latest-mac-coinminer-utilizes-open-source-binaries-and-the-i2p-network\/Mac%20coinminer%20banner.jpg\"> <\/head> <body class=\"articlepage page basicpage context-business\" id=\"readabilityBody\" readability=\"51.353567969002\"> <!-- Page Scroll: Back to Top --> <a id=\"page-scroll\" title=\"VerticalPageScroll\" href=\"javascript:jumpScroll($(this).scrollTop());\"> <span class=\"icon-chevron-up\"><\/span> <\/a> <!-- \/* Data Layer *\/ --> <\/p>\n<div class=\"root responsivegrid\">\n<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12 \">\n<div class=\"articleBodyNoHero aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"research-layout article container\" role=\"contentinfo\">\n<article 
class=\"research-layout--wrapper row\" data-article-pageid=\"2106076620\">\n<div class=\"col-xs-12 col-md-12 one-column\">\n<div class=\"col-xs-12 col-md-12\" readability=\"8.286312849162\">\n<div class=\"article-details\" role=\"heading\" readability=\"36.069832402235\"> <span class=\"article-details__bar\" role=\"img\"><\/span> <\/p>\n<p class=\"article-details__display-tag\">Malware<\/p>\n<p class=\"article-details__description\">A Mac coinminer has been spotted using open-source components in its routine and the I2P Network to hide its traffic. We dive into old iterations of this malware, and also analyze the newest version. <\/p>\n<p class=\"article-details__author-by\">By: Luis Magisa <time class=\"article-details__date\">February 21, 2022<\/time> <span>Read time:&nbsp;<\/span><span class=\"eta\"><\/span> (<span class=\"words\"><\/span> words) <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<hr class=\"research-layout-divider\"> <main class=\"main--content col-xs-12 col-md-8 col-md-push-2\"> <\/p>\n<div class=\"richText\" readability=\"45.392819429778\">\n<div readability=\"36.5116156283\">\n<p>Coinminers are one of the more profitable types of malware for malicious actors, and they require little maintenance once installed on a victim\u2019s device. The malicious actor can have a coinminer masquerade itself as a legitimate app, trick susceptible users into running it on their systems, and just wait for the profits to roll in. In this light, it would be in the best interest of developers to put in the work and continuously improve these miners.<\/p>\n<p>In this post, we share the results of our analysis of a coinminer sample sourced in early January 2022.&nbsp; This sample uses several modified open-source components that the malicious actor modified for their purposes. The sample was also found using <a href=\"https:\/\/i2pd.website\/\" target=\"_blank\" rel=\"noopener\">i2pd<\/a> (aka I2P Daemon) to hide its network traffic. 
I2pd is a C++ implementation of the Invisible Internet Protocol or <a href=\"https:\/\/geti2p.net\/en\/\" target=\"_blank\" rel=\"noopener\">I2P<\/a> client. I2P is a universal anonymous network layer that allows for anonymous end-to-end encrypted communications \u2014 the participants do not reveal their real IP addresses. Previously, other Mac malware samples (<a href=\"https:\/\/grahamcluley.com\/mac-malware-uses-tor-obtain-access-systems\/\" target=\"_blank\" rel=\"noopener\">Eleanor<\/a>, <a href=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2017\/04\/new-osx-dok-malware-intercepts-web-traffic\/\" target=\"_blank\" rel=\"noopener\">DOK<\/a>, <a href=\"https:\/\/unit42.paloaltonetworks.com\/new-os-x-ransomware-keranger-infected-transmission-bittorrent-client-installer\/\" target=\"_blank\" rel=\"noopener\">Keranger<\/a>) used Tor to hide their network activity, so this usage of i2pd is new.<\/p>\n<p><span class=\"body-subhead-title\">Arrival of the coinminer on a device<\/span><\/p>\n<p>The main malware sample is detected as Coinminer.MacOS.MALXMR.H (SHA 256 9518906dc416de6c6a5d17479244cf698b062c1d6b4425d86ee6895ce66c7c39). It is a Mach-O file that was flagged by several vendors early since it contains XMRig-related strings that can be easily caught by sourcing tools such as Yara. XMRig is a command-line app for mining Monero cryptocurrency and is typically used by other malware to perform cryptomining because of its availability and ease of use.<\/p>\n<p>The main Mach-O sample was found to be ad hoc-signed, as seen in Figure 1. 
This means that the Mach-O binary will not easily run on Mac systems and might be blocked by Gatekeeper, which is a built-in security feature for macOS that enforces code signing.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/b\/latest-mac-coinminer-utilizes-open-source-binaries-and-the-i2p-network\/Mac%20Coinminer%201.png\" alt=\"Figure 1. Digital signature for Mach-O sample, which has been ad hoc-signed\"><figcaption>Figure 1. Digital signature for Mach-O sample, which has been ad hoc-signed<\/figcaption><\/figure>\n<\/p><\/div>\n<div>\n<div class=\"richText\" readability=\"34.5\">\n<div readability=\"14\">\n<p>We suspected that the Mach-O sample arrived packaged in a DMG (an Apple image format used to compress installers) for Adobe Photoshop CC 2019 v20.0.6. However, the parent file was not successfully sourced. We reached this conclusion based on the snippet of code in Figure 2, which was found in one of its dropped files. In this code, the sample attempts to launch a non-existent file in the \/Volumes path. It is important to note that for DMG files, they are mounted by default in the \/Volumes directory when double-tapped on macOS.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/b\/latest-mac-coinminer-utilizes-open-source-binaries-and-the-i2p-network\/Mac%20Coinminer%202.png\" alt=\"Figure 2. Code snippet attempting to launch non-existent file\"><figcaption>Figure 2. 
Code snippet attempting to launch non-existent file<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"33.5\">\n<div readability=\"12\">\n<p><span class=\"body-subhead-title\">Installation of the coinminer<\/span><\/p>\n<p>The main Mach-O sample (detected as Coinminer.MacOS.MALXMR.H) was found to contain several embedded Mach-O files. When executed, it leverages the AuthorizationExecuteWithPrivileges API to escalate privileges by prompting the user for credentials.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/b\/latest-mac-coinminer-utilizes-open-source-binaries-and-the-i2p-network\/Mac%20Coinminer%203.png\" alt=\"Figure 3. Code snippet using AuthorizationExecuteWithPrivileges API to escalate privileges by prompting the user for credentials\"><figcaption>Figure 3. Code snippet using AuthorizationExecuteWithPrivileges API to escalate privileges by prompting the user for credentials<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/b\/latest-mac-coinminer-utilizes-open-source-binaries-and-the-i2p-network\/Mac%20Coinminer%204.png\" alt=\"Figure 4. User prompt displayed during testing\"><figcaption>Figure 4. 
User prompt displayed during testing<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"34\">\n<div readability=\"13\">\n<p>The sample will then drop the following files into the system:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">\/tmp\/lauth<\/span><\/li>\n<li><span class=\"rte-red-bullet\">\/usr\/local\/bin\/com.adobe.acc.localhost<\/span><\/li>\n<li><span class=\"rte-red-bullet\">\/usr\/local\/bin\/com.adobe.acc.network<\/span><\/li>\n<li><span class=\"rte-red-bullet\">\/usr\/local\/bin\/com.adobe.acc.installer.v1<\/span><\/li>\n<\/ul>\n<p><b>lauth file used for persistence<\/b><\/p>\n<p>lauth is the Mach-O file responsible for creating the following file for the malware\u2019s persistence routine: \/Library\/LaunchDaemons\/com.adobe.acc.installer.v1.plist. It is this file that launches \/usr\/local\/bin\/com.adobe.acc.installer.v1 on every startup.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/b\/latest-mac-coinminer-utilizes-open-source-binaries-and-the-i2p-network\/Mac%20Coinminer%205.png\" alt=\"Figure 5. LaunchDaemon plist file\"><figcaption>Figure 5. LaunchDaemon plist file<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"31.5\">\n<div readability=\"8\">\n<p>The sample also attempts to launch the following non-existent file: \/Volumes\/Adobe Photoshop CC 2019 v20.0.6\/Adobe Zii 2019 4.4.2.app\/Contents\/MacOS\/.Patch.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/b\/latest-mac-coinminer-utilizes-open-source-binaries-and-the-i2p-network\/Mac%20Coinminer%206.png\" alt=\"Figure 6. Code snippet of lauth Mach-O file\"><figcaption>Figure 6. Code snippet of lauth Mach-O file<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"33.5\">\n<div readability=\"12\">\n<p><b>com.adobe.acc.installer.v1 file for launching binaries<\/b><\/p>\n<p>The file com.adobe.acc.installer.v1 is a Mach-O binary launched by com.adobe.acc.installer.v1.plist on every startup. Upon execution, it sleeps for 60 seconds and then launches the following Mach-O binaries:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">\/usr\/local\/bin\/com.adobe.acc.localhost<\/span><\/li>\n<li><span class=\"rte-red-bullet\">\/usr\/local\/bin\/com.adobe.acc.network<\/span><\/li>\n<\/ul><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/b\/latest-mac-coinminer-utilizes-open-source-binaries-and-the-i2p-network\/Mac%20Coinminer%207.png\" alt=\"Figure 7. Code snippet of com.adobe.acc.installer.v1.\"><figcaption>Figure 7. Code snippet of com.adobe.acc.installer.v1.<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"34\">\n<div readability=\"13\">\n<p><b>com.adobe.acc.localhost used for mining routine<\/b><\/p>\n<p>The Mach-O binary com.adobe.acc.localhost is responsible for the mining routine. The file is a modified XMRig command-line app. This can be seen by launching the app with the <i>--help<\/i> or <i>--version<\/i> parameter. The <i>--version<\/i> parameter displays the version of the XMRig binary, and the <i>--help<\/i> parameter displays the list and description of the parameters that can be used.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/b\/latest-mac-coinminer-utilizes-open-source-binaries-and-the-i2p-network\/Mac%20Coinminer%208.png\" alt=\"Figure 8. 
Command-line information displayed when using --version parameter on the sample\"><figcaption>Figure 8. Command-line information displayed when using &#8211;version parameter on the sample<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"33.5\">\n<div readability=\"12\">\n<p>XMRig is an open-source, cross-platform command-line app used for mining cryptocurrency. A user can input their mining server address as well as the username\/password for the mining server from the command-line as parameters. Alternately, users can also load a JSON-formatted configuration file instead of using parameters.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/b\/latest-mac-coinminer-utilizes-open-source-binaries-and-the-i2p-network\/Mac%20Coinminer%209.png\" alt=\"Figure 9. Command-line options for XMRig app taken from XMRig site, https:\/\/xmrig.com\/docs\/miner\/command-line-options\"><figcaption>Figure 9. Command-line options for XMRig app taken from XMRig site, https:\/\/xmrig.com\/docs\/miner\/command-line-options<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"33\">\n<div readability=\"11\">\n<p>For this sample, we cross-examined the file with the XMRig we downloaded from https:\/\/xmrig.com\/, and we were able to observe the following JSON-formatted config file in the com.adobe.acc.localhost binary. This embedded config file was not present in the other XMRig binaries we sourced.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/b\/latest-mac-coinminer-utilizes-open-source-binaries-and-the-i2p-network\/Mac%20Coinminer%2010.png\" alt=\"Figure 10. 
Embedded JSON-formatted config file in com.adobe.acc.localhost\"><figcaption>Figure 10. Embedded JSON-formatted config file in com.adobe.acc.localhost<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32.5\">\n<div readability=\"10\">\n<p>Here are the following notable entries in the embedded config file:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">Mining server: 127.0.0.1:4545<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Username: pshp<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Password: x<\/span><\/li>\n<\/ul>\n<p>It should be noted that the mining server address seems invalid since the 127.0.0.1 address is a local host address.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/b\/latest-mac-coinminer-utilizes-open-source-binaries-and-the-i2p-network\/Mac%20Coinminer%2011.png\" alt=\"Figure 11. Comparison for malware samples (right) and XMRig binary (left). Note the usage of the embedded JSON-formatted config file for the malware sample.\"><figcaption>Figure 11. Comparison for malware samples (right) and XMRig binary (left). Note the usage of the embedded JSON-formatted config file for the malware sample.<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"33.5\">\n<div readability=\"12\">\n<p><b>Identifying \/usr\/local\/bin\/com.adobe.acc.network as a modified i2pd app<\/b><\/p>\n<p>Upon checking the readable strings in the com.adobe.acc.network Mach-O file, we were able to identify that it is a modified i2pd app. 
This finding is supported by the following display from the command line when using the <i>&#8211;version<\/i> or <i>&#8211;help<\/i> parameter.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/b\/latest-mac-coinminer-utilizes-open-source-binaries-and-the-i2p-network\/Mac%20Coinminer%2012.png\" alt=\"Figure 12. Command-line information displayed when using --version parameter on the sample\"><figcaption>Figure 12. Command-line information displayed when using &#8211;version parameter on the sample<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"40.383060635226\">\n<div readability=\"25.924927815207\">\n<p>As stated previously, i2pd is an open-source alternate implementation of <a href=\"https:\/\/geti2p.net\/en\/\" target=\"_blank\" rel=\"noopener\">I2P<\/a>&nbsp;that is written in C++ (rather than Java).&nbsp;<\/p>\n<p>I2P is an anonymous network layer (implemented as a mix network) that allows for censorship-resistant, peer-to-peer communication. Anonymous connections are achieved by encrypting the user&#8217;s traffic (by using end-to-end encryption) and sending it through a volunteer-run network of roughly 55,000 computers distributed around the world. I2P can also be seen as an alternative to Tor.<\/p>\n<p>We compared the malware binary with the official binary with the same version downloaded from this link: https:\/\/github.com\/PurpleI2P\/i2pd\/releases\/download\/2.27.0\/i2pd_2.27.0_osx.tar.gz.<\/p>\n<p>Since the binary is around 10 MB, finding the malware routine is challenging. Because of this, we focused our attention on the readable strings and codes not found on the official version. 
We were then able to find the following suspicious string and the related code snippet: <i>e4ppgzueqjiam3qvhzffwraakvcgzrjp5dzl3xzv24w6q5rjr7kq.b32.i2p:4545I<\/i>.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/b\/latest-mac-coinminer-utilizes-open-source-binaries-and-the-i2p-network\/Mac%20Coinminer%2013a.png\" alt=\"Figure 13. Code snippet containing configuration information in com.adobe.acc.network. Note that the image was edited for easier viewing.\"><figcaption>Figure 13. Code snippet containing configuration information in com.adobe.acc.network. Note that the image was edited for easier viewing.<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"34.5\">\n<div readability=\"14\">\n<p>The following information was taken from the image in Figure 13:<\/p>\n<p>client: &#8220;&#8221;<\/p>\n<p>client.type: client<\/p>\n<p>client.address: 127.0.0.1<\/p>\n<p>client.port:4545<\/p>\n<p>client.destination: e4ppgzueqjiam3qvhzffwraakvcgzrjp5dzl3xzv24w6q5rjr7kq.b32.i2p:4545<\/p>\n<p>client.keys: transient<\/p>\n<p>We looked into the i2pd documentation and we were able to find some useful information from this link: https:\/\/i2pd.readthedocs.io\/en\/stable\/user-guide\/tunnels\/#client-tunnels.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/b\/latest-mac-coinminer-utilizes-open-source-binaries-and-the-i2p-network\/Mac%20Coinminer%2014.png\" alt=\"Figure 14. Screenshot from i2pd documentation\"><figcaption>Figure 14. 
Screenshot from i2pd documentation<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32.5\">\n<div readability=\"10\">\n<p>Based on the aforementioned information, we can conclude that the XMRig traffic to 127.0.0.1:4545 will be tunneled by i2pd to e4ppgzueqjiam3qvhzffwraakvcgzrjp5dzl3xzv24w6q5rjr7kq.b32.i2p:4545. We can view this connection using the lsof terminal command.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/b\/latest-mac-coinminer-utilizes-open-source-binaries-and-the-i2p-network\/Mac%20Coinminer%2015.png\" alt=\"Figure 15. The lsof command shows the IP address and port being accessed by the sample.\"><figcaption>Figure 15. The lsof command shows the IP address and port being accessed by the sample.<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"37\">\n<div class=\"responsive-table-wrap\" readability=\"19\">\n<p>It should be noted that the site e4ppgzueqjiam3qvhzffwraakvcgzrjp5dzl3xzv24w6q5rjr7kq.b32.i2p:4545 can only be accessed through I2P.<\/p>\n<p><span class=\"body-subhead-title\">Discovering older samples<\/span><\/p>\n<p>We looked for other similar samples in VirusTotal and our sample collection using TLSH, Yara, and other tools. 
We were able to find the following samples that also uses i2pd to tunnel traffic to an I2P site to download possibly malicious samples.<\/p>\n<table cellpadding=\"1\" cellspacing=\"0\" border=\"1\">\n<tbody readability=\"5\">\n<tr>\n<td><b>Sha256<\/b><\/td>\n<td><b>Date first seen<\/b><\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>cbad9d6fd5b7d2e8860735e02f3bc54b9fc0d044df508f2293a60f2741ed7a66<\/td>\n<td>Oct 2019<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>cc483d9aa67048f7249f970337e329280b5ceb05053796ea44476e153e392686<\/td>\n<td>Feb 2020<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>f24da6301f95432a63eb98f8954e1da6f7275b73d0bde76052d66a6d2e587df5<\/td>\n<td>Mar 2020<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>42f982cde3d7aa9c5b86abe6c94119f7e4351fe84fe5ede41a1f1f2e0ab45be0<\/td>\n<td>Mar 2020<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>3028436248053280a93c3bedbefa65cacaf6e805e98a9bde09d858db974aab09<\/td>\n<td>May 2020<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>&nbsp;After analyzing the older samples, we found certain similarities:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">These samples were suspected to masquerade as Adobe Photoshop or Logic Pro X.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">All five samples use i2pd to access the same i2pd download server.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">The download server hosts several files.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Some samples utilize random file names and zero-byte padding to evade detection.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Four samples were observed to have a persistence routine. 
One sample attempts to overwrite the Mach-O executable in the installed Adobe Photoshop app.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">All samples were suspected to be packaged in a DMG file since these samples try to launch or copy from \/Volumes directory where DMG files are mounted by default.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">For the downloaded file with suffix \u201c_md5\u201d, its content is expected to be an md5 hash. The hash will be compared to the md5 hash of the other downloaded file. If they are not equal, the file with the \u201c_md5\u201d suffix will retry the download.&nbsp;<\/span><\/li>\n<li><span class=\"rte-red-bullet\">For the older samples, two tunnels were created but only 127.0.0.1:4546 is being used. The latest coinminer sample only creates one tunnel: 127.0.0.1:4545.<\/span><\/li>\n<\/ul><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/b\/latest-mac-coinminer-utilizes-open-source-binaries-and-the-i2p-network\/Mac%20Coinminer%2016.png\" alt=\"Figure 16. lsof command shows the IP address and port being accessed by the older samples.\"><figcaption>Figure 16. 
lsof command shows the IP address and port being accessed by the older samples.<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"39.813987231573\">\n<div readability=\"26.862449216483\">\n<p>More details about these older samples can be seen in the <a href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/b\/latest-mac-coinminer-utilizes-open-source-binaries-and-the-i2p-network\/Latest%20Mac%20Coinminer%20Utilizes%20Open-Source%20Binaries%20and%20the%20I2P%20Network.pdf\" target=\"_blank\" rel=\"noopener\">Appendix<\/a>.&nbsp;<\/p>\n<p><span class=\"body-subhead-title\">Conclusion<\/span><\/p>\n<p>In this blog, we investigated a coinminer sample that used several personalized open-source apps to augment its malicious routine. We found that even if the modifications were minimal, they seem to be effective. We also found that this malware leveraged i2pd to hide its network traffic from the untrained eye, a departure from other malware that use the better-known Tor.&nbsp;<\/p>\n<p>An investigation of previous iterations of the malware also showed its evolution these past few years. 
More importantly, we can use these findings to create the necessary security measures should this malware continue to evolve and spread in the future.<\/p>\n<p>For the indicators of compromise&nbsp;you may download this <a href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/b\/latest-mac-coinminer-utilizes-open-source-binaries-and-the-i2p-network\/IOCs-Mac%20Coinminer.txt\" target=\"_blank\" rel=\"noopener\">document<\/a>, and the appendix can be downloaded <a href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/b\/latest-mac-coinminer-utilizes-open-source-binaries-and-the-i2p-network\/Latest%20Mac%20Coinminer%20Utilizes%20Open-Source%20Binaries%20and%20the%20I2P%20Network.pdf\" target=\"_blank\" rel=\"noopener\">here<\/a>.&nbsp;<\/p>\n<p><span class=\"body-subhead-title\">MITRE Tactics, Techniques, and Procedures (TTPs)<\/span><\/p>\n<table cellpadding=\"1\" cellspacing=\"0\" border=\"1\">\n<tbody readability=\"10.354460093897\">\n<tr>\n<td><b>Tactic<\/b><\/td>\n<td><b>ID<\/b><\/td>\n<td><b>Name&nbsp;<\/b><\/td>\n<td><b>Description<\/b><\/td>\n<\/tr>\n<tr readability=\"3.6896551724138\">\n<td>Persistence<\/td>\n<td><a href=\"https:\/\/attack.mitre.org\/techniques\/T1543\/004\/\" target=\"_blank\" rel=\"noopener\">T1543.004<\/a><\/td>\n<td>Create or Modify System Process: Launch Daemon<\/td>\n<td>Launches Daemon created for persistence routine<\/td>\n<\/tr>\n<tr readability=\"4.7867298578199\">\n<td>Privilege Escalation<\/td>\n<td><a href=\"https:\/\/attack.mitre.org\/techniques\/T1548\/004\/\" target=\"_blank\" rel=\"noopener\">T1548.004<\/a><\/td>\n<td>Abuse Elevation Control Mechanism: Elevated Execution with Prompt<\/td>\n<td>Leverages the AuthorizationExecuteWithPrivileges API to escalate privileges by prompting the user for credentials.<\/td>\n<\/tr>\n<tr readability=\"1.8701298701299\">\n<td>Impact<\/td>\n<td><a href=\"https:\/\/attack.mitre.org\/techniques\/T1496\/\" target=\"_blank\" 
rel=\"noopener\">T1496<\/a><\/td>\n<td>Resource Hijacking<\/td>\n<td>Uses modified XMRig for cryptocurrency mining<\/td>\n<\/tr>\n<tr readability=\"1.8252427184466\">\n<td>Command and Control<\/td>\n<td><a href=\"https:\/\/attack.mitre.org\/techniques\/T1090\/003\/\" target=\"_blank\" rel=\"noopener\">T1090.003<\/a><\/td>\n<td>Proxy: Multi-hop Proxy<\/td>\n<td>Uses modified i2pd to access darknet mining server<\/td>\n<\/tr>\n<tr readability=\"4.758064516129\">\n<td>Defense Evasion<\/td>\n<td><a href=\"https:\/\/attack.mitre.org\/techniques\/T1222\/002\/\" target=\"_blank\" rel=\"noopener\">T1222.002<\/a><\/td>\n<td>File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification<\/td>\n<td>Uses chmod +x to modify dropped file execution privileges<\/td>\n<\/tr>\n<tr readability=\"3.712\">\n<td>Defense Evasion<\/td>\n<td><a href=\"https:\/\/attack.mitre.org\/techniques\/T1036\/005\/\" target=\"_blank\" rel=\"noopener\">T1036.005<\/a><\/td>\n<td>Masquerading: Match Legitimate Name or Location<\/td>\n<td>Dropped files have Adobe substring in the file name<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<section class=\"tag--list\">\n<p>Tags<\/p>\n<\/section>\n<p> <\/main> <\/article>\n<\/div>\n<\/div><\/div>\n<\/div>\n<p> <!-- \/* Core functionality javascripts, absolute URL to leverage Akamai CDN *\/ --> <!--For Modal-start--> <\/p>\n<p> <span>sXpIBdPeKzI9PC2p0SWMpUSM2NSxWzPyXTMLlbXmYa0R20xk<\/span> <\/p>\n<p> <!--For Modal-end--> <!-- Go to www.addthis.com\/dashboard to customize your tools --> <\/body> Read More <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/22\/b\/latest-mac-coinminer-utilizes-open-source-binaries-and-the-i2p-network.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>A Mac coinminer has been spotted using open-source components in its routine and the I2P Network to hide its traffic. 
We dive into old iterations of this malware, and also analyze the newest version. Read More HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":45386,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[61],"tags":[9510,9508,9513,9509],"class_list":["post-45385","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-trendmicro","tag-trend-micro-research-articles-news-reports","tag-trend-micro-research-endpoints","tag-trend-micro-research-malware","tag-trend-micro-research-research"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.8 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Latest Mac Coinminer Utilizes Open-Source Binaries and the I2P Network 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/latest-mac-coinminer-utilizes-open-source-binaries-and-the-i2p-network\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Latest Mac Coinminer Utilizes Open-Source Binaries and the I2P Network 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/latest-mac-coinminer-utilizes-open-source-binaries-and-the-i2p-network\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2022-02-21T00:00:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/b\/latest-mac-coinminer-utilizes-open-source-binaries-and-the-i2p-network\/Mac%20coinminer%20banner.jpg\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"10 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/latest-mac-coinminer-utilizes-open-source-binaries-and-the-i2p-network\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/latest-mac-coinminer-utilizes-open-source-binaries-and-the-i2p-network\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"Latest Mac Coinminer Utilizes Open-Source Binaries and the I2P Network\",\"datePublished\":\"2022-02-21T00:00:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/latest-mac-coinminer-utilizes-open-source-binaries-and-the-i2p-network\\\/\"},\"wordCount\":2001,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/latest-mac-coinminer-utilizes-open-source-binaries-and-the-i2p-network\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2022\\\/02\\\/latest-mac-coinminer-utilizes-open-source-binaries-and-the-i2p-network.png\",\"keywords\":[\"Trend Micro Research : Articles, News, Reports\",\"Trend Micro Research : Endpoints\",\"Trend Micro Research : Malware\",\"Trend Micro Research : Research\"],\"articleSection\":[\"TrendMicro\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/latest-mac-coinminer-utilizes-open-source-binaries-and-the-i2p-network\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/latest-mac-coinminer-utilizes-open-source-binaries-and-the-i2p-network\\\/\",\"name\":\"Latest Mac Coinminer Utilizes Open-Source Binaries and the I2P Network 2026 | 
ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/latest-mac-coinminer-utilizes-open-source-binaries-and-the-i2p-network\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/latest-mac-coinminer-utilizes-open-source-binaries-and-the-i2p-network\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2022\\\/02\\\/latest-mac-coinminer-utilizes-open-source-binaries-and-the-i2p-network.png\",\"datePublished\":\"2022-02-21T00:00:00+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/latest-mac-coinminer-utilizes-open-source-binaries-and-the-i2p-network\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/latest-mac-coinminer-utilizes-open-source-binaries-and-the-i2p-network\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/latest-mac-coinminer-utilizes-open-source-binaries-and-the-i2p-network\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2022\\\/02\\\/latest-mac-coinminer-utilizes-open-source-binaries-and-the-i2p-network.png\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2022\\\/02\\\/latest-mac-coinminer-utilizes-open-source-binaries-and-the-i2p-network.png\",\"width\":1427,\"height\":547},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/latest-mac-coinminer-utilizes-open-source-binaries-and-the-i2p-network\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"
position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Trend Micro Research : Articles, News, Reports\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tag\\\/trend-micro-research-articles-news-reports\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Latest Mac Coinminer Utilizes Open-Source Binaries and the I2P Network\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence 
Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Latest Mac Coinminer Utilizes Open-Source Binaries and the I2P Network 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/latest-mac-coinminer-utilizes-open-source-binaries-and-the-i2p-network\/","og_locale":"en_US","og_type":"article","og_title":"Latest Mac Coinminer Utilizes Open-Source Binaries and the I2P Network 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/latest-mac-coinminer-utilizes-open-source-binaries-and-the-i2p-network\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2022-02-21T00:00:00+00:00","og_image":[{"url":"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/b\/latest-mac-coinminer-utilizes-open-source-binaries-and-the-i2p-network\/Mac%20coinminer%20banner.jpg","type":"","width":"","height":""}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. 
reading time":"10 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/latest-mac-coinminer-utilizes-open-source-binaries-and-the-i2p-network\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/latest-mac-coinminer-utilizes-open-source-binaries-and-the-i2p-network\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"Latest Mac Coinminer Utilizes Open-Source Binaries and the I2P Network","datePublished":"2022-02-21T00:00:00+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/latest-mac-coinminer-utilizes-open-source-binaries-and-the-i2p-network\/"},"wordCount":2001,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/latest-mac-coinminer-utilizes-open-source-binaries-and-the-i2p-network\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2022\/02\/latest-mac-coinminer-utilizes-open-source-binaries-and-the-i2p-network.png","keywords":["Trend Micro Research : Articles, News, Reports","Trend Micro Research : Endpoints","Trend Micro Research : Malware","Trend Micro Research : Research"],"articleSection":["TrendMicro"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/latest-mac-coinminer-utilizes-open-source-binaries-and-the-i2p-network\/","url":"https:\/\/www.threatshub.org\/blog\/latest-mac-coinminer-utilizes-open-source-binaries-and-the-i2p-network\/","name":"Latest Mac Coinminer Utilizes Open-Source Binaries and the I2P Network 2026 | ThreatsHub Cybersecurity 
News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/latest-mac-coinminer-utilizes-open-source-binaries-and-the-i2p-network\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/latest-mac-coinminer-utilizes-open-source-binaries-and-the-i2p-network\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2022\/02\/latest-mac-coinminer-utilizes-open-source-binaries-and-the-i2p-network.png","datePublished":"2022-02-21T00:00:00+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/latest-mac-coinminer-utilizes-open-source-binaries-and-the-i2p-network\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/latest-mac-coinminer-utilizes-open-source-binaries-and-the-i2p-network\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/latest-mac-coinminer-utilizes-open-source-binaries-and-the-i2p-network\/#primaryimage","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2022\/02\/latest-mac-coinminer-utilizes-open-source-binaries-and-the-i2p-network.png","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2022\/02\/latest-mac-coinminer-utilizes-open-source-binaries-and-the-i2p-network.png","width":1427,"height":547},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/latest-mac-coinminer-utilizes-open-source-binaries-and-the-i2p-network\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"Trend Micro Research : Articles, News, 
Reports","item":"https:\/\/www.threatshub.org\/blog\/tag\/trend-micro-research-articles-news-reports\/"},{"@type":"ListItem","position":3,"name":"Latest Mac Coinminer Utilizes Open-Source Binaries and the I2P Network"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence 
Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH 
Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/45385","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=45385"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/45385\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media\/45386"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=45385"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=45385"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=45385"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}