{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/appstore/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Calendar 2","Coinstash app"],"_cs_severities":["medium"],"_cs_tags":["cryptocurrency","miner","macos","appstore"],"_cs_type":"threat","_cs_vendors":["Apple","Qbix"],"content_html":"\u003cp\u003eIn March 2018, the \u0026ldquo;Calendar 2\u0026rdquo; application, distributed via the official Mac App Store, was discovered to contain hidden cryptocurrency mining capabilities. The application, developed by Qbix, utilized the \u0026lsquo;xmr-stak\u0026rsquo; miner to mine Monero (XMR) in the background, without clearly notifying users of this activity. The mining operation\u0026rsquo;s statistics were reported to a remote server. While the application did contain some level of disclosure regarding its mining activities, users expressed dissatisfaction. The application has since been removed from the Mac App Store following reports to Apple. 
The discovery highlights the challenges of vetting applications in official app stores and the potential for abuse of system resources for financial gain.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA user downloads and installs the \u0026ldquo;Calendar 2\u0026rdquo; application from the official Mac App Store.\u003c/li\u003e\n\u003cli\u003eUpon launch, the application\u0026rsquo;s \u003ccode\u003eapplicationDidFinishLaunching:\u003c/code\u003e delegate method executes.\u003c/li\u003e\n\u003cli\u003eThis triggers a call to \u003ccode\u003e[MinerManager manager]\u003c/code\u003e which initializes a \u003ccode\u003eMinerManager\u003c/code\u003e object.\u003c/li\u003e\n\u003cli\u003eDuring initialization, the \u003ccode\u003erunMining\u003c/code\u003e method is invoked.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003erunMining\u003c/code\u003e method interacts with the \u003ccode\u003eCoinstash_XMRSTAK.framework\u003c/code\u003e, specifically calling the \u003ccode\u003e+[Coinstash_XMRSTAK.Coinstash startMiningWithPort:password:coreCount:slowMemory:currency:]\u003c/code\u003e method.\u003c/li\u003e\n\u003cli\u003eThis method executes the \u003ccode\u003exmr-stak\u003c/code\u003e miner binary located within the framework.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003exmr-stak\u003c/code\u003e miner connects to a mining pool (\u003ccode\u003epool.graft.hashvault.pro:7777\u003c/code\u003e) and begins mining Monero (XMR) using CPU resources.\u003c/li\u003e\n\u003cli\u003eThe application periodically sends mining statistics to \u003ccode\u003ecalendar.qbix.com/api/mining\u003c/code\u003e.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe \u0026ldquo;Calendar 2\u0026rdquo; application surreptitiously utilized users\u0026rsquo; CPU resources to mine Monero, leading to performance degradation and increased power consumption. 
While the exact number of affected users is unknown, the application\u0026rsquo;s presence on the Mac App Store suggests a potentially wide reach. Successful exploitation could lead to reduced system lifespan due to increased heat and stress on hardware components. The mining profits accrued to the developer, \u003ca href=\"mailto:greg@qbix.com\"\u003egreg@qbix.com\u003c/a\u003e, at the expense of unsuspecting users.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process creations for the execution of \u003ccode\u003exmr-stak\u003c/code\u003e from within application frameworks, using the provided Sigma rule, to detect potentially malicious cryptocurrency mining activity.\u003c/li\u003e\n\u003cli\u003eEnable process monitoring with command-line argument logging to identify processes connecting to known cryptocurrency mining pools (see \u003ccode\u003exmr-stak\u003c/code\u003e command-line arguments in the attack chain).\u003c/li\u003e\n\u003cli\u003eInspect network traffic for connections to \u003ccode\u003ecalendar.qbix.com/api/mining\u003c/code\u003e to identify applications reporting mining statistics.\u003c/li\u003e\n\u003cli\u003eDeploy the file integrity monitoring rule to track changes in application frameworks that may indicate the addition of mining capabilities.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T18:21:00Z","date_published":"2024-01-03T18:21:00Z","id":"/briefs/2024-01-calendar-miner/","summary":"The 'Calendar 2' application, available on the official Mac App Store, was found to surreptitiously mine cryptocurrency on users' Macs, utilizing the 'xmr-stak' miner to mine Monero (XMR) and report mining operations to calendar.qbix.com.","title":"Calendar 2 Mac App Store Application Mines Cryptocurrency","url":"https://feed.craftedsignal.io/briefs/2024-01-calendar-miner/"}],"language":"en","title":"CraftedSignal Threat Feed — Appstore","version":"https://jsonfeed.org/version/1.1"}