‘Bird Miner’ Cryptominer Targeting Mac Users Who Download Pirated Software

Last updated June 23, 2021
Written by:
Bill Toulas
Bill Toulas
Infosec Writer

According to a report by Malwarebytes' researchers, there’s a new crypto-miner called 'Bird Miner' that targets Mac systems through an 'Ableton Live 10' torrent. The particular music production software costs several hundred US dollars, so many people are on the look for cracked versions that they can download without paying a dime. However, the dangers that lurk via torrents like this one have been repeatedly documented, and this is another case that underlines them. The size of the downloaded archive is 2.6 GB, and it contains shell script launch daemons that install obfuscators, system checkers, anti-snoopers, and a lot more that isn’t part of the Ableton Live 10 suite.

Since crypto-miners need CPU resources to run, it is essential for the malware to hide itself and its activities from the victim. So, the first thing that it does is check whether the Activity Monitor is running or not. If the system tool isn’t running, and if the CPU usage is below 85%, the malware proceeds by running a Qemu instance. Qemu is an open source operating system virtual box that can load and run OS image files such as .img, .iso, or .dmg. Qemu loads two .dmg images that are a custom version of 'Tiny Core' Linux, which then launch 'xmrig', the crypto-mining tool.

OSX.BirdMiner-Tiny-Core-1-600x352

Image source: blog.malwarebytes.com

While the researchers first spotted the Bird Miner installers in the pirated Ableton Live 10 torrents, there are now more files infected with it. Users on Reddit report the same type of malware being distributed through the VST Crack website during the last four months, and possibly even longer. While Bird Miner for Mac tries to hide by running inside Qemu, this is the same element that introduces its operational inefficiency. If it was to run natively instead of being emulated, it would yield more for its masters.

If you want to stay safe from this type of danger, you can follow the simple practice of not downloading pirated software via torrents. These sources of pro-grade tools are very often infected with dangerous malware, and they are not worth the risk. If you have to do it no matter what, at least make sure that you’re using an up-to-date anti-virus from a reputable vendor. Finally, perform periodical checks on what is installed on your system, and if you see something that you don’t recognize like the Qemu tool, start investigating to find out how it got there.

Have you ever had an experience with a virtual box malware on MacOS? Share the details with us in the comments down below, or on our socials, on Facebook and Twitter.



For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: