Over the past couple weeks, multiple reports about cryptojacking and cryptocurrency-stealing Mac malware have surfaced. Apple calls this Trojan horse malware “Honkbox.”
Let’s examine what we know about this malware, and how to safely remove it from infected systems.
In this article:
- What is Honkbox’s history, and how was it discovered?
- What does Honkbox do to an infected computer?
- Who created Honkbox malware?
- What else is noteworthy about Honkbox malware?
- How can one remove or prevent Honkbox and other Mac malware?
- Honkbox indicators of compromise (IoCs)
- Is Honkbox known by any other names?
- How can I learn more?
What is Honkbox’s history, and how was it discovered?
Early last year, on February 21, 2022, Trend Micro researcher Luis Magisa wrote what may have been the first public report about the malware that later became known as Honkbox. Magisa described the malware as the “latest Mac coinminer,” noting that it “utilizes open-source binaries and the I2P network” (more on that in a moment).
On February 23, 2023, Jamf researchers published their own research, calling it “evasive cryptojacking malware” found in pirated Mac apps. According to their report, Jamf had been tracking recent developments of the malware family for a few months prior to publishing their research. Intego had also internally analyzed many Honkbox-related coin-miner malware samples months prior to Jamf’s write-up.
New variants of this malware initially came on Jamf’s radar during routine threat hunting, when they noticed that a Trojanized version of Apple’s Final Cut Pro included XMRig, which is cross-platform cryptocurrency mining software. (As an aside, Intego has previously written about a PUA in the Mac App Store that utilized similar mining software, XMR-Stak, in violation of Apple’s policies.)
The malware also employed Invisible Internet Project (I2P, or I2PD) technology (similar to Tor) to mask its bad network behavior, which included downloading payloads and sending any mined cryptocurrency to the malware maker. Notably, this is—to our recollection, and that of other researchers—likely the first Mac malware that has leveraged I2P. Both I2PD and XMRig are open-source utilities.
Jamf’s research team was able to locate the malware sample in the wild via a mirror of The Pirate Bay, a BitTorrent file distribution site. The same user who had shared the pirated and Trojanized copy of Final Cut Pro had also been offering a number of other apps illegitimately since August 2019. Some of these Trojan horses have included Apple’s Logic Pro X, Adobe Photoshop, Adobe Illustrator, Adobe Zii (a product activator), Ableton Live, as well as CleanMyMac X. SentinelOne’s Phil Stokes points to a November 1, 2019 Reddit post as the first known public request for help from a Honkbox-infected user.
Over time, the malware maker had found new ways of disguising its malicious behavior to better avoid detection by common antivirus software. For example, because crypto-mining takes a lot of processing power and can cause a computer to slow down significantly, the malware developer added a function to watch for the user to open Activity Monitor. If the malware detected that Activity Monitor was open, it would instantly terminate the mining processes to prevent the user from figuring out what was causing the system slowdown. And, just in case the user were to turn to a third-party process monitor, the malware also disguised its processes in plain sight by naming them after legitimate Spotlight system processes.
Following Jamf’s report, Apple added signatures for this malware to XProtect, a bare-bones “anti-malware” feature built into macOS; Stokes noted that this was Apple’s first signature update in months (three months and twelve days, to be exact, between November 10 and February 22). (This, by the way, is just one reason why it’s so important to use Mac antivirus software; Apple’s built-in protection is minimal, incomplete, and rarely updated.) While Trend Micro and Jamf hadn’t given the malware a unique name of its own, Apple first called it “HONKBOX” in its signatures, with three sub-variants: A, B, and C. Stokes did his own deep dive into the Honkbox malware, published on March 1.
What does Honkbox do to an infected computer?
Honkbox malware is distributed via Trojanized, pirated software. Its primary purpose seems to be using victims’ (pirates’) computers to mine for cryptocurrency on behalf of the malware maker. Cryptojacking—that is, unauthorized use of a computing device to mine for cryptocurrency—has a tendency to cause infected devices to slow down significantly. Cryptojacker malware may also cause devices to overheat.
Early variants of Honkbox established persistence, meaning they could relaunch themselves after an infected Mac had restarted. More recent Honkbox variants are stealthier, opting to only reactivate when a victim opens (or attempts to use) the pirated software. The malware intentionally tries to hide itself by using Apple process names, and also by suspending its mining processes whenever the user opens Activity Monitor to try to figure out why their system is running slowly.
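The two evasion tricks described above (pausing when Activity Monitor opens, and naming the miner after Spotlight daemons) suggest a simple triage check. The following is an added example of my own, not code from the Intego article or from any vendor tool: it parses a `ps` snapshot and flags processes that carry a Spotlight daemon's name but run from outside Apple's system directories. It assumes that `mds`, `mds_stores`, `mdworker`, and `mdworker_shared` are the Spotlight names an impostor would imitate, and that Apple's genuine copies always live under `/System` or `/usr`; the sample process table is constructed.

```python
"""Added triage check; this is my example, not code from the Intego article
or from any vendor tool. It flags running processes that borrow a Spotlight
daemon's name but execute from outside Apple's system locations, which is the
"hide in plain sight" trick the article describes.

Assumptions (mine): the Spotlight daemon names below are the ones macOS
ships, and Apple's copies always live under /System or /usr, so a same-named
binary anywhere else deserves a look."""
import subprocess

# Legitimate Spotlight daemon names on macOS (assumption: the set an impostor
# process would imitate).
SPOTLIGHT_NAMES = {"mds", "mds_stores", "mdworker", "mdworker_shared"}

# Prefixes under which Apple's own (SIP-protected) system binaries live.
SYSTEM_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/")

# Constructed sample of `ps -axo pid=,ppid=,pcpu=,comm=` output: one genuine
# Spotlight worker, one impostor burning CPU from a hidden folder inside a
# user's home directory, and two unrelated processes.
SAMPLE_PS = """\
  412     1  0.3 /System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/Metadata.framework/Versions/A/Support/mdworker_shared
  877     1 98.7 /Users/alice/Library/Application Support/.cache/mdworker
  901   877  0.0 /bin/bash
 1034     1  0.1 /Applications/Safari.app/Contents/MacOS/Safari
"""


def parse_ps(text):
    """Turn `pid ppid pcpu comm` rows into dicts. The command path can contain
    spaces, so only the first three columns are split off."""
    rows = []
    for line in text.splitlines():
        parts = line.split(None, 3)
        if len(parts) < 4:
            continue
        pid, ppid, pcpu, path = parts
        rows.append({"pid": int(pid), "ppid": int(ppid),
                     "pcpu": float(pcpu), "path": path})
    return rows


def spotlight_impostors(rows):
    """Return rows whose executable name matches a Spotlight daemon but whose
    path is not under one of the system prefixes."""
    hits = []
    for row in rows:
        name = row["path"].rsplit("/", 1)[-1]
        if name in SPOTLIGHT_NAMES and not row["path"].startswith(SYSTEM_PREFIXES):
            hits.append(row)
    return hits


def live_rows():
    """Snapshot the real process table (macOS `ps` flags; run this on a Mac)."""
    out = subprocess.run(["ps", "-axo", "pid=,ppid=,pcpu=,comm="],
                         capture_output=True, text=True, check=True).stdout
    return parse_ps(out)


if __name__ == "__main__":
    for hit in spotlight_impostors(parse_ps(SAMPLE_PS)):
        print(f"pid {hit['pid']} ({hit['pcpu']}% CPU) runs {hit['path']}")
```

Because the miner only pauses when Activity Monitor itself is open, a `ps` snapshot taken from Terminal (or scheduled periodically) is less likely to be blinded by the evasion; the combination to look for is a Spotlight-sounding name, a non-system path, and sustained high CPU.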
Who created Honkbox malware?
The Pirate Bay user named “wtfisthat34698409672” is one known distributor of the malware. Given that Honkbox’s primary purpose appears to be cryptomining on behalf of the malware’s maker, it seems very likely that this user either is, or is a close associate of, the malware developer.
Mac malware developers these days typically code-sign (and get Apple to notarize) their malware to ensure that it will work properly on the latest versions of macOS. One Apple Developer ID that signed a variant of this malware used the name “Mucke N.S. Doo,” which is probably not a real name.
What else is noteworthy about Honkbox malware?
In macOS Ventura, it’s more difficult for a maliciously modified (Trojanized) app to run. Many of the pirated apps will refuse to run on macOS Ventura, although the malware itself does successfully run. This should seem suspicious to the user, but by the time they realize they’ve been duped, the malware has already started running on their system.
Users of macOS Ventura may see a dialog box similar to the following when a Trojanized app fails its code-signing check:
“Final Cut Pro” is damaged and can’t be opened. You should move it to the Trash.
This file was downloaded on an unknown date.
(Move to Trash) (Cancel)
Interestingly, the B and C variants do not install methods of persistence, meaning that the malware won’t automatically launch itself again after each reboot. Instead, the malware maker opted to make these variants run only when the user launches the Trojanized app. Due to the aforementioned changes in macOS Ventura, the malware will be active for much less time on Ventura than when run on previous macOS versions.
The fact that macOS Ventura users have somewhat increased protection against harmful app modifications is one of many reasons why running the latest version of macOS is essential for your security.
As mentioned previously, Honkbox seems to be the first Mac malware to leverage I2P, the Invisible Internet Project, as a means of hiding its network traffic. Magisa noted that in years past, some previous Mac malware has utilized Tor (aka TOR, The Onion Router) for this purpose, including KeRanger and Eleanor (2016) and Dok (2017).
How can one remove or prevent Honkbox and other Mac malware?
Intego VirusBarrier X9, included with Intego’s Mac Premium Bundle X9, can protect against, detect, and eliminate Mac malware. Intego software detects components of this threat under the names OSX/Honkbox, OSX/CoinMiner, OSX/Miner, and OSX/Agent.
If you believe your Mac may be infected, or to prevent future infections, it’s best to use antivirus software from a trusted Mac developer. VirusBarrier is award-winning antivirus software, designed by Mac security experts, that includes real-time protection. It runs natively on a wide range of Mac hardware and operating systems, including the latest Apple silicon Macs running macOS Ventura.
If you use a Windows PC, Intego Antivirus for Windows can keep your computer protected from PC malware.
In general, it’s always a good idea to avoid downloading software (or other potentially pirated content) from torrents. See our related article about how torrent sites are a malware cesspool.
Note: Intego customers running VirusBarrier X8, X7, or X6 on older versions of Mac OS X are also protected from this threat. It is best to upgrade to the latest versions of VirusBarrier and macOS, if possible, to ensure your Mac gets all the latest security updates from Apple.
Honkbox indicators of compromise (IoCs)
Magisa and Stokes note the following file paths associated with Honkbox malware. Note that the tilde (~) indicates a particular user’s home folder, for example
Files with the following 171 hashes have been identified as affiliated with Honkbox-related malware campaigns:
Note that the first 131 file hashes listed above are SHA-256 hashes; the corresponding files are all available to security researchers via VirusTotal, except for one from Trend Micro’s report, namely c0c4826e513239094c63382b5a726e056ae7f7759abc56bf807748ecfbfbb284. The next batch of 40 shorter SHA-1 hashes were included in Jamf’s write-up but were not available on VirusTotal at the time of this blog post’s publication.
Apple Developer IDs including the following have been used as part of this campaign:
MUCKE N.S. DOO (XFQL4XQZYW)
Command-and-control (C&C) domains and IP addresses that have been associated with related malware include:
A number of Dropbox URLs have reportedly hosted related Mac malware; these URLs are no longer active:
Network administrators can check recent network traffic logs to try to identify whether any computers on their network may have attempted to contact these domains, IPs, or URLs, which could indicate a possible infection.
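To show how the indicator types in this section are actually consumed, here is an added example of my own, not code from the Intego article or any vendor product. It matches file hashes (SHA-256 and SHA-1), the Developer ID Team ID from `codesign -dvv` output, and hosts in network log lines against indicator sets. The only real values in it come from this article: the SHA-256 `c0c4826e513239094c63382b5a726e056ae7f7759abc56bf807748ecfbfbb284` and the Team ID `XFQL4XQZYW`. The domain, IP address, codesign excerpt and log lines are constructed placeholders, since the article's network list is not reproduced here.

```python
"""Added IoC sweep; this is my example, not code from the Intego article or
any vendor product. It checks three indicator types this section lists:
file hashes, the Developer ID Team ID, and C&C hosts in network logs.

Values taken from the article: the SHA-256
c0c4826e513239094c63382b5a726e056ae7f7759abc56bf807748ecfbfbb284 and the
Team ID XFQL4XQZYW. The domain, IP, codesign output and log lines below are
constructed placeholders (assumptions), not real Honkbox indicators."""
import hashlib
import re

IOC_SHA256 = {"c0c4826e513239094c63382b5a726e056ae7f7759abc56bf807748ecfbfbb284"}
IOC_SHA1 = set()               # Jamf's SHA-1 list would be loaded here
IOC_TEAM_IDS = {"XFQL4XQZYW"}  # from "MUCKE N.S. DOO (XFQL4XQZYW)"
IOC_DOMAINS = {"c2.example.invalid"}  # PLACEHOLDER, not a real Honkbox domain
IOC_IPS = {"192.0.2.10"}              # PLACEHOLDER (RFC 5737 test address)

# Constructed excerpt of `codesign -dvv` output for a Trojanized app.
SAMPLE_CODESIGN = """\
Executable=/Applications/Final Cut Pro.app/Contents/MacOS/Final Cut Pro
Authority=Developer ID Application: MUCKE N.S. DOO (XFQL4XQZYW)
TeamIdentifier=XFQL4XQZYW
"""

# Constructed DNS and proxy log lines; only the first two touch an indicator.
SAMPLE_LOG = """\
2023-02-24T10:01:12Z dns client=10.0.0.5 qname=c2.example.invalid
2023-02-24T10:01:13Z proxy client=10.0.0.5 dst=192.0.2.10:443 method=CONNECT
2023-02-24T10:02:00Z dns client=10.0.0.7 qname=www.apple.com
"""

HOST_RE = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b", re.IGNORECASE)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def hash_bytes(data):
    """Return (sha256, sha1) hex digests for an in-memory blob."""
    return hashlib.sha256(data).hexdigest(), hashlib.sha1(data).hexdigest()


def hash_file(path):
    """Return (sha256, sha1) hex digests, reading the file in 64 KiB chunks."""
    h256, h1 = hashlib.sha256(), hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h256.update(chunk)
            h1.update(chunk)
    return h256.hexdigest(), h1.hexdigest()


def match_digests(d256, d1, sha256_set=IOC_SHA256, sha1_set=IOC_SHA1):
    """Return the matching indicator digest, or None."""
    if d256 in sha256_set:
        return d256
    if d1 in sha1_set:
        return d1
    return None


def match_file(path, sha256_set=IOC_SHA256, sha1_set=IOC_SHA1):
    """Hash a file on disk and look it up in both indicator sets."""
    return match_digests(*hash_file(path), sha256_set, sha1_set)


def team_id_from_codesign(output):
    """Pull TeamIdentifier= out of `codesign -dvv` text (None if absent)."""
    m = re.search(r"^TeamIdentifier=(\S+)$", output, re.MULTILINE)
    return m.group(1) if m else None


def signed_by_ioc_team(output, team_ids=IOC_TEAM_IDS):
    """True when the signing Team ID is on the indicator list."""
    return team_id_from_codesign(output) in team_ids


def scan_log(lines, domains=IOC_DOMAINS, ips=IOC_IPS):
    """Return (line_number, indicator) for each line naming a listed host/IP."""
    hits = []
    for n, line in enumerate(lines, 1):
        for ip in IP_RE.findall(line):
            if ip in ips:
                hits.append((n, ip))
        for host in HOST_RE.findall(line):
            if host.lower() in domains:
                hits.append((n, host.lower()))
    return hits


if __name__ == "__main__":
    print("Team ID hit:", signed_by_ioc_team(SAMPLE_CODESIGN))
    for n, ioc in scan_log(SAMPLE_LOG.splitlines()):
        print(f"log line {n}: contact with indicator {ioc}")
```

Feed `scan_log` your DNS resolver or proxy export one line at a time and replace the placeholder sets with the article's lists; `match_file` is the piece to run over a suspect app bundle's `Contents/MacOS` directory, and `team_id_from_codesign` takes the text that `codesign -dvv` writes to stderr.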
Is Honkbox known by any other names?
Prior to Apple giving it the name Honkbox, this malware was mostly known by generic “CoinMiner” or “Miner” monikers.
While investigating other recent malware campaigns, our malware research team observed that a cryptocurrency stealer malware family that’s being called PureLand (or Vakksdr Stealer) matched our existing signatures for Honkbox. Therefore we have realigned our detection and consider these recent PureLand samples to be part of the Honkbox family. The lists of SHA-256 hashes, domains, IPs, and URLs above include some related to PureLand.
Other vendors’ names for threat components related to this malware campaign may include variations of the following, among others:
A Variant Of OSX/CoinMiner.AC, A Variant Of OSX/CoinMiner.AD, A Variant Of OSX/CoinMiner.Q, A Variant Of OSX/CoinMiner.W, Application.MAC.Miner.AJB, Coinminer.MacOS.MALXMR.H, Gen:Variant.Trojan.MAC.PureLand.1 (2x), HackTool.XMRMiner!1.ADCC (CLASSIC), HEUR:Trojan-Dropper.OSX.Agent.gen, HEUR:Trojan-Dropper.OSX.Agent.m, HEUR:Trojan-Dropper.OSX.Padzer.e, HEUR:Trojan-Dropper.OSX.Padzer.f, HEUR:Trojan-PSW.OSX.Pureland.gen, Honkbox_A, Honkbox_B, Honkbox_C, MacOS:Agent-JM [Trj], MacOS:Agent-JQ [Trj], MacOS:Agent-WN [Drp], MacOS:Agent-XI [Trj], MACOS.HONKBOX.A, MACOS.HONKBOX.B, MACOS.HONKBOX.C, MacOS/CoinMiner.A, Malware.MacOS-Script.Save.e4825366, Malware.OSX/Agent.ctche, Malware.OSX/Agent.jfggl, Malware.OSX/Agent.zobat, Multios.Coinminer.Miner-6781728-2, OSX_CoinMiner.PFL, OSX.Trojan.Agent.5V7AH3, Osx.Trojan.Coinminer.Bgow, OSX.Trojan.Gen.2, OSX/Agent.CJ, OSX/Agent.G!tr, OSX/Agent.gixtd, OSX/Agent.wguen, OSX/CoinMine-BU, OSX/CoinMine-CS, OSX/CoinMiner.bdmlu, OSX/CoinMiner.ext, OSX/CoinMiner.pjtut, OSX/CoinMiner.qfokr, OSX/Honkbox.ext, OSX/Miner.AC!tr, OSX/Miner.gen, OSX/Miner.qt, OSX/Miner.shell, Other:Malware-gen [Trj], Password-Stealer (0040f1771), PUA.MacOS.PURPLEPROXY.MANP, PUA.MacOS.PURPLEPROXY.MSGEM20, RDN/Generic.osx, Riskware/Application!OSX, Script.Trojan.A7586096, TROJ_FRS.0NA103BM22, TROJ_FRS.0NA104A223, Trojan (0040f28a1), Trojan:MacOS/Multiverze, Trojan:MacOS/SAgent!MTB, trojan:OSX/Honkbox.ext, trojan:OSX/PureLand.ext, Trojan.CoinMiner.OSX.44, Trojan.Generic.D3056588, Trojan.Generic.D3EB7491, Trojan.GenericKD.50685320, Trojan.GenericKD.65762449, Trojan.I2pdMiner/OSX!1.D989, Trojan.MAC.Generic.111680, Trojan.MAC.Generic.111683, Trojan.MAC.Generic.111728, Trojan.MAC.Generic.111730, Trojan.MAC.Generic.11970, Trojan.MAC.Generic.D1B440, Trojan.MAC.Generic.D1B443, Trojan.MAC.Generic.D1B470, Trojan.MAC.Generic.D2EC2, Trojan.MAC.Miner.AF, Trojan.MAC.Miner.AS, Trojan.MAC.Miner.AT, Trojan.MacOS.PADZER.MANP, Trojan.MacOS.PADZER.MSMEK20, Trojan.MacOS.PADZER.MSMH321, Trojan.MacOS.PADZER.RSMSMEL20, Trojan.Malware.121218.susgen, Trojan.OSX.Agent.4!c, Trojan.OSX.Coinminer, Trojan.OSX.Generic.4!c, Trojan.Shell.Agent.cp, Trojan.Shell.Agent.CQ, Trojan.Win32.SHELL.VSNW05C23, Trojan/Bash.Generic.SC186845, Trojan/OSX.CoinMiner
How can I learn more?
For additional technical information about the Honkbox malware, including reverse-engineering analyses, you can refer to the detailed write-ups by Luis Magisa of Trend Micro, Matt Benyo, Ferdous Saljooki, and Jaron Bradley of Jamf and Phil Stokes of SentinelOne. See also Stokes’ follow-up tweet. We also acknowledge the research into PureLand from Daniel Stinson (see his tweet thread and hash list) and iamdeadlyz (see their tweet thread and write-up).
We briefly discussed Honkbox on episode 281 of the Intego Mac Podcast:
Each week on the Intego Mac Podcast, Intego’s Mac security experts discuss the latest Apple news, including security and privacy stories, and offer practical advice on getting the most out of your Apple devices. Be sure to follow the podcast to make sure you don’t miss any episodes.
You can also subscribe to our e-mail newsletter and keep an eye here on The Mac Security Blog for the latest Apple security and privacy news. And don’t forget to follow Intego on your favorite social media channels: