Platonical & Tolypeutes

Discussion in 'macOS Mojave (10.14)' started by wesjt2006, May 25, 2019.

  1. wesjt2006 macrumors newbie

    Jan 21, 2013
    I just upgraded to Mojave. I noticed some unfamiliar processes trying to make internet connections (located in usr/local/bin) and at first, I assumed they were essential to Mojave and were just included with the update. But then I inspected each one with "Get info" and found that the created date for each is anywhere between 3-10 days prior to the update. Even stranger, upon searching with Google, I can't find info for any of them.

    There's a long list of unfamiliar files, but so far, the list of processes running or attempting to connect to the internet are as follows:


    Actually, the list keeps growing as I type this, and they're all from usr/local/bin, so I'm stopping here. Are these normal for Mojave? I see a mostly consistent theme in the names, so I'm assuming they're harmless and from Apple, but considering there are no Google results, I'm just making sure.
  2. chrfr macrumors 604

    Jul 11, 2009
    Those are not part of the operating system. I'd suspect some sort of malware.
  3. Honza1 macrumors 6502

    Nov 30, 2013
    Someone just had a similar issue here (like yesterday) with similarly colorfully named processes.

    Coin mining software. Malware. Somehow you got it on your computer - probably installed with some software. You need to find who did install it and remove it. Malwarebytes may help to identify.
    A typical source is a browser extension with some supposedly useful function or some software downloaded from suspect sources.
    These can eat all your CPU - and possibly infect with worse malware over time.
  4. wesjt2006 thread starter macrumors newbie

    Jan 21, 2013
    Thank you! I'm not sure where these came from. I wish I could identify the source so other users could avoid this problem, but I'm not sure what I could have done in the past week to introduce coin mining software into my system, especially such a long list of them. There must have been 20+ processes running.

    But now I'm even more concerned. I don't see any of them flagged in my firewall software now. All the files were located in usr/local/bin, and now whenever I try to access usr/local, there is NOTHING in there. If I try "Go to Folder" and type usr/local/bin (which is what I did before), I just get the Mac "BONK" sound indicating that the action can't be completed. If I try to access it manually, I just find an empty folder.

    A few hours ago I had a plethora of strange files all located in one folder, and now it seems as though the folder itself doesn't even exist. Nothing in my firewall. Nothing at all... The farthest I can get to the original location (usr/local/bin) is usr/local. Nothing beyond that. Very strange and concerning.

    I'll try Malwarebytes or something similar and post an update.
    --- Post Merged, May 25, 2019 ---
    ...Malwarebytes found nothing. Odd.

    I guess as a warning to anyone updating: you may run into 20+ malicious processes that somehow disappear on their own. Even the directory in which they are located disappears.

    Turning on my firewall to block 100% of connections unless I manually allow it. Also keeping Activity Monitor running for the next few days until I feel like this is resolved.
    --- Post Merged, May 25, 2019 ---
    Another strange issue I've never had before - mdworker, mdworker_shared, and MTLCompilerService each have a large number of processes running.

    mdworker_shared is apparently involved with Spotlight somehow. I can believe that Spotlight is possibly indexing all of my files after the recent update... but it's been HOURS. Not sure what to make of it. And from what I can find in searches, it seems to be an active process that only runs multiple instances if you have a large number of Finder windows open. I have NO Finder windows open, but mdworker_shared is running 30 instances.

    MTLCompiler seems to be related to Metal and graphics processing for games. I'm running NOTHING. I don't even have games installed. No video editing software. Nothing. The only intensive application I have is Logic Pro X, and it's not even open, and I can't imagine why it would cause 10 instances of MTLCompiler to run.

    Not sure if these are actual issues, but I've never experienced either of these problems before the update, and considering the appearing/disappearing coin mining malware, it's worth noting.
  5. chrfr macrumors 604

    Jul 11, 2009
    I'd suggest running the app called EtreCheck and posting the report here. It'll show what's running and loaded at startup, which may look familiar to someone here.
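
As an added example (not part of the original posts): startup items on macOS are launchd jobs, so one way to follow up on "what's loaded at startup" is to check the launchd plists for jobs that start programs under /usr/local/bin. The sample jobs, labels and helper names below are constructed for illustration.

```python
import plistlib
from pathlib import Path

# Standard launchd locations for third-party startup items on macOS.
LAUNCHD_DIRS = ("~/Library/LaunchAgents", "/Library/LaunchAgents", "/Library/LaunchDaemons")
WATCHED_PREFIX = "/usr/local/bin/"  # where the thread's unknown binaries lived

def launch_target(job):
    """Return the executable a launchd job would start, or None."""
    if isinstance(job.get("Program"), str):
        return job["Program"]
    args = job.get("ProgramArguments")
    if isinstance(args, list) and args and isinstance(args[0], str):
        return args[0]
    return None

def audit_plist_bytes(name, data, prefix=WATCHED_PREFIX):
    """Return a finding for one plist, or None if it is not of interest."""
    try:
        job = plistlib.loads(data)
    except Exception:  # a malformed plist is worth a manual look
        return {"plist": name, "label": None, "target": None,
                "reason": "unparseable"}
    target = launch_target(job) if isinstance(job, dict) else None
    if target and target.startswith(prefix):
        # target_exists False means the job outlived the binary it launches.
        return {"plist": name, "label": job.get("Label"), "target": target,
                "reason": "launches from " + prefix,
                "target_exists": Path(target).exists()}
    return None

def audit_dirs(dirs=LAUNCHD_DIRS):
    """Scan the real launchd directories (run this on the Mac itself)."""
    paths = [p for d in dirs for p in sorted(Path(d).expanduser().glob("*.plist"))]
    return [f for p in paths if (f := audit_plist_bytes(str(p), p.read_bytes()))]

# Constructed sample jobs; labels and paths are made up.
SAMPLES = {
    "com.example.updater.plist": plistlib.dumps({"Label": "com.example.updater",
        "ProgramArguments": ["/usr/local/bin/example-helper", "--quiet"]}),
    "com.example.sync.plist": plistlib.dumps({"Label": "com.example.sync",
        "Program": "/Applications/Example.app/Contents/MacOS/sync"}),
    "broken.plist": b"not a plist",
}

def audit_samples():
    return [f for n, d in SAMPLES.items() if (f := audit_plist_bytes(n, d))]

if __name__ == "__main__":
    print(*audit_samples(), *audit_dirs(), sep="\n")
```

A finding is only a lead for manual review: legitimate tools installed under /usr/local/bin can register launchd jobs too.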
  6. Honza1 macrumors 6502

    Nov 30, 2013
    I would like to point out that if you have used the original Apple installer - downloaded from Apple directly - to upgrade to Mojave, you surely did not get the coin mining software infection from that installer. It just does not happen, not with Apple installers. We would have known about it. So this is NOT due to "upgrade to Mojave". It may have happened at the same time.

    Which brings up the question of what else was done at that time and if that has caused this somehow. Was the installer downloaded/obtained from another source? What else was upgraded at the same time? Could anything there be the source of this malware? Was something "side loaded" at that time? Maybe someone compromised the source of one of the existing apps on your computer, it was upgraded for Mojave after your upgrade and that started this issue? This did happen already - someone bought an app (or compromised its upgrade server) and started to distribute coin mining software with an update to the app.
    The fact that Mojave did not protest and was running obviously bad software means it had to get approval to run it - and that suggests an app got permission to run itself and was abusing it to spawn coin mining software.

    Anyway, what you see on your system is really weird. I would blast the system by now and completely reinstall from scratch - that is, boot to internet recovery and reformat the main drive. That is AFTER making a backup of my data. And move only my data files, install all applications from original sources. Very carefully I would verify all apps, if I can trust them.

    Basically, what you have seen is NOT normal, it does not happen to others, it is unique to your system. Or we would have "me too" here already many, many times.
