Fake Adobe Zii On MacOS Steals Credit Card Info And Mines Monero

Fake Adobe Zii On MacOS Steals Credit Card Info

Just like technology, the cyber threats have become ubiquitous and becoming more aggressive with time. It is not new that cyber criminals work over different ways to attack your machine with malware. However, a recent incident was caught when a malware, posing to be Adobe Zii (a tool used to crack Adobe tools) was found stealing credit card information and mining Monero cryptocurrency over Mac OS systems. This is for sure is one of the most unusual ways to attack machines.


Img src: macdownload


Technical Analysis:

Upon scrutinizing its process, it was found that the malware comes on any target machine as ‘Adobe Zii.app’ file, which upon execution uses the automator.app to begin the Bash script codes from Adobe Zii.app\Contents\document.wflow.

Technical Analysis

IMG SRC: trendmicro


Must Read : Business Data Is Crucial: Keep It Safe!

When the copy of Adobe Zii.app was launched, it was observed that it downloads sample.app from hxxp://46[.]226[.]108[.]171:80/sample.zip, and saves it to the user directory ~/. Then, the contents are extracted and launched on the system. Here, it uses the original Adobe Zii.app to camouflage its ill activities in the background.

The research team also reveals that the malware connects to  hxxps://ptpb.pw/jj9a that  contains an encrypted Python script. This script checks the status of Little Snitch (a host-based application firewall for MacOS) status. If it’s found not active, the script then further connects to hxxp://46[.]226[.]108[.]171:4444/login/process.php.

How does fake Adobe Zii steals credit card info?

The uploadminer.sh consists of routines that are capable of identity theft from Google Chrome web browser. Target information includes origin URL, credit card, expiration date, username,and  password.


IMG SRC: trendmicro


The malware connects to hxxp://46[.]226[.]108[.]171/harmlesslittlecode[.]py and saves the Python script on your Mac at ~/Library/Application Support/Google/Chrome/Default. This script is used to display all the decrypted information from Google Chrome browser. Once the malware finds the desired data, it is collected as a .txt file and would be .zip-compressed along with Google Chrome cookies. The file then be saved as ~/Library/Application Support/Google/Chrome/Default/{username}.zip and simultaneously be uploaded to hxxp://46[.]226[.]108[.]171:8000.

Also Read : How To Bypass Credit Card & ATM Skimmers?

How does it mine the cryptocurrency?

The fake Adobe Zii malware downloads plist file from hxxp://46[.]226[.]108[.]171/com[.]apple[.]rig2[.]plist and stores it to ~/Library/LaunchAgents. This plist is used to run the xmrig2 to mine cryptocurrency.

The malware also downloads plist file from hxxp://46[.]226[.]108[.]171/com[.]apple[.]proxy[.]initialize[.]plist that contains Python commands that are similar to the one that checks the Little Snitch’s status and connects to the encrypted Empyre backend. To get it auto started, the plist files are loaded in the system through the launchctl command.

To mine the cryptocurrency, the malware connects to hxxp://46[.]226[.]108[.]171/xmrig2 and saves a file to /Users/Shared/xmrig2. The saved file works as a commandline app that is used to mine Monero specifically.


It uses below credentials to mine cryptocurrency on an infected machine.


Overall, the fake Adobe Zii may turn up to be an evil malware if it gets through your machine. It may collect all the information of your credit card and even ignite a mining process for Monero cryptocurrency. It is important that you keep your Mac machine intact with a dedicated anti malware for Mac and practice healthy browsing.

You may also like...

Leave a Reply

Your email address will not be published. Required fields are marked *