Author Topic: CryptoMiner MACOS:Miner-AK [trj]  (Read 1532 times)

Offline thealfons

  • Newbie
  • Posts: 1
CryptoMiner MACOS:Miner-AK [trj]
« on: March 05, 2021, 08:26:49 AM »
Hi guys! I recently discovered that my Mac was infected with this crypto-miner malware: CryptoMiner MacOS:Miner-AK [trj].

Avast informed me that it had discovered a cryptominer while I was executing this command in the terminal.

Code:
#!/bin/bash
function clear {
    LGC=`ps aux |grep "qemu-system-x86_64" |wc -l`
    if [ $LGC -ge 2 ]
    then
        launchctl unload -w /Library/LaunchDaemons/com.modulesys.qemuservice.plist
        launchctl unload -w /Library/LaunchDaemons/com.buildtools.tools-service.plist
        launchctl unload -w /Library/LaunchDaemons/com.buildtools.system-monitor.plist
        launchctl unload -w /Library/LaunchDaemons/com.systools.cpumonitor.plist
        rm -f /Library/LaunchDaemons/com.buildtools.system-monitor.plist
        rm -f /Library/LaunchDaemons/com.modulesys.qemuservice.plist
        rm -f /Library/LaunchDaemons/com.buildtools.tools-service.plist
        rm -f /Library/LaunchDaemons/com.systools.cpumonitor.plist
        rm -rf /Library/Application\ Support/.Qemusys
        rm -rf /usr/local/bin/.Tools-Service
        rm -rf /Library/Application\ Support/.System-Monitor/
        rm -rf /usr/local/*
    fi
    exit 0
}
clear;

I already deleted the files at .bin_sessions, but it always comes back. Is there a way to find the culprit and delete it?

Offline Vladimirz

  • Avast team
  • Jr. Member
  • Posts: 26
Re: CryptoMiner MACOS:Miner-AK [trj]
« Reply #1 on: March 08, 2021, 10:12:18 AM »
Hi. Thanks for your report. Detection was corrected and will be updated during the next VPS update.
Cheers.