Posted by z3d in Security

For the first time since November 2022, Apple last week released an update to XProtect, its built-in YARA-based malware blocking service. Version 2166 added several new signatures for a threat it labels "Honkbox", a cryptominer built on XMRig and the Invisible Internet Project (I2P). Apple's update follows new research from Jamf, which itself builds on earlier research from other sources.

Honkbox is a multistage cryptominer with three identified variants that make novel use of I2P for its command-and-control traffic. The malware has been distributed on The Pirate Bay in cracked apps for at least three years by the user wtfisthat34698409672. Many of the samples originate from trojanized versions of Logic Pro, but other popular creative applications have been abused as well, including Final Cut, Adobe Zii, Photoshop, Illustrator and Ableton Live.

Honkbox has been circulating since at least 2019 and was likely first spotted in the wild by a Reddit user asking why what appeared to be Apple software was tripping the macOS firewall.
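Since the Honkbox rules only ship with XProtect 2166 or later, the practical check for a Mac fleet is whether the installed signature bundle has reached that version. The script below is an added example (not part of the original post or Apple's tooling) that reads the version out of the XProtect bundle's Info.plist and compares it against 2166. It assumes the bundle lives at the path shown on current macOS releases and that its CFBundleShortVersionString carries the signature version; the sample plist generator is constructed so the parsing can be exercised on any host.

```shell
#!/bin/sh
# Added example, not from the original post or from Apple.
# Assumption: on current macOS the XProtect signature bundle's Info.plist sits at
# this path and stores the signature version in CFBundleShortVersionString.
XPROTECT_PLIST="/Library/Apple/System/Library/CoreServices/XProtect.bundle/Contents/Info.plist"
# First XProtect version that carries the Honkbox signatures (from the post).
HONKBOX_MIN_VERSION=2166

# Print the CFBundleShortVersionString from a plist file.
# Uses sed rather than plutil/defaults so a copied plist can also be checked
# on a non-macOS host (e.g. when triaging an image offline).
xprotect_version() {
    plist="$1"
    # Find the key, load the following line, and keep only the <string> body.
    sed -n '/<key>CFBundleShortVersionString<\/key>/{n;s/.*<string>\([^<]*\)<\/string>.*/\1/p;}' "$plist"
}

# Exit status: 0 if the bundle is at or above the Honkbox version,
# 1 if it predates it, 2 if the version could not be read.
xprotect_covers_honkbox() {
    plist="$1"
    v=$(xprotect_version "$plist")
    v="${v%%.*}"   # compare on the leading integer component only
    case "$v" in
        ''|*[!0-9]*)
            echo "could not read XProtect version from $plist" >&2
            return 2 ;;
    esac
    if [ "$v" -ge "$HONKBOX_MIN_VERSION" ]; then
        echo "XProtect $v: Honkbox signatures present (>= $HONKBOX_MIN_VERSION)"
        return 0
    fi
    echo "XProtect $v: predates Honkbox signatures (< $HONKBOX_MIN_VERSION)"
    return 1
}

# Constructed sample plist (not a real Apple file) with the given version,
# so the parser can be tried without access to a Mac.
sample_plist() {
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
	<key>CFBundleIdentifier</key>
	<string>com.apple.XProtect</string>
	<key>CFBundleShortVersionString</key>
	<string>$1</string>
</dict>
</plist>
EOF
}

# Check the live bundle when this runs on a Mac.
if [ -f "$XPROTECT_PLIST" ]; then
    xprotect_covers_honkbox "$XPROTECT_PLIST" || :
fi
```

Run it directly on an endpoint, or feed `xprotect_covers_honkbox` a plist lifted from a disk image. Note that XProtect updates arrive through the background "XProtectPlistConfigData" mechanism rather than a regular OS update, so a machine that looks fully patched can still be on an older signature set.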
