Home > Cyber News > Creative.Update Mac Miner Distributed via MacUpdate

Creative.Update Mac Miner Distributed via MacUpdate

A new cryptocurrency miner delivered through MacUpdate has been uncovered by security researchers. The malware which was discovered by SentinelOne researcher Arnaud Abbati has been dubbed OSX.CreativeUpdate. The miner can reside in the background of the system and use its CPU to mine Monero.

The Creative.Update Mac miner was distributed through a hack on the MacUpdate website. The site was hacked to deliver modified copies of Firefox, OnyX and Deeper.

Related Story: WaterMiner Monero Miner Is the Newest Cryptocurrency Malware

Creative.Update Mac Miner: Details of Distribution

The miner is a Platypus dropper that downloads a miner from Adobe Creative Cloud servers. Platypus itself is an open-source developer tool that creates macOS apps using various scripts. The miner is bundled with bad copies of Firefox, OnyX and Deeper, researchers say. The miner tries to open the apps before starting itself. This is done so that the miner lays low and doesn’t attract the attention of the users.

This behavior, however, is not always successful. Let’s take the OnyX app, which will only run on Mac OS X 10.7 and higher. In order to run, the fake copy needs macOS 10.13 meaning that the miner will be activated on systems 10.7-10.12. The fake app, however, will not open to conceal the malicious process.

Things get even messier with Deeper, as hackers used an OnyX app instead of Deeper by mistake leading to the malware failing to run.

As for the MacUpdate website – the editors explained that they were fooled by the hackers to provide links to the malicious bundles. Consequently, the editors provided instructions on how to proceed to remove the miner malware.

Related Story: How to Remove Bitcoinminer.sx Miner Virus from Your Computer

This is what should be done:

  • Delete all copies of the above-mentioned apps;
  • Download and install clean copies;
  • In Finder, open a window for the home directory using Cmd+shift+H;
  • In case the Library folder is not displayed, hold down the Option/ALT key, then click on the Go menu and select Library;
  • Locate the mdworker folder;
  • Delete the entire folder;
  • Locate the LaunchAgents folder and delete MacOS.plist and MacOSupdate.plist;
  • Empty the Trash bin and restart the operating system.

It should be noted that the download links for the malicious apps were active from February 1 to February 2, meaning that all users that downloaded in this short period should follow the steps above.

What is most troubling about this story is MacUpdate’s lack of verification of the products it distributes. This is a major security failure that should not be overlooked by users. It may be a better idea to go directly to the official Mac App Store for any software downloads.

Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum since the project started. A professional with 10+ years of experience in creating engaging content. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim

More Posts

Follow Me:

Leave a Comment

Your email address will not be published. Required fields are marked *

This website uses cookies to improve user experience. By using our website you consent to all cookies in accordance with our Privacy Policy.
I Agree