A new cryptocurrency miner delivered through MacUpdate has been uncovered by security researchers. The malware, discovered by SentinelOne researcher Arnaud Abbati, has been dubbed OSX.CreativeUpdate. The miner runs in the background of the system and uses its CPU to mine Monero.
The Creative.Update Mac miner was distributed through a hack of the MacUpdate website. The site was compromised to deliver modified copies of Firefox, OnyX and Deeper.
Creative.Update Mac Miner: Details of Distribution
The malware is a Platypus dropper that downloads the miner from Adobe Creative Cloud servers. Platypus itself is an open-source developer tool that packages scripts as macOS apps. The dropper is bundled with modified copies of Firefox, OnyX and Deeper, researchers say, and it tries to open the bundled app before starting the miner, so that the miner stays out of sight and does not attract the user's attention.
This cover does not always work. Take the OnyX app: the genuine version runs on Mac OS X 10.7 and higher, but the fake copy needs macOS 10.13. On systems running 10.7 through 10.12 the miner is activated, but the fake app fails to open, so nothing conceals the malicious process.
Things get even messier with Deeper: the hackers mistakenly bundled an OnyX app instead of Deeper, which leads to the malware failing to run.
As for the MacUpdate website, its editors explained that they were tricked by the hackers into providing links to the malicious bundles. They have since published instructions on how to remove the miner malware.
This is what should be done:
- Delete all copies of the above-mentioned apps;
- Download and install clean copies;
- In Finder, open a window for the home directory using Cmd+Shift+H;
- In case the Library folder is not displayed, hold down the Option/Alt key, then click on the Go menu and select Library;
- Locate the mdworker folder;
- Delete the entire folder;
- Locate the LaunchAgents folder and delete MacOS.plist and MacOSupdate.plist;
- Empty the Trash bin and restart the operating system.
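The manual steps above can be turned into a repeatable check and clean-up. The following shell script is an added example, not code from the article, from MacUpdate or from the researchers: it looks for the artifacts the steps name (the mdworker folder and the MacOS.plist and MacOSupdate.plist launch agents under ~/Library), reports them, and optionally removes them. The script takes the home directory as an argument so it can be pointed at another user's home or at a mounted volume; unloading the launch agent with launchctl before deleting its plist is an addition of ours, not one of MacUpdate's steps, and is skipped where launchctl is not available.

```shell
#!/bin/sh
# Added example (not from the article or MacUpdate): detect and remove the
# OSX.CreativeUpdate persistence artifacts named in the clean-up steps.
# Usage:  sh creativeupdate.sh scan  [HOME_DIR]
#         sh creativeupdate.sh clean [HOME_DIR]
# HOME_DIR defaults to $HOME.

# Artifacts named in the removal steps, relative to the home directory.
ARTIFACT_DIRS="Library/mdworker"
ARTIFACT_FILES="Library/LaunchAgents/MacOS.plist Library/LaunchAgents/MacOSupdate.plist"

# creativeupdate_scan HOME_DIR
# Prints each artifact present; returns 0 if none were found, 1 otherwise.
creativeupdate_scan() {
    home="${1:-$HOME}"
    found=0
    for d in $ARTIFACT_DIRS; do
        if [ -d "$home/$d" ]; then
            echo "FOUND dir:  $home/$d"
            found=1
        fi
    done
    for f in $ARTIFACT_FILES; do
        if [ -e "$home/$f" ]; then
            echo "FOUND file: $home/$f"
            found=1
        fi
    done
    [ "$found" -eq 0 ]
}

# creativeupdate_clean HOME_DIR
# Stops the launch agents where launchctl exists (macOS), deletes the plists
# and the mdworker folder, then re-scans; returns 0 only if nothing remains.
creativeupdate_clean() {
    home="${1:-$HOME}"
    for f in $ARTIFACT_FILES; do
        if [ -e "$home/$f" ]; then
            # Assumption: unloading first stops the running agent before its
            # plist disappears. Harmless if the agent is not loaded.
            if command -v launchctl >/dev/null 2>&1; then
                launchctl unload "$home/$f" 2>/dev/null || true
            fi
            rm -f "$home/$f"
            echo "REMOVED file: $home/$f"
        fi
    done
    for d in $ARTIFACT_DIRS; do
        if [ -d "$home/$d" ]; then
            rm -rf "$home/$d"
            echo "REMOVED dir:  $home/$d"
        fi
    done
    creativeupdate_scan "$home"
}

# Command dispatcher; does nothing when the script is sourced without arguments.
case "${1:-}" in
    scan)  creativeupdate_scan "${2:-}" ;;
    clean) creativeupdate_clean "${2:-}" ;;
    *)     : ;;
esac
```

Run `scan` first on every account on the machine, since the launch agents live per user; a clean scan exits 0, which makes the script usable from a fleet-management tool. Removing the artifacts stops persistence but does not replace the tampered applications, so the first two steps in MacUpdate's list (delete the bundles and reinstall clean copies) still apply.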
It should be noted that the download links for the malicious apps were active from February 1 to February 2, so anyone who downloaded one of these apps in that short window should follow the steps above.
What is most troubling about this story is MacUpdate's lack of verification of the products it distributes. This is a major security failure that users should not overlook. It may be safer to go directly to the official Mac App Store for software downloads.