MacUpdate hacked to distribute Mac cryptominer
MacUpdate, a well-known software download website for Mac devices, was revealed to have been the victim of a cyber attack that led to it distributing cryptocurrency miners to its users. “The malware was spread via hack of the MacUpdate site, which was distributing maliciously-modified copies of the Firefox, OnyX, and Deeper applications. According to a statement posted in the comments for each of the affected apps on the MacUpdate website, this happened sometime on February 1,” Malwarebytes explains.
The attack was first noticed by security researcher Arnaud Abbati from cybersecurity company SentinelOne. Dubbed OSX.CreativeUpdate by Abbati, the malware downloads a Monero miner from Adobe Creative Cloud servers; the miner is meant to run in the background without the user noticing.
Attackers infiltrated the MacUpdate website
Reportedly, attackers managed to infiltrate the MacUpdate website, where they installed modified copies of Firefox, OnyX and Deeper. The download links for these apps were replaced so that they led to malicious domains serving those copies, which were actually cryptocurrency miners, rather than to the official app download sites. The URLs were also made to seem legitimate in case users were cautious enough to check them. OnyX and Deeper, both products of Titanium Software, should have led to titanium-software.fr, but instead the download link was replaced with titaniumsoftware.org, which would not cause much suspicion when downloading. And while the legitimate Firefox would be downloaded from mozilla.net, the link was replaced with download-installer.cdn-mozilla.net, close enough to seem authentic.
The downloaded files are .dmg files and also look pretty convincing.
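The lookalike hosts above show why a download link should be compared with the vendor's domain on a label boundary and not by plain suffix. The following shell sketch is an added example, not code from MacUpdate or Malwarebytes; the function names, URL paths and the `www` subdomain are constructed for illustration, and only the hostnames come from the article.

```shell
#!/bin/sh
# Added example: compare a download link's host with the vendor's domain.

# Lower-cased host of an http(s) URL (drops scheme, userinfo, port, path).
# Assumption: hostnames only, no bracketed IPv6 literals.
url_host() {
    rest=${1#*://}
    rest=${rest%%[/?#]*}
    rest=${rest##*@}
    rest=${rest%%:*}
    printf '%s' "$rest" | tr 'A-Z' 'a-z'
}

# Strict check: host equals the domain or ends with ".domain",
# so the match always falls on a label boundary.
host_in_domain() {
    case "$1" in
        "$2"|*".$2") return 0 ;;
        *) return 1 ;;
    esac
}

# Plain suffix match, shown only for contrast with the strict check.
naive_suffix_match() {
    case "$1" in
        *"$2") return 0 ;;
        *) return 1 ;;
    esac
}

# usage: check_link URL OFFICIAL_DOMAIN ; returns 0 on match, 1 otherwise
check_link() {
    link_host=$(url_host "$1")
    if host_in_domain "$link_host" "$2"; then
        printf 'OK       %s\n' "$link_host"
    else
        printf 'MISMATCH %s (expected %s)\n' "$link_host" "$2"
        return 1
    fi
}

# Hostnames are from the article; paths are constructed for the demo.
check_link "https://download-installer.cdn-mozilla.net/Firefox.dmg" mozilla.net || true
check_link "https://titaniumsoftware.org/OnyX.dmg" titanium-software.fr || true
check_link "https://www.titanium-software.fr/OnyX.dmg" titanium-software.fr || true
```

The first link passes `naive_suffix_match` because the string ends in `mozilla.net`, but fails `host_in_domain` because the registered domain is actually `cdn-mozilla.net`.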
“In each case, the user is asked to drag the app into the Applications folder, as would the original, non-malicious .dmg files for those apps,” Malwarebytes researcher Thomas Reed explains.
Upon further examination, it was revealed that decoy copies of the legitimate apps were also included in the malware.
“Once the application has been installed, when the user opens it, it will download and install the payload from public.adobecc.com (a legitimate site owned by Adobe). Then, it attempts to open a copy of the original app (referred to as a decoy app, because it is used to trick the user into thinking nothing’s wrong), which is included inside the malicious app,” Reed continues.
However, he explains that the process is not always successful. He notes that the fake OnyX app can run on Mac OS X 10.7 (OS X Lion) and up, while the decoy OnyX will only run on macOS 10.13 (High Sierra). So if a user whose system is between 10.7 and 10.12 (Sierra) downloads the malicious app, they will get the malware, but the decoy app will not run, making it very obvious that something is not right. And when someone downloads the fake Deeper app, they will get OnyX as the decoy, making it difficult to miss that some malicious activity is going on.
MacUpdate acknowledged the attack and apologized to users
MacUpdate has acknowledged that attackers compromised the website and, in addition to an apology, offered instructions on how to remove the malware.
“If you have installed-and-run Firefox 58.0.2, OnyX, or Deeper since 1 February 2018, please accept our apologies, but you will need to follow these steps to remove a bitcoin miner which hacked versions of those apps have installed. This is not the fault of the respective developers, so please do not blame them. The fault is entirely mine for having been fooled by the hackers,” a site editor wrote.
The statement also includes instructions on how to remove the miner:
- Delete any copies of the above titles [Firefox 58.0.2, OnyX, Deeper] you might have installed.
- Download and install fresh copies of the titles.
- In Finder, open a window for your home directory (Cmd-Shift-H).
- If the Library folder is not displayed, hold down the Option/Alt key, click on the “Go” menu, and select “Library (Cmd-Shift-L)”.
- Scroll down to find the “mdworker” folder (~/Library/mdworker/).
- Delete the entire folder.
- Scroll down to find the “LaunchAgents” folder (~/Library/LaunchAgents/).
- From that folder, delete “MacOS.plist” and “MacOSupdate.plist” (~/Library/LaunchAgents/MacOS.plist and ~/Library/LaunchAgents/MacOSupdate.plist).
- Empty the Trash.
- Restart your system.
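
The removal steps above name three artifacts under each user's home directory. The following read-only shell check for them is an added example, not part of MacUpdate's instructions; the function names are hypothetical, `/Users` is assumed as the default location of home directories, and the paths are the ones listed above.

```shell
#!/bin/sh
# Added example: read-only check for the OSX.CreativeUpdate artifacts
# named in MacUpdate's removal steps. Nothing is deleted.

# Print each artifact found under one home directory, one per line.
find_creativeupdate_artifacts() {
    h=$1
    for rel in \
        "Library/mdworker" \
        "Library/LaunchAgents/MacOS.plist" \
        "Library/LaunchAgents/MacOSupdate.plist"
    do
        # -e follows symlinks; -L also catches a dangling symlink.
        if [ -e "$h/$rel" ] || [ -L "$h/$rel" ]; then
            printf '%s\n' "$h/$rel"
        fi
    done
}

# Check every home directory under a base (assumed default: /Users).
# Returns 0 if no artifact was found, 1 otherwise.
scan_homes() {
    base=${1:-/Users}
    found=0
    for home_dir in "$base"/*; do
        [ -d "$home_dir" ] || continue
        hits=$(find_creativeupdate_artifacts "$home_dir")
        if [ -n "$hits" ]; then
            printf 'ARTIFACTS FOUND in %s:\n%s\n' "$home_dir" "$hits"
            found=1
        fi
    done
    return "$found"
}

# Run as: sh check.sh /Users   (with no argument, only defines the functions)
if [ "$#" -gt 0 ]; then
    scan_homes "$1"
fi
```

Run it with sufficient privileges to read other users' Library folders if more than one account exists on the machine.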