Mac crypto miner distributed via MacUpdate, other software download sites

Software download site/aggregator MacUpdate has been spotted delivering a new Mac crypto miner to users.

A rare threat

Stealthy cryptocurrency miners are most often aimed at Windows and browser users (e.g., the Coinhive script), but no one is safe, neither Linux users nor Mac users, even though cryptocurrency-mining malware targeting Macs is relatively rare.

The first instance of such malware was spotted back in 2011, when the DevilRobber Trojan was found to have, among other things, the ability to use CPU and GPU time on infected Macs to perform Bitcoin mining.

In August and November, 2017, SentinelOne researchers found and analyzed two Monero cryptocurrency mining Trojans targeting macOS: Pwnet and CpuMeaner.

CreativeUpdate, as this newest crypto miner has been dubbed, is just the latest attempt to target Mac users, many of whom are lulled into a false sense of security by the relatively small amount of Mac-specific malware out there.

Faulty malware

As noted by security researcher Arnaud Abbati of SentinelOne, the CreativeUpdate trojan/miner “is a Platypus dropper downloading a miner from Adobe Creative Cloud servers.” (Platypus is an open source developer tool that makes macOS applications from a variety of scripts.)

The malware has been bundled with decoy copies of Firefox, OnyX, and Deeper, and tries to open them before starting itself so that users don’t get suspicious. But it’s not always successful.

“For example, the malicious OnyX app will run on Mac OS X 10.7 and up, but the decoy OnyX app requires macOS 10.13. This means that on any system between 10.7 and 10.12, the malware will run, but the decoy app won’t open to cover up the fact that something malicious is going on,” Malwarebytes researcher Thomas Reed noted.

“In the case of the Deeper app, the hackers got even sloppier, including an OnyX app instead of a Deeper app as the decoy by mistake, making it fail similarly but for a more laughable reason.”
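The mismatches Reed describes can be checked in a downloaded bundle before it is opened: does the app carry a second app whose Info.plist disagrees with the wrapper's? The Python sketch below is an added example, not code from the researchers quoted here; it assumes the decoy sits under Contents/Resources of the wrapper, and the sample bundles are constructed.

```python
import plistlib, tempfile
from pathlib import Path
from xml.parsers.expat import ExpatError

def read_info(app):
    """Parse <app>/Contents/Info.plist; return {} if missing or malformed."""
    try:
        with open(Path(app) / "Contents" / "Info.plist", "rb") as fh:
            return plistlib.load(fh)
    except (OSError, ValueError, ExpatError):
        return {}

def vers(text):
    """'10.13' -> (10, 13), so 10.13 sorts above 10.7 (string comparison would not)."""
    return tuple(int(p) for p in str(text).split(".") if p.isdigit())

def audit_bundle(app):
    """Compare an app with every .app nested in its Resources (assumed decoy location)."""
    app = Path(app)
    resources = app / "Contents" / "Resources"
    if not resources.is_dir():
        return []
    outer, findings = read_info(app), []
    for inner_app in sorted(resources.rglob("*.app")):
        inner = read_info(inner_app)
        have, need = outer.get("LSMinimumSystemVersion"), inner.get("LSMinimumSystemVersion")
        # Wrapper launches on systems where the nested app cannot open.
        if have and need and vers(need) > vers(have):
            findings.append(("min-os-mismatch", inner_app.name, have, need))
        # Nested app is not the product the wrapper claims to be.
        if inner.get("CFBundleName") != outer.get("CFBundleName"):
            findings.append(("name-mismatch", inner_app.name,
                             outer.get("CFBundleName"), inner.get("CFBundleName")))
    return findings

def make_bundle(path, name, min_os):
    """Write a minimal constructed bundle (Info.plist only) for the demo."""
    (path / "Contents" / "Resources").mkdir(parents=True)
    with open(path / "Contents" / "Info.plist", "wb") as fh:
        plistlib.dump({"CFBundleName": name, "LSMinimumSystemVersion": min_os}, fh)
    return path

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed sample: wrapper named Deeper (10.7+) carrying an OnyX decoy (10.13+).
        outer = make_bundle(Path(tmp) / "Deeper.app", "Deeper", "10.7")
        make_bundle(outer / "Contents" / "Resources" / "OnyX.app", "OnyX", "10.13")
        for finding in audit_bundle(outer):
            print(finding)
```

Legitimate apps also ship helper apps, so a finding is a reason to inspect the bundle, not a verdict.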

How did the malware end up on the MacUpdate site?

Technically, it didn’t. One of the site’s editors explained that he had been fooled by attackers into posting links to the malicious bundles, and offered instructions on how to remove the malware.


The links were up from February 1 to February 2, 2018, so users who downloaded those apps during that time will want to check whether their machines have been infected. For now, it seems that other apps were not affected.

Also, in an interesting turn of events, it seems that other download sites made the same mistake.

But whether they’ve also been tricked into publishing the malicious links or they merely copied them from the MacUpdate site is unknown. And, unfortunately, none of these sites show warnings for potentially affected users.

“The only mention you will see at MacUpdate is in comments added to the three downloads which are known to have been affected,” notes Howard Oakley.

“What is most shocking in this case is MacUpdate’s almost secretive approach to its error. It demonstrates that MacUpdate’s processes for verifying the integrity of the products which it distributes are broken, and that it fails to draw customers’ attention to such a major security failure. If you use MacUpdate or any other download aggregation service to obtain software or updates, you will want to review that practice,” he added.

In general, it is a good idea to download software directly from the developer’s site or the Mac App Store.
