A cybercriminal managed to infiltrate the Mac app download site MacUpdate and install maliciously copies of the Firefox, OnyX, and Deeper applications that were in fact cryptocurrency miners.
This activity came to light on February 1 when SentinelOne issued a tweet warning readers of the miner, Malwarbytes' researcher Thomas Reed blogged. The malware, named OSX.CreativeUpdate, is a new miner that bides its time in the background sucking up computer resources to mine Monero.
MacUpdate issues an apology and instructions on how to remove the malware in the comments of each app affected.
With each altered app the threat actors redirected those clicking on the links to a malicious website that sported slightly altered URLs to help obfuscate the action.
“Both OnyX and Deeper are products made by Titanium Software (titanium-software.fr), but the site was changed maliciously to point to download URLs at titaniumsoftware.org, a domain first registered on January 23, and whose ownership is obscured. The fake Firefox app was distributed from download-installer.cdn-mozilla.net,” Reed said.
The injection takes place when the end user is asked to drag the app into the computer's applications folder. What is being moved, however, is a .dmg (disk image file) containing the malware. Once the malware is moved to the new folder it will install a payload from the legitimate site public.adobecc.com as a decoy measure. This activity, in turn, signals the malware to activate.
Reed noted a few issues with the malware that sometimes cause it to fail.
“For example, the malicious OnyX app will run on Mac OS X 10.7 and up, but the decoy OnyX app requires macOS 10.13. This means that on any system between 10.7 and 10.12, the malware will run, but the decoy app won't open to cover up the fact that something malicious is going on,” he said.
Luckily this malware can be removed, but Reed also suggested end users only download apps directly from the developer's site, not from an aggregator, or from Apple. And since malware also tends to act somewhat funky he said one warning sign that something may be amiss with some new software is if the downloaded app either does not function as advertised or does nothing at all. If this happens removing it is a good idea.
Finally, Reed tried to put the idea that Macs don't get malware to bed.
“Finally, be aware that the old adage that “Macs don't get viruses,” which has never been true, is proven to be increasingly false. This is the third piece of Mac malware so far this year, following OSX.MaMi and OSX.CrossRAT,” he said.