Another day, another cryptocurrency miner targeting users. This time the software download site MacUpdate was hacked to push a cryptocurrency miner onto Macs.
MacUpdate, a well-known software download and aggregator platform, was compromised and for a time distributed cryptocurrency miners to Mac users, SentinelOne security researcher Arnaud Abbati revealed.
Dubbed CreativeUpdate by Abbati, the trojan is a dropper built with the open-source developer tool Platypus; it downloads a miner from Adobe Creative Cloud servers. Anyone who downloaded the affected apps from MacUpdate on February 1 or 2, 2018, is at risk.
The attackers infiltrated the MacUpdate website to distribute the malware. They built trojanized copies of the legitimate apps OnyX, Firefox and Deeper that carried a cryptominer, and replaced MacUpdate's download links for each of these apps with links pointing to domains under their control. According to Thomas Reed of Malwarebytes, the fake download URLs had been altered only slightly and looked legitimate and convincing to users.
OnyX and Deeper are developed by Titanium Software, whose real site is titanium-software.fr; the download link was altered to point at titaniumsoftware.org, a lookalike domain that served the malicious downloads. That domain was registered on 23 January and its owner remains hidden. Similarly, the trojanized Firefox was served from the fake download host download-installer.cdn-mozilla.net rather than from mozilla.net.
The user is asked to drag the app into the Applications folder, a routine step for the genuine apps as well. The trojanized applications were built with Platypus, a developer tool that wraps a Python or shell script in a complete macOS app bundle.
MacUpdate trojan/miner is a Platypus dropper downloading a miner from Adobe Creative Cloud servers. https://t.co/62nT9WyBJy https://t.co/lK1GapwFoH https://t.co/l812l8ZWrk https://t.co/1mrYBrpem2 https://t.co/sm3J5TIlin
— noar (@noarfromspace) February 2, 2018
“This means the creation of these applications had a low bar for entry,” noted Abbati.
The malware also bundles a decoy copy of the genuine app so that users don't get suspicious. When a fake app is launched, the dropper fetches its payload from public.adobecc.com, a legitimate Adobe Creative Cloud URL that the attackers used for hosting, then opens the decoy copy of the original app while the miner starts in the background.
This approach doesn't always succeed. As Reed noted:
“For example, the malicious OnyX app will run on Mac OS X 10.7 and up, but the decoy OnyX app requires macOS 10.13. This means that on any system between 10.7 and 10.12, the malware will run, but the decoy app won’t open to cover up the fact that something malicious is going on. In the case of the Deeper app, the hackers got even sloppier, including an OnyX app instead of a Deeper app as the decoy by mistake, making it fail similarly but for a more laughable reason.”
When MacUpdate learned of the issue it apologised immediately, and the site's editor issued a statement along with instructions for removing the malware:
“If you have installed and run Firefox 58.0.2, OnyX or Deeper since 1 February 2018, please accept my apologies, but you will need to follow these steps to remove a Bitcoin miner which hacked versions of those apps installed. This is not the fault of the respective developers, so please do not believe them. The fault is entirely mine for having been fooled by the hackers.”
To remove the malware, delete every copy of the apps named Firefox, Deeper and OnyX and install fresh copies from their developers. Then open your home directory in Finder (Cmd-Shift-H); if the Library folder is not shown, hold the Option/Alt key, open the Go menu and select Library (Cmd-Shift-L). In Library, find the folder named mdworker and delete it. Next open ~/Library/LaunchAgents/ and delete MacOS.plist (~/Library/LaunchAgents/MacOS.plist) and MacOSupdate.plist (~/Library/LaunchAgents/MacOSupdate.plist). Finally, empty the Trash and restart the computer.
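The same removal steps as a script, added here as an example; it is not code from the article, MacUpdate, SentinelOne or Malwarebytes. It checks the artifact paths the instructions name (~/Library/mdworker and the two LaunchAgents plists), removes them on request, and adds one heuristic for spotting a trojanized app bundle: the article says the fakes were built with Platypus, which wraps a script inside the bundle, whereas genuine Firefox, OnyX and Deeper are native apps. The marker path Contents/Resources/script used for that check is an assumption about Platypus's bundle layout, not something the article states. Each function takes an optional directory in place of $HOME so it can be exercised against a constructed tree.

```shell
#!/bin/sh
# Added example (not from the article, MacUpdate or Malwarebytes): detect and
# remove the CreativeUpdate persistence artifacts named in the removal steps.
# $1 of each function overrides $HOME so the logic can be run against a
# constructed directory; with no subcommand the script only defines functions.

CU_ARTIFACTS="Library/mdworker Library/LaunchAgents/MacOS.plist Library/LaunchAgents/MacOSupdate.plist"

# Print every artifact that exists under the given home. Returns 0 when none
# is present (clean) and 1 when at least one is found (infected).
creativeupdate_scan() {
    home="${1:-$HOME}"
    found=0
    for rel in $CU_ARTIFACTS; do
        p="$home/$rel"
        if [ -e "$p" ]; then
            echo "FOUND: $p"
            found=1
        fi
    done
    return "$found"
}

# Unload the malicious launch agents (macOS only) and delete every artifact.
creativeupdate_remove() {
    home="${1:-$HOME}"
    for rel in $CU_ARTIFACTS; do
        p="$home/$rel"
        [ -e "$p" ] || continue
        case "$p" in
            *.plist)
                if command -v launchctl >/dev/null 2>&1; then
                    launchctl unload "$p" >/dev/null 2>&1 || true
                fi ;;
        esac
        rm -rf "$p"
        echo "removed: $p"
    done
}

# Heuristic for the trojanized apps: Platypus wraps a script inside the bundle,
# while the genuine apps are native. The marker path Contents/Resources/script
# is an ASSUMPTION about Platypus's bundle layout, not stated by the article.
# Returns 1 (suspect) if the marker is present, 0 otherwise.
creativeupdate_check_app() {
    app="$1"
    if [ -f "$app/Contents/Resources/script" ]; then
        echo "SUSPECT (Platypus-wrapped bundle): $app"
        return 1
    fi
    return 0
}

case "${1:-}" in
    scan)   creativeupdate_scan ;;
    remove) creativeupdate_remove ;;
    apps)
        for a in /Applications/Firefox.app /Applications/OnyX.app /Applications/Deeper.app; do
            if [ -d "$a" ]; then
                creativeupdate_check_app "$a" || :
            fi
        done ;;
esac
```

Run `sh creativeupdate.sh scan` first; it exits non-zero when any artifact is present, so it can be scripted across a fleet. Deleting the launch agents only stops the miner from coming back at login; a copy already running keeps mining until the machine is rebooted, which is why the instructions end with a restart. The `apps` subcommand only reports, since deleting /Applications entries automatically is best left to the user after confirming the bundle is not the genuine app.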
Furthermore, Reed recommends downloading apps directly from the developer's official website or the Mac App Store rather than from third-party download sites, where there is no guarantee that the app is authentic. Reed notes that there is always a possibility of being served scams, malware or adware, so it is important to verify that the software is genuine.
“Be aware that the old adage that ‘Macs don’t get viruses,’ which has never been true, is proven to be increasingly false. Do not let yourself believe that Macs don’t get infected, as that will make you more vulnerable,” writes Reed.
Image credit: DepositPhotos/Monsit