Criminals Are Now Dropping Cryptomining Malware on Macs Through Download Sites
MacUpdate, a popular software download site, has been spotted delivering a Mac cryptominer to users. Security researcher Arnaud Abbati of SentinelOne reported that the new cryptocurrency miner is designed to sit in the background and use the victim's CPU to mine Monero. Dubbed OSX.CreativeUpdate, the miner was distributed inside maliciously modified copies of popular applications.
The problem was first spotted on Friday, a day after users downloaded malicious versions of Firefox, Deeper, and Onyx through MacUpdate. The malware was distributed through a compromise of the site itself: instead of pointing to the apps' official websites, the download links had been changed to lookalike domains that closely resembled the legitimate ones.
Users may not notice that they have downloaded malicious apps carrying the cryptomining Mac malware
The malicious app opens a decoy copy of the real app, so users see the program they expected and have no reason to think anything is wrong. Researchers at Malwarebytes Labs noted that in cases where "the malware is not installed, it will download the malware and unzip it into the user’s Library folder, which is hidden in macOS by default, so most users wouldn’t even know anything had been added there."
We are in the process of checking that we have caught any and all fraudulent submissions. We have posted in the comments of each suspected app. See listings for Firefox, Onyx and Deeper.
— Bryan Boettcher (@BryanatMU) February 2, 2018
To its credit, MacUpdate was quick to acknowledge the issue and said the problem began on February 1. The company also shared the following steps for removing the cryptocurrency miner that may have been installed through malicious copies of the legitimate apps.
- Delete any copies of the above titles [Firefox, Onyx, Deeper] you might have installed.
- Download and install fresh copies of the titles.
- In Finder, open a window for your home directory (Cmd-Shift-H).
- If the Library folder is not displayed, hold down the Option/Alt key, click on the "Go" menu, and select "Library (Cmd-Shift-L)".
- Scroll down to find the "mdworker" folder (~/Library/mdworker/).
- Delete the entire folder.
- Scroll down to find the "LaunchAgents" folder (~/Library/LaunchAgents/).
- From that folder, delete "MacOS.plist" and "MacOSupdate.plist" (~/Library/LaunchAgents/MacOS.plist and ~/Library/LaunchAgents/MacOSupdate.plist).
- Empty the Trash.
- Restart your system.
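The removal steps above can be scripted, which also gives you a way to check a machine before deciding whether it needs cleaning. The following POSIX shell script is an added example, not MacUpdate's or Malwarebytes' own code: the three paths it looks for (~/Library/mdworker/ and the two launch agent plists) are the ones named in the steps above, while the function names, the `--scan`/`--clean`/`--top` options and the CPU threshold are this example's own choices. It also includes a small process-triage helper of the kind the article's closing advice on watching system resources calls for; that helper is separated from `ps` so it can be run over captured output as well as a live system.

```shell
#!/bin/sh
# Added example (not MacUpdate's or Malwarebytes' code): checks a home directory for the
# OSX.CreativeUpdate leftovers named in MacUpdate's removal steps, optionally removes them,
# and flags CPU-hungry processes. launchctl is only invoked where it exists (macOS).

# Relative paths of the indicators from MacUpdate's steps: the dropped folder and the two
# launch agents that restart the miner at login. The folder name mimics Spotlight's
# legitimate mdworker process, so the indicator is the path under ~/Library, not a process name.
CU_INDICATORS="Library/mdworker Library/LaunchAgents/MacOS.plist Library/LaunchAgents/MacOSupdate.plist"

# Print every indicator that exists under the given home directory (default: $HOME).
# Exit status: 0 if anything was found, 1 if the home directory looks clean.
scan_creativeupdate() {
    home="${1:-$HOME}"
    n=0
    for rel in $CU_INDICATORS; do
        p="$home/$rel"
        if [ -e "$p" ]; then
            echo "$p"
            n=$((n + 1))
        fi
    done
    [ "$n" -gt 0 ]
}

# Unload the launch agents first (so launchd does not respawn the miner while we clean up),
# then delete every indicator that is present.
remove_creativeupdate() {
    home="${1:-$HOME}"
    for rel in $CU_INDICATORS; do
        p="$home/$rel"
        [ -e "$p" ] || continue
        case "$p" in
            *.plist)
                if command -v launchctl >/dev/null 2>&1; then
                    launchctl unload "$p" 2>/dev/null || true
                fi ;;
        esac
        rm -rf "$p"
        echo "removed $p"
    done
}

# Read ps-style lines (pcpu pid comm, header line first) on stdin and keep the processes
# above the given CPU percentage (default 50), busiest first.
filter_cpu_hogs() {
    threshold="${1:-50}"
    awk -v t="$threshold" 'NR > 1 && ($1 + 0) > t { print }' | sort -rn
}

# Live triage: a freshly installed app that keeps a process above the threshold is suspect.
cpu_hogs() {
    ps -A -o pcpu,pid,comm | filter_cpu_hogs "${1:-50}"
}

# Usage: sh creativeupdate_check.sh --scan|--clean [home_dir]    or    --top [cpu_percent]
case "${1:-}" in
    --scan)  scan_creativeupdate "${2:-$HOME}" ;;
    --clean) remove_creativeupdate "${2:-$HOME}" ;;
    --top)   cpu_hogs "${2:-50}" ;;
esac
```

Run `--scan` first and treat a non-zero exit as "clean"; only run `--clean` once you have confirmed the listed paths are the ones from the advisory, since `rm -rf` on a wrong home directory argument is unforgiving. Reinstall the affected apps from their developers' sites afterwards, as MacUpdate's steps say, and reboot.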
The site acknowledged that attackers had distributed "hacked versions of those apps," and stressed that the fault lay with the site, not with the app developers. "Again, I apologize to you, our users, and to you, our developers for this violation," they wrote. "It's unfortunate that this type of hack has come to the Mac platform, but we are now more aware, and promise to be more diligent in protecting all of you in future."
While Windows may be at the center of most cryptomining activity, other platforms are not safe from these attacks either. Whether you download apps from official channels or through third-party sites (not recommended), it is wise to be careful about what ends up on your machines. In the case of miners, one practical check is to monitor system resources and see whether a recent installation has caused a sustained, unexplained CPU load.