Hackers have infiltrated the popular software download website MacUpdate to deliver cryptocurrency miners to unsuspecting Mac users. Security researcher Arnaud Abbati of SentinelOne first spotted the cryptominer dubbed OSX.CreativeUpdate that is designed to hijack a computer's CPU to secretly mine Monero coins.

According to Malwarebytes researchers, the malware was distributed via MacUpdate after cybercriminals managed to infiltrate the site and install maliciously modified copies of the Firefox, OnyX and Deeper applications that were actually cryptocurrency miners.

The threat actors replaced the download links for each modified app with links that redirected users to malicious domains rather than the apps' official websites. These fake domains also featured slightly altered URLs to appear legitimate and convincing to users.

"Both OnyX and Deeper are products made by Titanium Software (titanium-software.fr), but the site was changed maliciously to point to download URLs at titaniumsoftware.org, a domain first registered on January 23, and whose ownership is obscured," Malwarebytes' Thomas Reed wrote in a blog post.

Meanwhile, the fake Firefox app was distributed from "download-installer.cdn-mozilla.net," rather than the legitimate "mozilla.net".
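The hostnames above show why a download link has to be compared with the vendor's domain on a label boundary rather than by eye or by plain string suffix. The following is an added example, not code from the article, Malwarebytes or MacUpdate; the function names are hypothetical and the `www.` subdomain and URL forms are constructed for illustration.

```shell
#!/bin/sh
# Added example: does a download host really belong to the vendor's domain?

# Lowercase a hostname and strip one trailing dot.
normalize_host() {
    h=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    printf '%s' "${h%.}"
}

# Extract the host from a URL (also accepts a bare hostname).
url_host() {
    u=${1#*://}      # drop scheme
    u=${u%%/*}       # drop path
    u=${u%%\?*}      # drop query
    u=${u##*@}       # drop userinfo
    u=${u%%:*}       # drop port
    normalize_host "$u"
}

# Weak check: plain string suffix. "cdn-mozilla.net" ends in "mozilla.net".
naive_suffix_match() {
    case "$(normalize_host "$1")" in
        *"$(normalize_host "$2")") return 0 ;;
        *) return 1 ;;
    esac
}

# Correct check: the domain itself, or a subdomain separated by a dot.
host_in_domain() {
    host=$(normalize_host "$1")
    domain=$(normalize_host "$2")
    case "$host" in
        "$domain" | *."$domain") return 0 ;;
        *) return 1 ;;
    esac
}

# classify_download URL_OR_HOST OFFICIAL_DOMAIN -> prints "ok" or "suspicious"
classify_download() {
    if host_in_domain "$(url_host "$1")" "$2"; then echo ok; else echo suspicious; fi
}

# Hosts quoted in the article (third entry is a constructed legitimate subdomain).
for pair in "download-installer.cdn-mozilla.net mozilla.net" \
            "titaniumsoftware.org titanium-software.fr" \
            "www.titanium-software.fr titanium-software.fr"; do
    set -- $pair
    printf '%-40s %s\n' "$1" "$(classify_download "$1" "$2")"
done
```

The official domain passed as the second argument has to come from a source other than the page offering the download.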

"In each case, the user is asked to drag the app into the Applications folder, as would the original, non-malicious .dmg files for those apps," Reed added. "The applications themselves were, as Abbati indicated in his tweet, created by Platypus, a developer tool that makes full macOS applications from a variety of scripts, such as shell or Python scripts. This means the creation of these applications had a low bar for entry."

The malware itself is bundled with decoy copies of the legitimate app to prevent users from getting suspicious. Once the modified app is downloaded and installed, it installs a payload from the legitimate website public.adobecc.com, attempts to open a copy of the original app as a decoy and activates the malware.

However, this process isn't always successful.

"For example, the malicious OnyX app will run on Mac OS X 10.7 and up, but the decoy OnyX app requires macOS 10.13. This means that on any system between 10.7 and 10.12, the malware will run, but the decoy app won't open to cover up the fact that something malicious is going on," Reed noted. "In the case of the Deeper app, the hackers got even sloppier, including an OnyX app instead of a Deeper app as the decoy by mistake, making it fail similarly but for a more laughable reason."

MacUpdate has already acknowledged and apologised for the links that were up between 1 February and 2 February.

"If you have installed and run Firefox 58.0.2, OnyX or Deeper since 1 February 2018, please accept my apologies, but you will need to follow these steps to remove a bitcoin miner which hacked versions of those apps installed," one of the site's editors wrote in the comments of the apps affected. "This is not the fault of the respective developers, so please do not believe them. The fault is entirely mine for having been fooled by the hackers."

The site has also offered instructions on how to remove the malware:

  • Delete any copies of the above titles [Firefox, Onyx, Deeper] you might have installed.
  • Download and install fresh copies of the titles.
  • In Finder, open a window for your home directory (Cmd-Shift-H).
  • If the Library folder is not displayed, hold down the Option/Alt key, click on the "Go" menu, and select "Library (Cmd-Shift-L)".
  • Scroll down to find the "mdworker" folder (~/Library/mdworker/).
  • Delete the entire folder.
  • Scroll down to find the "LaunchAgents" folder (~/Library/LaunchAgents/).
  • From that folder, delete "MacOS.plist" and "MacOSupdate.plist" (~/Library/LaunchAgents/MacOS.plist and ~/Library/LaunchAgents/MacOSupdate.plist).
  • Empty the Trash.
  • Restart your system.
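The file checks in these steps can also be run from Terminal. The script below is an added example, not part of MacUpdate's instructions: it reports which of the three listed paths exist under a home directory and, only when asked, moves them into a quarantine folder instead of deleting them, which is a substitution made here so the files remain available for analysis. The function names and the `--quarantine` option are hypothetical.

```shell
#!/bin/sh
# Added example: look for the artifacts listed in MacUpdate's removal steps.
# Paths are relative to a user's home directory and come from those steps.
ARTIFACTS='Library/mdworker
Library/LaunchAgents/MacOS.plist
Library/LaunchAgents/MacOSupdate.plist'

# find_artifacts HOME_DIR: print every listed artifact that exists, one per line.
find_artifacts() {
    printf '%s\n' "$ARTIFACTS" | while IFS= read -r rel; do
        path="$1/$rel"
        if [ -e "$path" ] || [ -L "$path" ]; then
            printf '%s\n' "$path"
        fi
    done
}

# quarantine_artifacts HOME_DIR DEST_DIR: move found artifacts into DEST_DIR
# (kept for analysis rather than deleted) and print how many were moved.
quarantine_artifacts() {
    mkdir -p "$2" || return 1
    found=$(find_artifacts "$1")
    moved=0
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        mv "$path" "$2/$(basename "$path")" && moved=$((moved + 1))
    done <<EOF
$found
EOF
    echo "$moved"
}

# Report only by default; "--quarantine DIR" moves the files aside.
if [ "${1:-}" = "--quarantine" ] && [ -n "${2:-}" ]; then
    quarantine_artifacts "$HOME" "$2"
else
    find_artifacts "$HOME"
fi
```

Moving the files does not stop a miner process that is already running, so the restart in the last step still applies.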

"Again, I apologize to you, our users, and to you, our developers for this violation," the editor continued. "It's unfortunate that this type of hack has come to the Mac platform, but we are now more aware and promise to be more diligent in protecting all of you in future."

The hack comes as opportunistic hackers increasingly exploit popular websites to deploy cryptocurrency miners, particularly against Windows users.

Reed has advised users to download apps directly from the developer's site rather than an aggregator or the Mac App Store.

"These are not guarantees, and can still get you infected with malware, adware, or scam software. But your odds are better," he noted. "Be sure to check around to make sure the software is legitimate before downloading, but do not give full credence to ratings or reviews on third-party sites or the Mac App Store, as those can be faked."

This isn't the first Mac malware spotted in the wild this year. So far, OSX MaMi and OSX CrossRAT have also been observed targeting Mac users.

"Be aware that the old adage that 'Macs don't get viruses,' which has never been true, is proven to be increasingly false," Reed added. "Do not let yourself believe that Macs don't get infected, as that will make you more vulnerable."