Maliciously modified versions of popular applications distributed via the MacUpdate site were observed installing crypto-mining malware on Mac computers, Malwarebytes reports.
The issue was observed on Friday, one day after maliciously modified versions of Firefox, OnyX, and Deeper applications started being distributed via the website. MacUpdate was quick to acknowledge the issue, and revealed in a comment that it was their fault and that the legitimate apps weren’t compromised.
What led to this situation is pretty straightforward: instead of linking to the applications’ official download websites, MacUpdate ended up linking to fake domains that resembled the legitimate ones.
Thus, instead of titanium-software.fr, it listed titaniumsoftware.org (registered on January 23) for the download URLs of OnyX and Deeper (both products made by Titanium Software). The download link for Firefox was even more crafty, using the domain download-installer.cdn-mozilla.net, instead of mozilla.net.
For all three applications, however, users ended up downloading disk image files (.dmg) that looked pretty convincing, Malwarebytes says. They also asked the user to drag the file into the Applications folder, just as the legitimate apps would.
The fake applications were created by Platypus, a developer tool used to build macOS software from scripts such as shell or Python.
Once installed, the fake apps download and install a payload from public.adobecc.com (a legitimate site owned by Adobe), after which it attempts to open a copy of the legitimate app as decoy. This operation, however, isn’t always successful, due to various errors the actor behind the fake apps made.
The security researchers discovered that the malicious OnyX app would run on Mac OS X 10.7 and up, but the decoy app requires macOS 10.13 and up, which means that only the malware is executed on systems with previous platform versions.
When it comes to the fake Deeper app, things are similar, but the reason is laughable. The actor included an OnyX app instead of Deeper as decoy, which clearly results the decoy not executing to cover the malicious behavior.
Upon execution, a script in the fake app checks whether it already runs and, if not, it downloads the malware and unzips it into the Library folder, which is hidden by default. A malicious launch agent file named MacOSupdate.plist is installed, designed to recurrently run another script.
The launch agent downloads a new MacOS.plist file and installs it, but first removes the previous MacOS.plist file, supposedly to update it. The downloaded MacOS.plist file was observed loading a malicious sysmdworker process and passing in arguments, including an email address.
“That sysmdworker process will then do the work of mining the Monero cryptocurrency, using a command-line tool called minergate-cli, and periodically connecting to minergate.com, passing in the above email address as the login,” Malwarebytes explains.
To stay protected from this and similar threats, users are advised to always download applications from the legitimate websites only, such as the developer’s site or the Mac App Store.
As Malwarebytes points out, this is not the first time MacUpdate has been abused for malicious purposes. A couple of years ago, it fell to a similar hack and ended up distributing the OSX.Eleanor malware.
Related: Mac Malware Creator Indicted in U.S.