Security Experts:

Connect with us

Hi, what are you looking for?


Email Security

MacUpdate Distributes Mac Crypto-Mining Malware

Maliciously modified versions of popular applications distributed via the MacUpdate site were observed installing crypto-mining malware on Mac computers, Malwarebytes reports.

Maliciously modified versions of popular applications distributed via the MacUpdate site were observed installing crypto-mining malware on Mac computers, Malwarebytes reports.

The issue was observed on Friday, one day after maliciously modified versions of Firefox, OnyX, and Deeper applications started being distributed via the website. MacUpdate was quick to acknowledge the issue, and revealed in a comment that it was their fault and that the legitimate apps weren’t compromised.

What led to this situation is pretty straightforward: instead of linking to the applications’ official download websites, MacUpdate ended up linking to fake domains that resembled the legitimate ones.

Thus, instead of, it listed (registered on January 23) for the download URLs of OnyX and Deeper (both products made by Titanium Software). The download link for Firefox was even more crafty, using the domain, instead of

For all three applications, however, users ended up downloading disk image files (.dmg) that looked pretty convincing, Malwarebytes says. They also asked the user to drag the file into the Applications folder, just as the legitimate apps would.

The fake applications were created by Platypus, a developer tool used to build macOS software from scripts such as shell or Python.

Once installed, the fake apps download and install a payload from (a legitimate site owned by Adobe), after which it attempts to open a copy of the legitimate app as decoy. This operation, however, isn’t always successful, due to various errors the actor behind the fake apps made.

The security researchers discovered that the malicious OnyX app would run on Mac OS X 10.7 and up, but the decoy app requires macOS 10.13 and up, which means that only the malware is executed on systems with previous platform versions.

When it comes to the fake Deeper app, things are similar, but the reason is laughable. The actor included an OnyX app instead of Deeper as decoy, which clearly results the decoy not executing to cover the malicious behavior.

Upon execution, a script in the fake app checks whether it already runs and, if not, it downloads the malware and unzips it into the Library folder, which is hidden by default. A malicious launch agent file named MacOSupdate.plist is installed, designed to recurrently run another script.

The launch agent downloads a new MacOS.plist file and installs it, but first removes the previous MacOS.plist file, supposedly to update it. The downloaded MacOS.plist file was observed loading a malicious sysmdworker process and passing in arguments, including an email address.

“That sysmdworker process will then do the work of mining the Monero cryptocurrency, using a command-line tool called minergate-cli, and periodically connecting to, passing in the above email address as the login,” Malwarebytes explains.

To stay protected from this and similar threats, users are advised to always download applications from the legitimate websites only, such as the developer’s site or the Mac App Store.

As Malwarebytes points out, this is not the first time MacUpdate has been abused for malicious purposes. A couple of years ago, it fell to a similar hack and ended up distributing the OSX.Eleanor malware.

Related: ‘MaMi’ Mac Malware Hijacks DNS Settings

Related: Mac Malware Creator Indicted in U.S.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Malware & Threats

Cybercrime in 2017 was a tumultuous year "full of twists and turns", with new (but old) infection methods, a major return to social engineering,...


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

Norway‎-based DNV said a ransomware attack on its ship management software impacted 1,000 vessels.