New cryptominer spreads via MacUpdate hack

MacUpdate trojan downloads a crypto miner from Adobe Creative Cloud servers

Security researcher Arnaud Abbati has reported about a new Monero miner^[1] which enters the system via MacUpdate hack. Experts named the infection as OSX.CreativeUpdate which is designed to download the cryptocurrency miner from Adobe Creative Cloud servers.

Mac Monero miner was distributed on the official MacUpdate website. The site was unconsciously offering modified versions of Deeper, OnyX, and Firefox programs with maliciously customized scripts. According to the statement made on the page, this security breach happened at the beginning of February 2018.

Mac crypto miner hides inside the victimized system and stealthily operates in the background. While people might not notice at first, this cyber threat exploits computing power to mine Monero cryptocurrency^[2]. Unfortunately, high CPU usage leads to significant deterioration of overall computer performance^[3].

Hackers led users to suspicious domains by changing site's URLs

A. Abbati says that criminals maliciously modified MacUpdate website to point the users to less than reliable download URLs. The official page for both, OnyX and Deeper software is Titanium-software.fr. However, crooks led their victims to Titaniumsoftware.org which is definitely not a trustworthy site^[4]:

Both OnyX and Deeper are products made by Titanium Software (titanium-software.fr), but the site was changed maliciously to point to download URLs at titaniumsoftware.org, a domain first registered on January 23, and whose ownership is obscured.

Another software, which was also used to deliver Mac cryptominer is a fake Firefox program. Criminals used deceptive techniques just like in any other phishing attack — they pointed the users to Download-installer.cdn-mozilla.net site which seems like a legitimate Mozilla.net website due to the similarities of the domain's end.

The files of OSX.CreativeUpdate virus has .dmg extension which helps the criminals to avoid raising any suspicions. Since the user is asked to drop the program into the Applications folder just like any other legitimate software, it seems pretty convincing.

The malware has several flaws

Despite the fact that the Mac crypto-mining malware seems to be well-designed and successful in deceiving the users, it has several limitations which allow denouncing its malicious actions. Since the application uses the decoy app (the copy of the original application for deceptive purposes), it requires macOS 10.13.

Even though the malicious version of the app runs on Mac OS X 10.7 and later, the decoy application won't open and fail to cover up its suspicious activity. Likewise, people can quickly identify that their computers might be at risk:

The malicious OnyX app will run on Mac OS X 10.7 and up, but the decoy OnyX app requires macOS 10.13. This means that on any system between 10.7 and 10.12, the malware will run, but the decoy app won’t open to cover up the fact that something malicious is going on.

Experts advise the users always to use professional antivirus tools which offer real-time protection^[5]. This way you will be notified about the bogus programs before installing them on your computer. Also, it is essential to keep the security software up-to-date to make sure that it will upgrade its database with new cyber threats regularly.