Aggregator MacUpdate delivered malware (cryptocurrency miner) instead of apps

scshrugged
Posts: 316
Joined: Wed Feb 10, 2016 6:55 pm
Platform: Mac + iOS

Sun Feb 04, 2018 3:23 pm

(My post's intent is to inform. It's not an endorsement for any of the detection/removal tools mentioned in the referenced blog posts.)

Although I don't use them, I've seen this aggregation service mentioned a couple of times at the L&L forum. If you're in the habit of using MacUpdate or other aggregation service:
Did you download and install any Mac software from the MacUpdate site on the first or second of February? If so – and particularly if the app was Firefox 58.0.2, OnyX, or Deeper – you may well have installed a malicious cryptocurrency miner, which has been dubbed OSX.CreativeUpdate. ... Although it is thought to be confined to Firefox 58.0.2, OnyX, and Deeper downloaded from MacUpdate on 1st and 2nd February 2018, on further investigation it may be that it affects other apps downloaded from MacUpdate, possibly even from other download aggregation services. ...

https://eclecticlight.co/2018/02/03/new ... date-site/
Included in the above blog post is a link to an analysis by Thomas Reed of Malwarebytes and a link to a followup post.



MacUpdate, whose response has been inadequate (that's being generous), has advised to uninstall the malware-laden downloads and manually delete certain files:

Jess-MacUpdate Member
Jess-MacUpdate EDITOR Feb 02, 2018

2francinou, you are absolutely right: the listing for OnyX *had* been compromised, just as had this listing for Firefox. Even my own system had been infected. I might not have realized it without your comment.

If you have installed-and-run Firefox 58.0.2, OnyX, or Deeper since 1 February 2018, please accept our apologies, but you will need to follow these steps to remove a bitcoin miner which hacked versions of those apps have installed. This is not the fault of the respective developers, so please do not blame them. The fault is entirely mine for having been fooled by the hackers.
• Delete any copies of the above titles you might have installed.
• Download and install fresh copies of the titles.
• In Finder, open a window for your home directory (Cmd-Shift-H).
• If the Library folder is not displayed, hold down the Option/Alt key, click on the "Go" menu, and select "Library (Cmd-Shift-L)".
• Scroll down to find the "mdworker" folder (~/Library/mdworker/).
• Delete the entire folder.
• Scroll down to find the "LaunchAgents" folder (~/Library/LaunchAgents/).
• From that folder, delete "MacOS.plist" and "MacOSupdate.plist" (~/Library/LaunchAgents/MacOS.plist and ~/Library/LaunchAgents/MacOSupdate.plist).
• Empty the Trash.
• Restart your system.
Again, I apologize to you, our users, and to you, our developers for this violation. It's unfortunate that this type of hack has come to the Mac platform, but we are now more aware, and promise to be more diligent in protecting all of you in future.

https://www.macupdate.com/app/mac/10700/firefox
Scrivener user not affiliated with L&L.
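The quoted MacUpdate steps name three artifacts to delete: the ~/Library/mdworker/ folder and the MacOS.plist and MacOSupdate.plist launch agents. The shell check below is an added example for this thread (not MacUpdate's or the blog author's code): it reports and counts those artifacts in each home directory passed on the command line instead of deleting anything, so an admin can triage several Macs or user accounts before following the removal steps.

```shell
#!/bin/sh
# Added example: detection-only check for the artifacts named in the
# MacUpdate notice (OSX.CreativeUpdate, Feb 2018). Nothing is deleted.

# Paths from the notice, relative to a user's home directory.
CREATIVEUPDATE_PATHS="Library/mdworker Library/LaunchAgents/MacOS.plist Library/LaunchAgents/MacOSupdate.plist"

# count_indicators <home-dir>
# Prints how many of the named artifacts exist under <home-dir> (0..3).
count_indicators() {
    n=0
    for rel in $CREATIVEUPDATE_PATHS; do
        if [ -e "$1/$rel" ]; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# check_home <home-dir>
# Prints one FOUND line per artifact present; returns 1 if any was found,
# 0 if the home directory is clean of these indicators.
check_home() {
    home=$1
    status=0
    for rel in $CREATIVEUPDATE_PATHS; do
        p="$home/$rel"
        if [ -e "$p" ]; then
            printf 'FOUND  %s\n' "$p"
            status=1
        fi
    done
    if [ "$status" -eq 0 ]; then
        printf 'clean  %s\n' "$home"
    fi
    return "$status"
}

# Usage: sh check_creativeupdate.sh "$HOME"      (or /Users/* for every account)
# The LaunchAgents are unloaded by the restart in MacUpdate's steps, so this
# check is only meaningful before that reboot and after a fresh reinstall.
rc=0
for h in "$@"; do
    check_home "$h" || rc=1
done
```
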

kewms
Posts: 3923
Joined: Fri Feb 02, 2007 5:22 pm
Platform: Mac

Sun Feb 04, 2018 4:48 pm

Yikes!

Note that OnyX in particular is frequently recommended in this forum.

Katherine
Scrivener Support Team

xiamenese
Posts: 3627
Joined: Mon Jan 29, 2007 1:32 am
Platform: Mac
Location: London or Exeter, UK.

Sun Feb 04, 2018 5:33 pm

I used to download from MacUpdate, but a couple of years ago, an update I'd downloaded from them was immediately quarantined by ClamXAV as carrying malware. Since then, I go to the MacUpdate website every Saturday to check for updates listed for any of my software, but I then go to the developer's website and download from there.

Mark
The Scrivenato sometimes known as Mr X.
rMBP 13" (early 2015) 10.13.3, 8GB RAM, 512GB SSD
MBP17" (late 2011) 10.13, 8GB RAM, 512GB SSD
iPad Air 2, iOS 11, 64GB
Scrivener, Scapple, Nisus Writer Pro, Bookends …