Popular Mac app platform MacUpdate was hacked and used to distribute cryptocurrency miners. 377053/Pixabay

MacUpdate, a popular platform that hosts and aggregates software and applications for MacOS, was hacked and used to distribute a cryptocurrency miner onto the machines of unsuspecting users.

Security researchers at SentinelOne and Malwarebytes discovered that the platform was spreading the cryptocurrency miner starting on Feb. 1. The issue was resolved by Feb. 2, but users who downloaded software from the site during the window while the miner was active are still at risk.

According to researchers, hackers managed to infiltrate the MacUpdate website and use their access to upload modified versions of popular Mac apps. Compromised apps included free maintenance and optimization tool OnyX, web browser Firefox and personalization utility Deeper—all of which are widely used Mac apps.

The attackers replaced the legitimate download links for these applications with links to modified copies, sending users to attacker-controlled domains that hosted compromised installers bundling the cryptomining tool.

Two of the applications—OnyX and Deeper—are developed by Titanium Software and are hosted on the company’s website, titanium-software.fr. After compromising the site, the hackers redirected users to the domain titaniumsoftware.org—a fake site first registered just two weeks ago.

Meanwhile, the fake Firefox app was being distributed through the domain “cdn-mozilla.net” instead of Mozilla.net, which is the official host of the Firefox browser developed by Mozilla. The domain cdn-mozilla.net was first registered just one day before the attack took place.

When a user downloaded one of the laced versions of an app, the download proceeded as it normally would: a menu appeared asking the user to move the app into the Applications folder. Once that was done, a payload containing the cryptominer was installed and activated.

Decoy versions of the applications launch to cover the activity of the cryptominer and to make it appear as though the download is legitimate—though that isn’t true on every version of MacOS. According to Thomas Reed from Malwarebytes, the decoy app for OnyX only launches on macOS 10.13. For Deeper, the hackers sloppily included a decoy version of OnyX instead of the Deeper app.

MacUpdate quickly addressed the issue upon learning of the breach and the redirect scheme that caused users to download malicious versions of Mac apps. In a statement, the company told users:

“If you have installed and run Firefox 58.0.2, OnyX or Deeper since 1 February 2018, please accept my apologies, but you will need to follow these steps to remove a Bitcoin miner which hacked versions of those apps installed. This is not the fault of the respective developers, so please do not believe them. The fault is entirely mine for having been fooled by the hackers.”

How To Remove Cryptomining Software

For users of MacUpdate who fell victim to the hackers’ scheme, it is possible to remove the malicious cryptomining software from the infected machine. Doing so requires deleting all files associated with the compromised app.

Follow these steps:

  • Open Finder.

  • Go to the Home directory by pressing Command-Shift-H.

  • Find the folder “mdworker” and delete it.

  • Open the LaunchAgents folder and delete MacOS.plist (located at ~/Library/LaunchAgents/MacOS.plist) and MacOSupdate.plist (located at ~/Library/LaunchAgents/MacOSupdate.plist).

  • Go to the Trash and choose “Empty”.

  • Restart the computer.
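The same removal steps can be scripted so that a Mac can be checked (for example from an inventory job or against a mounted backup of a home folder) before anything is deleted. The script below is an added example, not code from MacUpdate, SentinelOne or Malwarebytes; it looks only for the three artifacts named in the steps above (the ~/mdworker folder and the two LaunchAgents plists) and takes the home directory as a parameter so it can be run against any path. The function names are the author's own.

```sh
#!/bin/sh
# Added example: detect and remove the artifacts left by the trojanized
# MacUpdate downloads, using only the paths named in the removal steps.

macupdate_indicators() {
    # Print every indicator path that exists under the given home directory
    # (defaults to the current user's $HOME).
    home="${1:-$HOME}"
    for p in "$home/mdworker" \
             "$home/Library/LaunchAgents/MacOS.plist" \
             "$home/Library/LaunchAgents/MacOSupdate.plist"; do
        [ -e "$p" ] && printf '%s\n' "$p"
    done
    return 0
}

macupdate_infected() {
    # Exit status 0 if at least one indicator is present, 1 if the home
    # directory is clean.
    [ -n "$(macupdate_indicators "$1")" ]
}

macupdate_clean() {
    # Remove the indicators. On a live macOS system the launch agents are
    # unloaded first so the miner is not restarted before the files are gone;
    # launchctl is skipped where it does not exist (e.g. when cleaning a backup
    # on another OS).
    home="${1:-$HOME}"
    for plist in "$home/Library/LaunchAgents/MacOS.plist" \
                 "$home/Library/LaunchAgents/MacOSupdate.plist"; do
        if [ -f "$plist" ]; then
            if command -v launchctl >/dev/null 2>&1; then
                launchctl unload "$plist" 2>/dev/null || true
            fi
            rm -f "$plist"
        fi
    done
    [ -d "$home/mdworker" ] && rm -rf "$home/mdworker"
    return 0
}

# Report-only run for the current account; call macupdate_clean "$HOME"
# after reviewing the report, then restart as the steps above say.
macupdate_indicators "$HOME"
```

Run it with `sh check-macupdate.sh` to list what is present; an empty report means none of the three artifacts exists for that account. The script deliberately matches exact paths rather than searching for anything named "mdworker", because macOS has a legitimate Spotlight process of that name and a broader search would produce false positives.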