MacUpdate served up Mac cryptominer to unsuspecting users in Firefox, OnyX, and Deeper dow...

Posted:
in macOS
Download aggregator MacUpdate briefly linked to three malicious applications masquerading as legitimate downloads for Firefox, OnyX, and Deeper, that not only install the apps, but also deposit a cryptocurrency miner on downloader's systems.




At some point on Feb. 1, MacUpdate updated legitimate download links to bogus installers for the three apps. According to Malwarebytes Labs, OnyX and Deeper by Titanium Software links were replaced by a very similar URL to the download, and Firefox downloads were redirected to an URL that was obviously not mozilla.net.

The payload was delivered as a .dmg file, but the installers were scripts that download and install the payload, plus retrieved a legitimate copy of the app in question to convince the user that the app installed properly. This particular hack was not well executed, with the OnyX app retrieved in the place of the Deeper app, and vice versa.

The installed malware was mining the Monero cryptocurrency, passing a protonmail user to a login authority.

The applications hosted by Titanium Software themselves, and Mozilla's native download of Firefox are uninfected.




This is not the first time that MacUpdate has hosted malware in downloads. The company itself was installing its own adware to non-subscribers computers for a few months in 2015. A second event in 2016 found fake application EasyDoc Converter distributing the OSX Eleanor ransomware for a period of time.

AppleInsider suggests that users either download applications from the developer's site directly, or from the Mac App Store. As a general rule, avoiding download aggregators that link directly to downloads outside the Mac App Store is a good security practice.
magman1979

Comments

  • Reply 1 of 14
    I downloaded OnyX from Titanium’s website. Am I affected?
    magman1979
  • Reply 2 of 14
    SoliSoli Posts: 6,134member
    I downloaded OnyX from Titanium’s website. Am I affected?
    No, but you may want to just check the files and folders mentioned, to be sure.
    racerhomie3
  • Reply 3 of 14
    I actually tried mining Monero on my '17 MBP, and it suuuucks lol.  Whoever wrote that virus wasted a lot of time.  Ran it for 3 days straight and the hash rate wasn't high enough to earn anything.  Maybe it works a bit better on iMacs 
    libertyforall
  • Reply 4 of 14
    chasmchasm Posts: 371member
    A pity this happened, but I’m glad the site took full responsibility and issued removal instructions. That’s how you handle something like this, and being more vigilant going forward.
    coolfactor
  • Reply 5 of 14
    SoliSoli Posts: 6,134member
    I actually tried mining Monero on my '17 MBP, and it suuuucks lol.  Whoever wrote that virus wasted a lot of time.  Ran it for 3 days straight and the hash rate wasn't high enough to earn anything.  Maybe it works a bit better on iMacs 
    Mining works better for GPUs. I know a PC gamer who invested $1500* alone in his GPU and he was able to play with mining cryptocurrencies (mostly garlicoin which he converted to bitcoin) to get a better understanding of it, and he's created a paper wallet that's still worth more (adjusting for the recent drops) than his entire PC. My 1.5¢ and hour on my Late-2017 MBP with the fastest CPU and GPU wasn't worth it.


    * The investment was for gaming, not for cryptocurrency mining.
    edited February 7
  • Reply 6 of 14
    cgWerkscgWerks Posts: 806member
    I actually tried mining Monero on my '17 MBP, and it suuuucks lol.  Whoever wrote that virus wasted a lot of time.  Ran it for 3 days straight and the hash rate wasn't high enough to earn anything.  Maybe it works a bit better on iMacs 
    True, though if you could get thousands of machines all working for you for free...
  • Reply 7 of 14
    And people think blockchain will replace the Bank of America due to the "distributed trust built into the system"? Puh! More trust in photocopied banknotes!
  • Reply 8 of 14
    fearless said:
    More trust in photocopied banknotes!
    Which is all the pieces of cloth from the federal reserve are, but hey.
  • Reply 9 of 14
    ednlednl Posts: 6member
    MacUpdate had a good run but it definitely ended when he sold out in 2015. To be fair, that's probably the only thing he sold; hard to earn money from a free download index site.
  • Reply 10 of 14
    maestro64maestro64 Posts: 3,889member
    I stop a long time ago using MacUpdate, when I had similar problem of ad plugins getting installed into safari when I installed another piece of software. It took me a while to figure out what happen and where the plugins came from. Finally traced it back to MacUpdate. I use to use out all the time to make sure I always had the latest versions, but stop using that site when I had issues. That was probably 10 years ago, so this problem is not new.
  • Reply 11 of 14
    SoliSoli Posts: 6,134member
    I'm thankful that "walled gardens" and App Stores exist.
    edited February 8
  • Reply 12 of 14
    old-wizold-wiz Posts: 189member
    I didn't realize that MacUpdate also distributed this crap.  I've tried using the site in the passed and stopped using it after getting a bunch of junk added to a legit download.
  • Reply 13 of 14
    macxpressmacxpress Posts: 3,858member
    I don't know why anyone would use this site anyways. Just go to the source and get it.
  • Reply 14 of 14
    maestro64 said:
    I stop a long time ago using MacUpdate, when I had similar problem of ad plugins getting installed into safari when I installed another piece of software. It took me a while to figure out what happen and where the plugins came from. Finally traced it back to MacUpdate. I use to use out all the time to make sure I always had the latest versions, but stop using that site when I had issues. That was probably 10 years ago, so this problem is not new.
    Yea, that happened to me a while back too, which is where I swore not to use any of these kind of services anymore. (Even though I usually didn't, but this utility only seemed available from them... which should have been my first clue, I guess.) But, it changed the defaults on all my browsers and auto-pointed them to Yahoo or something like that. It took a good bit of effort to put everything back in order.

    Soli said:
    I'm thankful that "walled gardens" and App Stores exist.
    Me, too, as things in the wild wild internet have gotten worse, for sure. That said, just because it's in the App Store doesn't mean it's safe either. It just helps quite a bit.
Sign In or Register to comment.