SecureMac, Inc.

Popular MacUpdate Website Hacked to Distribute Crypto Miner

February 12, 2018


Keeping the software on your Mac up to date is essential, not least because updates close the holes that new threats exploit. Unfortunately, a new piece of Mac malware is reaching users through MacUpdate, a third-party service meant to streamline that very process. A popular site for many years, MacUpdate acts as a "one stop shop" for software updates, letting users grab updated copies of their favorite apps quickly. It now appears that the listings for several apps on the site were compromised and pushed malware to user machines.

Uncovered by security researcher Arnaud Abbati, the hack affected at least three apps that we know of: Deeper (a system-personalization utility), OnyX, and Firefox. The attackers altered the MacUpdate listings so that the download links pointed to URLs only subtly different from the vendors' real ones, which was enough to trick users into downloading a trojanized disk image (.dmg) instead of the genuine one. Because the disk images looked legitimate, users would likely have installed them as usual. Once run, the trojanized app works through a convoluted, multi-stage process to fetch the actual payload and launch it to mine cryptocurrency.
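The lookalike-link trick described above, as an added example that is not part of the original article and not MacUpdate's or any vendor's own tooling: a small Python check that compares the host of a download link against the host you expect for that app and flags near-miss hosts (a dropped hyphen, a swapped top-level domain, a single changed character, or the vendor's name embedded in an unrelated host) rather than only rejecting exact mismatches. Every host, URL and app-to-vendor mapping in it is a constructed placeholder under the reserved .test TLD; the real domains involved in the incident are not named on this page and are not used here.

```python
from urllib.parse import urlsplit

# Constructed placeholders: the vendor host each app's download is expected to
# come from. These stand in for real vendor domains and are NOT the domains
# involved in the MacUpdate incident.
EXPECTED_HOSTS = {
    "deeper": "example-vendor.test",
    "onyx": "example-vendor.test",
    "firefox": "example-browser.test",
}

# A host within this many single-character edits of the expected one is
# treated as a lookalike rather than as an unrelated host.
LOOKALIKE_MAX_EDITS = 3


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) via the standard DP recurrence."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            cur.append(min(prev[j] + 1,        # delete ca
                           cur[j - 1] + 1,     # insert cb
                           prev[j - 1] + cost))  # substitute / match
        prev = cur
    return prev[-1]


def squash(host: str) -> str:
    """Drop hyphens and dots so 'foo-bar.test' and 'foobar.test' compare equal."""
    return host.replace("-", "").replace(".", "")


def classify_download_link(app: str, url: str) -> str:
    """Classify a download link for `app` against its expected vendor host.

    Returns one of: "ok", "insecure-scheme", "lookalike", "unexpected",
    "unknown-app". Only "ok" means the link should be trusted as-is.
    """
    expected = EXPECTED_HOSTS.get(app.lower())
    if expected is None:
        return "unknown-app"

    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    # A leading "www." is cosmetic; compare the registrable part.
    bare = host[4:] if host.startswith("www.") else host

    # Exact vendor host, or a subdomain of it, is what we expect to see.
    if bare == expected or bare.endswith("." + expected):
        return "ok" if parts.scheme == "https" else "insecure-scheme"

    # Same letters with a hyphen or dot added/removed (examplevendor.test).
    if squash(bare) == squash(expected):
        return "lookalike"
    # Same name under a different top-level domain (example-vendor.org).
    if bare.rsplit(".", 1)[0] == expected.rsplit(".", 1)[0]:
        return "lookalike"
    # Vendor name embedded in some other host (example-vendor.test.evil.test).
    if expected.split(".")[0] in bare:
        return "lookalike"
    # One or two characters changed (example-br0wser.test).
    if levenshtein(bare, expected) <= LOOKALIKE_MAX_EDITS:
        return "lookalike"
    return "unexpected"


def audit(links: dict) -> dict:
    """Classify a mapping of app name -> download URL."""
    return {app: classify_download_link(app, url) for app, url in links.items()}


if __name__ == "__main__":
    # Constructed sample links of the kind an update page might serve.
    sample = {
        "onyx": "https://www.examplevendor.test/OnyX.dmg",
        "deeper": "https://example-vendor.org/Deeper.dmg",
        "firefox": "https://download.example-browser.test/Firefox.dmg",
    }
    for app, verdict in audit(sample).items():
        print(f"{app:8s} {verdict}")
```

A verdict of lookalike is the interesting one: an outright mismatch is easy to notice, but a host that is one hyphen or one character off is exactly what users scanned past in this incident. Run the check against the links a download page actually serves (or the URL column of a browser's download history) before opening the .dmg, and treat anything other than ok as a reason to fetch the installer from the vendor's own site instead.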

During this stage the malware tries to conceal what it is doing by launching a decoy: a copy of the legitimate application the user thought they were updating. It is here that the sloppiness of the malware's code becomes clear, because this step can fail outright or launch the wrong app. Clues like that could quickly tip off an attentive user that something isn't right. Once the decoy step completes, the malware loads a command-line mining utility that uses the system's processing power to solve the cryptographic puzzles behind the currency's proof-of-work, and any coins it mines (in this case, Monero) are credited to the malware's author rather than to the user.

Although the problem was noticed relatively quickly and the offending links corrected, the incident still illustrates the danger inherent in using unofficial "app stores" such as MacUpdate to gather software updates. While convenient, such aggregators are a potentially serious point of vulnerability; in fact, this is not the first time MacUpdate has served up malware by mistake. If you recently used the site, and especially if you downloaded one of the affected apps, run your security software for a closer look at your system, and replace any copy of Deeper, OnyX or Firefox obtained there with one downloaded from the vendor's own site. Meanwhile, remember to seek out updates from official channels: the vendor's website or the app's built-in updater. That is not foolproof (see last year's HandBrake debacle, in which one of the project's own download mirrors was compromised), but it does reduce the likelihood of exposure to malware.
