dmg (disk image) files, and they look pretty convincing. This is a common scammer trick to make you think it’s coming from a legitimate site.) (Notice the domain ends in, which is definitely not the same as. The fake Firefox app was distributed from . According to a statement posted in the comments for each of the affected apps on the MacUpdate website, this happened sometime on February 1.īoth OnyX and Deeper are products made by Titanium Software (), but the site was changed maliciously to point to download URLs at , a domain first registered on January 23, and whose ownership is obscured.
The malware was spread via hack of the MacUpdate site, which was distributing maliciously-modified copies of the Firefox, OnyX, and Deeper applications. This malware, which Abbati has named OSX.CreativeUpdate, is a new cryptocurrency miner, designed to sit in the background and use your computer’s CPU to mine the Monero currency. Early this morning, security researcher Arnaud Abbati of SentinelOne tweeted about new Mac malware being distributed via MacUpdate.
