MacUpdate infiltrated to spread disguised Monero currency miners

The MacUpdate website has been hacked to spread software programs mining the Monero digital currency. The malicious programs use the computer’s CPU to solve complex algorithms after an unsuspecting victim downloads modified copies of OnyX, Deeper, and Firefox. The malware was reported by security research Arnaud Abbati who named the malware OSX.CreativeUpdate. MacUpdate has issued an apology for the issue and provided a user-friendly guide explaining how to remove the malicious programs. In the apology post, MacUpdate promises to pay more attention the software offered on their website.

The fraudsters seeking to mine Monero creatively deceived inexperienced Mac users by redirecting them to websites the URLs of which resemble the original URLs. The OnyX and Deeper programs are products of Titanium Software. The official website of the software creator is, but the malicious source of the software was registered as The ownership of the domain was not determined, leaving the attackers unidentified. The bogus Firefox application was spread by, whereas the legitimate domain is

Creating nefarious URLs similar to the legitimate ones is a frequently used technique to trick inexperienced users into downloading malware. This deception technique is known as URL spoofing, when cyber criminals create URLs that look identical or similar to the URL of the original website. To prevent redirections to forged sites, it is advisable to ignore links in emails even though the URL appears to be legitimate.

When the malicious (.dmg) file is downloaded from one of the fake software sources and launched, the user is requested to move the application to the Application folder. The same is asked by the original applications.

Upon installation, the malware connects to, which is a legitimate website,to download a payload. The fake software downloaded to the victim’s computer attempt to launch a copy of the original application that arrives at the computer as part of the malware.

The copy of the original application functions as a decoy application to hide vicious mining processes; however, that is not possible on all operating systems affected by the bogus OnyX software. For instance, the deceptive application runs on Mac OS X 10.7 and later versions, but the original application delivered to the victim’s computer requires MacOS 10.13. The malware runs on the versions earlier than 10.13, but the decoy application is not used to conceal the evil deeds. As for the Deeper application, the attackers accidentally added the OnyX app to function as the decoy, causing some failures in the hoax process.

Mining the Monero cryptocurrecy is carried out using the minergate-cli command-line tool. Moreover, regular connections to are made using the email

The Monero currency is a new Bitcoin-like currency offering new features and more privacy. The shift of the criminals’ interest in other currencies was noticed soon after law enforcement agencies adopted tools to track down bitcoin transactions. Moreover, the prices of Bitcoin started to decrease in 2018, suggesting that cyber criminals will be trying to find new ways of making profits. Monero has reportedly become the top currency in ransomware, and it is becoming clear that computer users are likely to have some issues with both ransomware and malware spreading Monero miners.

In order to minimize the risk of getting infected with malware, ransomware, adware, and other threats, security experts recommend downloading software only from its official website, but not aggregators or other third-party software distributors. Without a doubt, downloading software only from its authors does not guarantee that the computer will not get infected, but it is important to stay away from websites that could distribute ill-purposed software.

The MacUpdate website has been blacklisted by some security experts for over 2 years because of the attempts to trick users into changing browser settings and installing harmful programs. For example, Mac software is usually planted without an installer because it is enough to drag the program to the Application folder. MacUpdate is known to have created installers with conventional “Next” buttons making users inadvertently agree without reading.

Even though MacUpdate failed to notice that their page is used to spread OSX.CreativeUpdate, they have provided removal guidelines to help their affected users eliminate the malicious software. Here is the removal procedure you should follow:

  1. Delete the malicious program you have installed.
  2. Download and install a new legitimate copy of the selected program.
  3. Click Finder and press Command+Shift+H to open the Home folder.
  4. If the Library folder is not present, press and hold the key Option/Alt and click the Go menu. Select Library.
  5. Find the mdworker folder and delete it.
  6. Find the LaunchAgents folder.
  7. Open the folder and delete MacOS.plist and MacOSupdate.plist.
  8. Empty the Trash.
  9. Reboot the computer.


Kharif, Olga.The Criminal Underworld is Dropping Bitcoin for Another Currency. Bloomberg. January 2, 2018.
Pot, Justing.Why You Shouldn’t Downloade Mac Apps From MacUpdagte Any More. MakeUseof. Decemeber 16, 2015.
Reed, Tom.New Mac cryptominer distributed via a MackUpdate.. MalwareBytes.February 2, 2018.