MacUpdate served up Mac cryptominer to unsuspecting users in Firefox, OnyX, and Deeper downloads on Feb. 1
Download aggregator MacUpdate briefly linked to three malicious applications masquerading as legitimate downloads for Firefox, OnyX, and Deeper, that not only install the apps, but also deposit a cryptocurrency miner on downloader's systems.
At some point on Feb. 1, MacUpdate updated legitimate download links to bogus installers for the three apps. According to Malwarebytes Labs, OnyX and Deeper by Titanium Software links were replaced by a very similar URL to the download, and Firefox downloads were redirected to an URL that was obviously not mozilla.net.
The payload was delivered as a .dmg file, but the installers were scripts that download and install the payload, plus retrieved a legitimate copy of the app in question to convince the user that the app installed properly. This particular hack was not well executed, with the OnyX app retrieved in the place of the Deeper app, and vice versa.
The installed malware was mining the Monero cryptocurrency, passing a protonmail user to a login authority.
The applications hosted by Titanium Software themselves, and Mozilla's native download of Firefox are uninfected.
This is not the first time that MacUpdate has hosted malware in downloads. The company itself was installing its own adware to non-subscribers computers for a few months in 2015. A second event in 2016 found fake application EasyDoc Converter distributing the OSX Eleanor ransomware for a period of time.
AppleInsider suggests that users either download applications from the developer's site directly, or from the Mac App Store. As a general rule, avoiding download aggregators that link directly to downloads outside the Mac App Store is a good security practice.