Using Osquery to Identify OSX/CreativeUpdater Malware

Blog Author
Doug Wilson

The first week of February 2018 has seen another piece of macOS malware —  CreativeUpdater malware. This time a cryptominer masquerading as several different software packages on the MacUpdate.com website. Again, even a few days later, a lot of endpoint solutions are not necessarily picking this up, looking at VirusTotal.

The bogus software packages have been removed, and the second stage download binary for the malware has apparently been taken down as well. But if this made it into your enterprise, you may have macs that are now burning resources mining cryptocurrency, and that’s probably something you want to check on.

If you have osquery deployed, this is an easy task. The software packages all had the same things in common — they take a legitimate version of the app, and then package it with a script wrapper that attempts to run and retrieve the second stage of the malware, while running the original app as cover.

The attackers didn’t do a very good job with this, with some of the software not even being the software it claimed to be, thus failing when it actually ran. You can read details about it on Malwarebytes. Patrick Wardle has additional information on his blog about the version of this malware packaged with Firefox.

If the malware first stage script does run, it downloads and installs a command line crypto miner into ~/Library/mdworker/mdworker .

Since these programs don’t normally have the packaging script, and that is a non-standard location for mdworker, it’s fairly easy to make a query pack for the IOCs that indicate the presence of this malware.

We can check for the existence of the script file, or the bogus mdworker file using the following query:

SELECT * FROM file WHERE path = ‘/Applications/Firefox.app/Contents/Resources/script’
OR path LIKE ‘/Users/%/Applications/Firefox.app/Contents/Resources/script’
OR path = ‘/Applications/OnyX.app/Contents/Resources/script’
OR path LIKE ‘/Users/%/Applications/OnyX.app/Contents/Resources/script’
OR path = ‘/Applications/Deeper.app/Contents/Resources/script’
OR path LIKE ‘/Users/%/Applications/Deeper.app/Contents/Resources/script’
OR path LIKE ‘/Users/%/Library/mdworker/mdworker’;

We have to use the LIKE operator because we are using a wildcard for the username of any users on the system.

We can look for the running process with this query:

SELECT * FROM processes WHERE path LIKE ‘%/Library/mdworker/mdworker’;

again using the LIKE because we are using a wildcard in the path.

This threat appears short-lived, but we may see it repackaged again in the near future as part of another campaign. It’s likely that the mdworker in a non-standard location is a good indicator in general, and looking for that may stand you in good stead down the road. (note to self — some tactics on that might be good fodder for a future blog post!)

BONUS ROUND:

The other macOS malware of note so far this year after OSX/MaMi has been CrossRat (Patrick Wardle is a busy man!) — I didn’t have the time to dig in on that one, as I was catching up on things after Shmoocon, but again, the IOCs for macOS make for a quick and easy query:

For the file artifacts:

SELECT * FROM file WHERE path LIKE ‘/Users/%/Library/mediamgrs.jar’
OR path = ‘/Library/LaunchAgents/mediamgrs.plist’
OR path LIKE ‘/Users/%/Library/LaunchAgents/mediamgrs.plist’;

For the running process, you are looking to see if you can find java running this particular .jar file, and you do this by looking at the command line arguments for the process:

SELECT * FROM processes WHERE cmdline LIKE ‘%/Users/%/Library/mediamgrs.jar’

I hope this has been useful — osquery is a really great tool for quickly composing and checking hosts for IOCs like the above.