CreativeUpdate is macOS malware that downloads and runs a cryptocurrency miner. It was found inside modified bundles of legitimate applications such as Firefox. The repackaged bundle, which was signed with a legitimate Apple developer certificate, executes a payload script that downloads the miner and registers it as a LaunchAgent so that it persists across logins. The modified Firefox application bundle is shown below. "Mozilla Firefox" is the malicious file, and because Info.plist names it as the bundle's executable, it is what runs when the user opens the app.
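The layout described on this page is easy to check for statically: the file that Info.plist names as CFBundleExecutable should be a Mach-O binary rather than a script, nothing that looks like a second application bundle should be hiding under Contents/Resources, and no LaunchAgent should point at a program living in a user-writable directory. The script below is an added triage example (not code from the page or from the malware) that performs those three checks. It relies only on the standard library, so it also runs off-macOS for testing; the bundle it inspects and the two agent plists are constructed fixtures, and every name in them (the "victim" home directory, the "com.example.updater" label, the "miner" path) is hypothetical.

```python
"""Static triage of a macOS .app bundle for the CreativeUpdate trojanizing pattern.

Added example, not the page's or the malware's code.  It checks that
  1. the CFBundleExecutable named in Info.plist is a Mach-O binary, not a script,
  2. no second .app bundle is nested under Contents/Resources, and
  3. LaunchAgent plists do not run a program from a user-writable location.
build_samples() writes constructed fixtures to disk; all names in them are made up.
"""
import os
import plistlib
import tempfile

# Magic numbers of thin and fat Mach-O files, in both byte orders.
MACHO_MAGICS = {b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
                b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",
                b"\xca\xfe\xba\xbe", b"\xbe\xba\xfe\xca"}

# Roots where a legitimate agent's program is normally installed; anything else
# (a home directory, /tmp, /var/folders) is writable by an unprivileged user.
SYSTEM_ROOTS = ("/System/", "/usr/", "/Applications/", "/Library/")


def main_executable(bundle):
    """Path of the file macOS runs when the bundle is opened (CFBundleExecutable)."""
    with open(os.path.join(bundle, "Contents", "Info.plist"), "rb") as f:
        name = plistlib.load(f).get("CFBundleExecutable")
    return os.path.join(bundle, "Contents", "MacOS", name) if name else None


def nested_bundles(bundle):
    """Every .app directory below Contents/Resources, where the real app was hidden."""
    res = os.path.join(bundle, "Contents", "Resources")
    return sorted(os.path.join(r, d) for r, ds, _ in os.walk(res)
                  for d in ds if d.endswith(".app"))


def triage_bundle(bundle):
    """Return a list of human-readable findings; an empty list means nothing odd."""
    findings = []
    exe = main_executable(bundle)
    if not exe or not os.path.isfile(exe):
        findings.append("main executable missing")
    else:
        with open(exe, "rb") as f:
            head = f.read(4)
        if head[:2] == b"#!":
            findings.append("main executable is a script: " + os.path.basename(exe))
        elif head not in MACHO_MAGICS:
            findings.append("main executable is not Mach-O: " + os.path.basename(exe))
    for n in nested_bundles(bundle):
        findings.append("nested app bundle in Resources: " + os.path.relpath(n, bundle))
    return findings


def triage_launch_agents(agents_dir):
    """Flag agent plists whose program lives outside the usual install roots."""
    findings = []
    for name in sorted(os.listdir(agents_dir)):
        if not name.endswith(".plist"):
            continue
        with open(os.path.join(agents_dir, name), "rb") as f:
            p = plistlib.load(f)
        prog = p.get("Program") or (p.get("ProgramArguments") or [None])[0]
        if prog and not prog.startswith(SYSTEM_ROOTS):
            findings.append(f"{name}: {p.get('Label')} runs {prog} from a user-writable path")
    return findings


def _write(path, data):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def build_samples(root):
    """Constructed fixtures mimicking the described layout (not real malware)."""
    macho_stub = b"\xcf\xfa\xed\xfe" + b"\0" * 28     # 64-bit LE Mach-O magic plus padding
    troj = os.path.join(root, "Firefox.app")
    _write(os.path.join(troj, "Contents", "Info.plist"),
           plistlib.dumps({"CFBundleExecutable": "Mozilla Firefox"}))
    # Shell script standing in for the malicious launcher; it does nothing here.
    _write(os.path.join(troj, "Contents", "MacOS", "Mozilla Firefox"), b"#!/bin/sh\nexit 0\n")
    real = os.path.join(troj, "Contents", "Resources", "Firefox.app")
    _write(os.path.join(real, "Contents", "Info.plist"), plistlib.dumps({"CFBundleExecutable": "firefox"}))
    _write(os.path.join(real, "Contents", "MacOS", "firefox"), macho_stub)
    clean = os.path.join(root, "Clean.app")                 # hypothetical benign bundle
    _write(os.path.join(clean, "Contents", "Info.plist"), plistlib.dumps({"CFBundleExecutable": "clean"}))
    _write(os.path.join(clean, "Contents", "MacOS", "clean"), macho_stub)
    _write(os.path.join(clean, "Contents", "Resources", "icon.icns"), b"icns")
    agents = os.path.join(root, "LaunchAgents")
    _write(os.path.join(agents, "com.example.updater.plist"),   # hypothetical persistence entry
           plistlib.dumps({"Label": "com.example.updater", "RunAtLoad": True,
                           "ProgramArguments": ["/Users/victim/Library/Application Support/miner"]}))
    _write(os.path.join(agents, "com.vendor.example.plist"),    # hypothetical benign entry
           plistlib.dumps({"Label": "com.vendor.example", "Program": "/usr/libexec/example"}))
    return troj, clean, agents


def run_demo():
    with tempfile.TemporaryDirectory() as tmp:
        troj, clean, agents = build_samples(tmp)
        return {"trojanized": triage_bundle(troj), "clean": triage_bundle(clean),
                "agents": triage_launch_agents(agents)}


if __name__ == "__main__":
    for label, result in run_demo().items():
        print(label, result or "no findings")
```

On a real machine, point triage_bundle at an application under /Applications and triage_launch_agents at ~/Library/LaunchAgents; the Mach-O check catches a launcher that is a shell or Python script, and the nested-bundle check catches the hidden real application regardless of what the outer executable is. A valid signature, as on the CreativeUpdate bundles, does not make either finding less suspicious.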
In the picture, the real Firefox application bundle sits inside the Resources folder. The malicious launcher executes a file named "script", which is the malware's payload, and then launches the original Firefox from Resources so that the user sees nothing unusual. The malicious script is shown below: