CreativeUpdate is malware that downloads and executes a crypto miner. It was found within modified packages of legitimate applications such as Firefox. The new bundle, which was signed by a legitimate Apple certificate, executes a payload script that downloads the miner and adds it as a LaunchAgent.

The modified Firefox application bundle is shown below. Mozilla Firefox is the malicious file, and the default file that will be executed.

Source: Objective-See

In the picture we can see the real Firefox application bundle inside the Resources folder. The malware executes a “script”, which is the malware’s payload, and then launches the original Firefox application so the user won’t suspect anything. The malicious script is shown below:

Source: CheckPoint
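The bundle layout described above (a complete application bundle tucked inside another bundle's Resources folder) can be checked for during triage. The following is an added example, not code from the original page or from the cited sources; the function names and the sample bundles are constructed for illustration, and because some legitimate applications ship helper apps in Resources, a hit is a lead to review rather than a verdict.

```python
import plistlib
import tempfile
from pathlib import Path
from xml.parsers.expat import ExpatError


def read_info(bundle: Path) -> dict:
    """Return the bundle's Info.plist as a dict, or {} if missing or unreadable."""
    try:
        with open(bundle / "Contents" / "Info.plist", "rb") as fh:
            return plistlib.load(fh)
    except (OSError, ValueError, ExpatError):
        return {}


def nested_apps(bundle: Path) -> list:
    """List complete .app bundles found under the bundle's Contents/Resources."""
    resources = bundle / "Contents" / "Resources"
    if not resources.is_dir():
        return []
    outer_exec = read_info(bundle).get("CFBundleExecutable")
    findings = []
    for inner in sorted(resources.rglob("*.app")):
        # Only count directories that are real bundles with their own Info.plist.
        if (inner / "Contents" / "Info.plist").is_file():
            findings.append({
                "outer_executable": outer_exec,
                "nested_bundle": str(inner.relative_to(bundle)),
                "nested_executable": read_info(inner).get("CFBundleExecutable"),
            })
    return findings


def make_bundle(path: Path, executable: str) -> Path:
    """Build a minimal constructed bundle (Info.plist only) for the demo."""
    (path / "Contents" / "Resources").mkdir(parents=True)
    with open(path / "Contents" / "Info.plist", "wb") as fh:
        plistlib.dump({"CFBundleExecutable": executable}, fh)
    return path


def demo() -> tuple:
    """Scan a constructed wrapper bundle and a constructed plain bundle."""
    with tempfile.TemporaryDirectory() as tmp:
        wrapper = make_bundle(Path(tmp) / "Wrapped.app", "Mozilla Firefox")
        make_bundle(wrapper / "Contents" / "Resources" / "Firefox.app", "firefox")
        plain = make_bundle(Path(tmp) / "Plain.app", "firefox")
        return nested_apps(wrapper), nested_apps(plain)


if __name__ == "__main__":
    for finding in demo()[0]:
        print(finding)
```

On a real system, `nested_apps(Path("/Applications/Some.app"))` would be called once per installed bundle, and any finding compared against the vendor's known layout.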