Apple updates its malware removal tool, MRT

Apple is in the process of pushing an update to its malware removal tool, MRT, bringing it to version 1.29.

Although Apple neither announces such updates nor reveals their changes, this new version of MRT adds code to deal with two malware products, named by Apple as OSX.Mudminer.A and OSX.Nwm0zjrk.A. Security experts consider that OSX.Mudminer.A is Apple’s in-house name for OSX.CreativeUpdate, which was inadvertently spread by malicious links posted to MacUpdate between 1 and 2 February 2018. OSX.Nwm0zjrk.A remains unidentified.

This new version of MRT has a build date of 9 February 2018. Assuming that OSX.Mudminer.A and OSX.CreativeUpdate are one and the same, this gives an unusually precise timeline for this:

  • 1 Feb – release via MacUpdate
  • 2 Feb – removal of download links from MacUpdate
  • 2 Feb – Malwarebytes detects and removes, other products following rapidly
  • 9 Feb – MRT new version built for release
  • 14 Feb – Apple pushes MRT update.

Distribution of the malware appears to have ceased once MacUpdate (and secondary aggregators) removed links on 1-2 February.

Not new, but worth noting, is MRT’s coverage of several unwanted or malicious Safari extensions. These currently include:

  • Omnibar.safariextz, part of Genieo
  • GoldenBoy.safariextz
  • Nariabox.safariextz
  • Perfetnight.safariextz
  • Smokycap.safariextz
  • Smokycap-2.safariextz
  • SearchConnect.safariextz
  • SafariProxy, part of Dok.

You can check whether this update has been installed by opening System Information via About This Mac, and selecting the Installations item under Software.

A full listing of security data file versions is given by LockRattler and SystHist for El Capitan, Sierra and High Sierra, available from Downloads above. If your Mac has not yet updated MRT itself, you can force an update using LockRattler, or at the command line.

I maintain lists of the current versions of security data files for Sierra on this page, for High Sierra on this page, and for El Capitan on this page.

I also maintain a detailed listing of the individual malware which the current versions of XProtect and MRT detect and remove in this article.