Microsoft’s security team has offered details on a piece of Mac malware that has over the last few years evolved from a simple information-gathering bit of malware to a more nasty bit of kit that can deliver other malicious payloads on your machine.
The Microsoft 365 Defender Threat Intelligence Team has dubbed it “UpdateAgent.” It first surfaced in September 2020 and has since rapidly morphed from being irritating to actually dangerous.
Since its first appearance in September 2020, the malware displayed an increasing progression of sophisticated capabilities, and while the latest two variants were sporting much more refined behavior compared with earlier versions, they show signs that the malware is still in the development stage and more updates are likely to come. The latest campaign saw the malware installing the evasive and persistent Adload adware, but UpdateAgent’s ability to gain access to a device can theoretically be further leveraged to fetch other, potentially more dangerous payloads.
UpdateAgent lures its victims by impersonating legitimate software and can leverage Mac device functionalities to its benefit. One of the most advanced techniques found in UpdateAgent’s latest toolbox is bypassing Gatekeeper controls, which are designed to ensure only trusted apps run on Mac devices.
The trojan can leverage existing user permissions to quietly perform malicious activities before deleting the evidence to cover its tracks. UpdateAgent also misuses public cloud infrastructure, namely Amazon S3 and CloudFront services, to host its additional payloads. Microsoft says it shared its findings with the Amazon Web Services team, and they have taken down the malicious URLs.
The malware is currently being used to install “unusually persistent” adware called Adload, UpdateAgent could be leveraged in the future to deliver more potentially dangerous attacks down the road.
“UpdateAgent is uniquely characterized by its gradual upgrading of persistence techniques, a key feature that indicates this trojan will likely continue to use more sophisticated techniques in future campaigns,” Microsoft said of the malware.
Happily, the malware isn’t installed in a “drive-by” manner, it requires a user to actually download a malicious file. Users can avoid downloading the file by staying in the brightly lit areas of the internet and only downloading and installing apps from trusted developers and through the Mac App Store. Don’t click on links in advertisements and do not download anything from pop-ups on any websites.
