The macOS malware dubbed UpdateAgent has been observed propagating for almost 14 months. It started circulating around November or December 2020 as a basic infostealer, but it has grown steadily more dangerous as its developers keep upgrading it.

Extra capabilities

  • The malware can now push an aggressive second-stage adware payload, Adload, which installs a persistent backdoor.
  • The adware injects promotions and advertisements into search results and web pages, and it runs a person-in-the-middle attack through a web proxy, which lets the attackers siphon ad revenue away from the legitimate website owners.
  • Besides sending stolen data to the attacker's server, it sends “heartbeat” messages to signal that the malware is still running.
  • In the reconnaissance phase, UpdateAgent gathers SPHardwareDataType and other system profile data, which discloses the victim system's serial number.

Why this matters

  • The malware tricks its victims by mimicking legitimate software, such as support agents or video games, and propagates via hacked or malicious websites.
  • It abuses built-in Mac functionality: UpdateAgent can evade Gatekeeper, the security feature that makes sure only trusted applications are installed.
  • It can abuse the existing user's permissions to carry out malicious activity and then delete the evidence.
  • The trojan also hosts additional payloads on public cloud infrastructure (CloudFront and Amazon S3).
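The three behaviours above that leave the clearest traces in endpoint telemetry are the serial-number reconnaissance via system_profiler, the regular heartbeat connections, and the payload fetches from CloudFront or S3. The script below is an added example, not code from the article or from any vendor: it runs three simple hunting rules over a constructed set of process-execution and network events. The event schema (ts, type, proc, cmd, dest), the trusted-path list, and every hostname and process path in it are assumptions made up for the illustration.

```python
"""Hunting for UpdateAgent-style behaviour in macOS endpoint telemetry.

Constructed example: the events below are made up for illustration, and the
flat schema (ts, type, proc, cmd, dest) is an assumed telemetry format, not
the output of any particular EDR product. Timestamps are seconds.
"""
import statistics
from collections import defaultdict

# Processes launched from these locations are treated as trusted for the
# purposes of this example (an assumption; tune for your fleet).
TRUSTED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Applications/")
# Public cloud services the article names as payload hosting (CloudFront, S3).
CLOUD_HOST_SUFFIXES = (".cloudfront.net", ".amazonaws.com")

# Constructed actors: a fake "helper" dropped in the user's profile, plus
# two legitimate apps that generate look-alike but benign events.
AGENT = "/Users/alice/Library/Application Support/HelperAgent/agent"
SAFARI = "/Applications/Safari.app/Contents/MacOS/Safari"
TERMINAL = "/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal"

SAMPLE_EVENTS = [
    # Recon: serial number via system_profiler, run from an untrusted path.
    {"ts": 10, "type": "exec", "proc": AGENT,
     "cmd": "system_profiler SPHardwareDataType"},
    # Second-stage fetch from a CloudFront distribution (constructed host).
    {"ts": 12, "type": "net", "proc": AGENT, "dest": "d1example.cloudfront.net"},
    # Heartbeats: same destination every 60 s (constructed collector host).
    {"ts": 60, "type": "net", "proc": AGENT, "dest": "collector.example.invalid"},
    {"ts": 120, "type": "net", "proc": AGENT, "dest": "collector.example.invalid"},
    {"ts": 180, "type": "net", "proc": AGENT, "dest": "collector.example.invalid"},
    {"ts": 240, "type": "net", "proc": AGENT, "dest": "collector.example.invalid"},
    {"ts": 300, "type": "net", "proc": AGENT, "dest": "collector.example.invalid"},
    # Benign look-alikes: an admin running system_profiler from Terminal,
    # Safari loading static assets from CloudFront, and irregular browsing.
    {"ts": 75, "type": "exec", "proc": TERMINAL,
     "cmd": "system_profiler SPHardwareDataType"},
    {"ts": 40, "type": "net", "proc": SAFARI, "dest": "static.example.cloudfront.net"},
    {"ts": 30, "type": "net", "proc": SAFARI, "dest": "www.example.com"},
    {"ts": 500, "type": "net", "proc": SAFARI, "dest": "www.example.com"},
]


def is_trusted_path(path):
    """True when the executable lives in one of the trusted prefixes."""
    return path.startswith(TRUSTED_PREFIXES)


def find_hardware_recon(events):
    """Exec events that query SPHardwareDataType from an untrusted location."""
    hits = []
    for e in events:
        if e["type"] != "exec":
            continue
        argv = e["cmd"].split()
        if (argv[:1] == ["system_profiler"] and "SPHardwareDataType" in argv
                and not is_trusted_path(e["proc"])):
            hits.append(e)
    return hits


def find_heartbeats(events, min_count=4, max_cv=0.1):
    """(proc, dest) pairs contacted at a near-constant interval.

    A low coefficient of variation of the gaps between connections is the
    signature of a timer-driven beacon rather than user-driven traffic.
    """
    by_pair = defaultdict(list)
    for e in events:
        if e["type"] == "net":
            by_pair[(e["proc"], e["dest"])].append(e["ts"])
    hits = []
    for (proc, dest), stamps in by_pair.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = statistics.mean(gaps)
        if avg > 0 and statistics.pstdev(gaps) / avg <= max_cv:
            hits.append({"proc": proc, "dest": dest,
                         "period": avg, "count": len(stamps)})
    return hits


def find_cloud_payload_fetches(events):
    """Connections to CloudFront/S3 from processes outside trusted paths."""
    return [e for e in events
            if e["type"] == "net"
            and e["dest"].endswith(CLOUD_HOST_SUFFIXES)
            and not is_trusted_path(e["proc"])]


def triage(events):
    """Run all three rules and return the findings grouped by rule."""
    return {"recon": find_hardware_recon(events),
            "heartbeats": find_heartbeats(events),
            "cloud_fetches": find_cloud_payload_fetches(events)}


if __name__ == "__main__":
    for rule, findings in triage(SAMPLE_EVENTS).items():
        print(rule, len(findings), findings)
```

On the constructed input only the fake helper trips the rules: the admin's system_profiler call from Terminal and Safari's CloudFront traffic are filtered out by the trusted-path check, and Safari's two irregular connections never reach the beacon threshold. Each rule alone is noisy in a real fleet; the value is in the same untrusted process matching more than one of them.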

The bottom line

As modern work environments increasingly rely on a myriad of devices and operating systems, organizations need defense solutions that offer protection across all platforms. The evolution of UpdateAgent underlines this: its developers have turned a simple infostealer into sophisticated, persistent, and aggressive malware.

Cyware Publisher