MacOS Malware UpdateAgent Grows Increasingly Malicious

Extra capabilities

• The malware now has functionalities including pushing an aggressive second-stage adware payload, Adload, that installs a persistent backdoor.
• The adware injects promotions and advertisements into search results and web pages. It, moreover, leverages a person-in-the-middle attack via a web proxy. This enables the attackers to pilfer ad revenue from official website holders.
• Apart from sending data to the attacker server, it sends “heartbeats” to inform attackers that the malware is still running.
• In the reconnaissance phase, UpdateAgent can gather SPHardwaretype and system profile data, which discloses the victim system’s serial number. 

Why this matters

• The malware tricks its victims by mimicking legitimate software, such as support agents or video games, and propagates via hacked or malicious websites. 
• It can take advantage of Mac device functionalities. UpdateAgent can evade Gatekeeper controls, a security feature that makes sure that only trusted applications are installed.
• It can abuse existing user permissions to conduct malicious activities and subsequently, delete the evidence. 
• The trojan, furthermore, exploits public cloud infrastructure—CloudFront and Amazon S3—to host additional payloads. 

The bottom line