UpdateAgent, a macOS malware, has been observed in the wild with a new variant. The development shows the malware authors' ongoing effort to upgrade the malware’s functionality.

What has happened?

Researchers from Jamf Threat Labs have detected the new variant and claimed that it uses AWS infrastructure to host its different payloads and to send infection status updates to the server.
  • The new dropper is a Swift-based executable, which masquerades as Mach-O binaries such as PDFCreator and ActiveDirectory. 
  • Upon execution, it makes a connection to a remote server and obtains bash scripts identified as bash_qolveevgclr[.]sh and activedirec[.]sh.
  • These scripts contain a URL pointing to Amazon S3 buckets, from which a second-stage DMG file is obtained and run on the infected endpoint.

The other dropped file

In many cases, PDFCreator drops another plist and binary combination, called ActiveDirectory.
  • This additional dropped file is almost identical to the PDFCreator executable.
  • The main difference is that ActiveDirectory reaches a different URL from which it is expected to load a bash script.

What else?

The downloaded DMG contained an application whose file name within the DMG seems to be created from random words. Subsequently, this application is copied to the /tmp directory.
  • The path to the newly created application is saved within the $TMPFILE variable created earlier. 
  • The malware changes the /etc/sudoers file with a certain command so that a basic user can run the $TMPFILE script as root without requiring a password.
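
A defender-side check for the sudoers change described above, as an added example that is not from the researchers' report or the original article: it parses sudoers text and flags NOPASSWD rules whose command sits in a world-writable temporary directory. The sample content, user names and paths are constructed, and aliases and #include files are not expanded.

```python
import re

# Directories any local user can write to: a command here can be swapped before sudo runs it.
TEMP_DIRS = ("/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/")
TAG = re.compile(r"^\s*([A-Z_]+):\s*")  # sudoers tags such as NOPASSWD: or SETENV:

# Constructed sample sudoers content (users and paths are made up for this example).
SAMPLE = r"""
# local policy
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
alice   ALL=(ALL) NOPASSWD: /usr/bin/softwareupdate
bob     ALL=(ALL) NOPASSWD: /tmp/placeholder-words/Example.app/Contents/MacOS/Example
carol   ALL=(root) NOPASSWD: /usr/bin/true, \
            /private/tmp/helper.sh, PASSWD: /tmp/needs-password.sh
"""

def logical_lines(text):
    """Join backslash-continued lines, then drop blanks and comments."""
    for raw in re.sub(r"\\\n", " ", text).splitlines():
        line = raw.strip()
        # '#include...' is a directive and '#<digits>' is a uid, not a comment
        if line and not (line.startswith("#") and not re.match(r"#(\d|include)", line)):
            yield line

def find_risky_rules(text):
    """Return (user, command) pairs that sudo runs without a password from a temp dir."""
    findings = []
    for line in logical_lines(text):
        head = line.split()[0]
        if "=" not in line or head.startswith("Defaults") or head.endswith("_Alias"):
            continue  # settings and alias definitions are not expanded here
        spec = line.split("=", 1)[1]
        spec = re.sub(r"\([^)]*\)", "", spec)  # drop Runas lists such as (ALL)
        nopasswd = False
        for item in spec.split(","):
            # A tag applies to its command and to later ones until PASSWD: reverses it
            while (m := TAG.match(item)):
                nopasswd = {"NOPASSWD": True, "PASSWD": False}.get(m.group(1), nopasswd)
                item = item[m.end():]
            cmd = item.split()[0] if item.strip() else ""
            if nopasswd and cmd.startswith(TEMP_DIRS):
                findings.append((head, cmd))
    return findings

if __name__ == "__main__":
    for user, cmd in find_risky_rules(SAMPLE):
        print(f"passwordless sudo command in temp dir: {user} -> {cmd}")
```

On a real host the input would be the contents of /etc/sudoers and any files under /etc/sudoers.d, read with root privileges.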


UpdateAgent operators appear to be putting a lot of effort into updating their malware to keep it effective. Further, the malware operators are expected to remain active and may attempt to target more users. It is recommended to stay alert for suspicious behaviors of rogue apps downloaded from unknown sources.
Cyware Publisher