WizardUpdate, the macOS adware, has been updated with new evasion and persistence techniques. The first variants of WizardUpdate were discovered in November 2020, and it has received regular updates since then. The updated adware now:
- deploys secondary payloads downloaded from cloud infrastructure;
- grabs the full download history of infected Macs by using SQLite;
- bypasses Gatekeeper by removing quarantine attributes from downloaded payloads;
- leverages existing user profiles to execute commands;
- modifies PLIST files using PlistBuddy; and
- changes the sudoers list to give admin permissions to regular users.
How does it operate now?
According to reports, the latest variant propagates by posing as genuine software and through drive-by downloads.
After infecting a targeted system, it scans for and collects system information, which it uploads to a C2 server.
The adware then deploys a second-stage malware payload, along with a malware variant known as Adload.
The evasion features cover its tracks by deleting the folders, files, and other artifacts it created on the targeted system. Meanwhile, the malware uses the existing user's permissions to create folders on the compromised device.
For persistence, the operators use PlistBuddy to create and modify plists in the LaunchAgents/LaunchDaemons directories.
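As an added example (not code from the report or the adware itself), a small defender-side audit for the two persistence artifacts described above: LaunchAgents/LaunchDaemons plists and sudoers edits. The path heuristics, sample plist and sample sudoers lines are constructed assumptions, not indicators from the report.

```python
"""Audit LaunchAgent/LaunchDaemon plists and sudoers text for the persistence
tricks described above. Heuristics and samples are constructed assumptions."""
import plistlib
import re

# Locations a legitimate launch item rarely executes from (assumption).
SUSPICIOUS_PATH_RE = re.compile(
    r"^(/tmp/|/private/tmp/|/Users/Shared/|/Users/[^/]+/Library/Application Support/\.)"
)

def audit_launch_plist(data: bytes) -> list:
    """Return findings for one LaunchAgent/LaunchDaemon plist (XML or binary)."""
    findings = []
    try:
        plist = plistlib.loads(data)
    except Exception as exc:  # a malformed plist in these dirs is itself notable
        return [f"unparseable plist: {exc}"]
    args = plist.get("ProgramArguments") or [plist.get("Program", "")]
    program = args[0] if args else ""
    if SUSPICIOUS_PATH_RE.match(program):
        findings.append(f"program runs from unusual location: {program}")
    if plist.get("RunAtLoad") and plist.get("KeepAlive"):
        findings.append("RunAtLoad + KeepAlive (always-on persistence)")
    return findings

# Matches "user ALL=(ALL) NOPASSWD: ALL", the form that grants passwordless full sudo.
SUDOERS_RE = re.compile(r"^\s*(\S+)\s+ALL\s*=\s*\(ALL(?::ALL)?\)\s*NOPASSWD:\s*ALL\s*$")

def audit_sudoers(text: str) -> list:
    """Return non-root user accounts granted passwordless full sudo."""
    granted = []
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = SUDOERS_RE.match(line)
        if m and not m.group(1).startswith("%") and m.group(1) != "root":
            granted.append(m.group(1))
    return granted

# Constructed samples resembling the artifacts; not real indicators.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.example.updater</string>
<key>ProgramArguments</key><array><string>/Users/Shared/.updater/run</string></array>
<key>RunAtLoad</key><true/><key>KeepAlive</key><true/>
</dict></plist>"""
SAMPLE_SUDOERS = "root ALL=(ALL) ALL\n%admin ALL=(ALL) ALL\nalice ALL=(ALL) NOPASSWD: ALL\n"

if __name__ == "__main__":
    print(audit_launch_plist(SAMPLE_PLIST))  # two findings for the sample plist
    print(audit_sudoers(SAMPLE_SUDOERS))     # ['alice']
```

On a real Mac the same functions can be run over each file in ~/Library/LaunchAgents, /Library/LaunchAgents, /Library/LaunchDaemons and over the output of `sudo visudo -c` style exports.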
WizardUpdate is now upgraded with new evasion features and persistence capabilities, making it harder to detect. To stay protected, experts recommend not downloading software or updates from third-party download sources.