Insidious Mac malware is getting more sophisticated


Mac malware known as UpdateAgent has been circulating for over a year and is becoming more malicious as its developers add new bells and whistles. Additions include the push of an aggressive second stage of adware that installs a persistent backdoor on infected Macs.

The UpdateAgent malware family began circulating no later than November or December 2020 as a relatively basic information stealer. It collects product names, version numbers, and other basic system information. Its persistence methods, that is, the ability to start every time the Mac boots, were also fairly rudimentary.

Man-in-the-middle attack

Over time, Microsoft said Wednesday, UpdateAgent has become more advanced. In addition to the data it sends to the attacker-controlled server, the malware also sends "heartbeats" that let the attackers know whether it is still running. It also installs adware known as Adload.

Microsoft researchers write:

Once installed, the adware uses software and ad injection techniques to intercept the device's online communications and redirect user traffic through the adware operators' servers, injecting ads and promotions into web pages and search results. Specifically, Adload uses a Person-in-The-Middle (PiTM) attack by installing a web proxy to hijack search engine results and inject ads into web pages, thus draining ad revenue from official website owners to adware operators.

Adload is also an unusually resistant strain of adware. It is capable of opening a backdoor to download and install other adware and payloads in addition to collecting system information that is sent to the attackers’ C2 servers. Given that both UpdateAgent and Adload have the ability to install additional payloads, attackers could use either or both vectors to deliver potentially more dangerous threats to target systems in future campaigns.

Before installing the adware, UpdateAgent now removes a flag that a macOS security mechanism called Gatekeeper adds to downloaded files. (Gatekeeper ensures that users are alerted when new software came from the Internet, and also checks that the software does not match known types of malware.) Although this malicious capability is not new, since Mac malware from 2017 did the same thing, its inclusion in UpdateAgent indicates that the malware is under regular development.

UpdateAgent's reconnaissance has been extended to collect System Profile and SPHardwaretype data, which reveal the Mac's serial number, among other things. The malware has also started writing to the LaunchDaemon folder instead of the LaunchAgent folder it used before. While the change requires UpdateAgent to run as an administrator, it allows the Trojan to inject persistent code that runs as root.
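One way a defender can look for the persistence pattern described above is to audit launchd property lists for daemons that run as root at boot from user-writable locations or via an inline shell command. This is an added example, not code from the article, Microsoft or the malware; the plist contents, label and paths below are constructed for illustration.

```python
import plistlib

# Added example (not from the article). The plists, label and paths are constructed.

# Directories from which a system-wide LaunchDaemon (runs as root at boot)
# would not normally load its executable or scripts.
SUSPECT_DIRS = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/", "/private/var/folders/")
SHELLS = {"/bin/sh", "/bin/bash", "/bin/zsh", "/usr/bin/osascript"}


def audit_launchd_plist(data: bytes, plist_dir: str) -> list[str]:
    """Return findings for one launchd plist; an empty list means nothing odd."""
    plist = plistlib.loads(data)
    args = plist.get("ProgramArguments") or [plist.get("Program", "")]
    findings = []
    if plist_dir.rstrip("/") == "/Library/LaunchDaemons":
        # Writing here needs admin rights, and the job then runs as root.
        for arg in args:
            if arg.startswith(SUSPECT_DIRS):
                findings.append(f"root daemon references user-writable path: {arg}")
    if args[0] in SHELLS and "-c" in args:
        findings.append("job wraps an inline shell command: " + " ".join(args))
    if plist.get("RunAtLoad") and plist.get("KeepAlive"):
        findings.append("RunAtLoad+KeepAlive: relaunched at boot and whenever killed")
    return findings


BENIGN = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.backupd</string>
  <key>ProgramArguments</key><array><string>/usr/local/bin/backupd</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

SUSPECT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key><array>
    <string>/bin/sh</string><string>-c</string>
    <string>/Users/Shared/.cache/update -s</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(name, audit_launchd_plist(blob, "/Library/LaunchDaemons") or ["ok"])
```

On a real Mac the same function can be fed each file under /Library/LaunchDaemons and /Library/LaunchAgents; a hit is a lead to investigate, not proof of infection.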

[Figure: timeline of UpdateAgent's evolution. Courtesy of Microsoft.]
