UpdateAgent, a macOS malware family, has been active for nearly 14 months. It began circulating as a rudimentary infostealer around November or December 2020, but it is becoming more dangerous as its creators continue to improve it.
Additional capabilities
- Adload, an aggressive second-stage advertising payload that installs a persistent backdoor, is now part of the malware's functionality.
- The adware injects advertisements and promotions into search results and web pages. It also uses a web proxy to carry out a man-in-the-middle attack, which allows the attackers to divert ad revenue from the owners of legitimate websites.
- In addition to sending collected data to the attacker server, it sends "heartbeats" to tell the attackers that the malware is still active.
- During the reconnaissance phase, UpdateAgent collects system profile data, including the SPHardwareDataType output of system_profiler, which reveals the serial number of the victim system.
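The "heartbeat" behaviour described above is something a defender can look for on the network side: a beacon produces connections to the same host at near-constant intervals, unlike normal browsing. The following script is an added example (not code from the original post or from any vendor report) that parses a constructed proxy log and flags client/host pairs whose inter-connection intervals have a very low coefficient of variation. The log format, hostnames and thresholds are assumptions chosen for illustration.

```python
"""Detect periodic "heartbeat" connections (beaconing) in proxy logs.

Added example for illustration. The log lines below are constructed, the
hostnames are placeholders, and the thresholds are assumptions; tune them
against your own traffic before relying on the output.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from typing import Dict, List, NamedTuple, Tuple

# Constructed sample proxy log (not real UpdateAgent traffic).
# Format per line: "<ISO-8601 timestamp> <client_ip> <destination_host> <bytes_sent>"
SAMPLE_LOG = """\
2021-03-01T10:00:00 10.0.0.7 updates.example-cdn.test 312
2021-03-01T10:00:04 10.0.0.7 www.example.com 1822
2021-03-01T10:05:01 10.0.0.7 updates.example-cdn.test 310
2021-03-01T10:07:13 10.0.0.7 mail.example.com 9021
2021-03-01T10:10:00 10.0.0.7 updates.example-cdn.test 315
2021-03-01T10:11:42 10.0.0.7 www.example.com 2200
2021-03-01T10:15:02 10.0.0.7 updates.example-cdn.test 311
2021-03-01T10:20:00 10.0.0.7 updates.example-cdn.test 309
2021-03-01T10:24:31 10.0.0.7 www.example.com 1640
"""


class Beacon(NamedTuple):
    client: str
    host: str
    events: int
    mean_interval_s: float
    interval_cv: float   # pstdev / mean of the inter-connection intervals
    mean_bytes: float


def parse_log(text: str) -> List[Tuple[datetime, str, str, int]]:
    """Parse the constructed log format into (timestamp, client, host, bytes) records."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, client, host, nbytes = line.split()
        records.append((datetime.fromisoformat(ts), client, host, int(nbytes)))
    return records


def find_beacons(text: str, min_events: int = 4, max_cv: float = 0.15,
                 min_interval_s: float = 30.0) -> List[Beacon]:
    """Return client/host pairs whose connection timing looks like a heartbeat.

    A pair is flagged when it has at least `min_events` connections, the mean
    gap between them is at least `min_interval_s` (to ignore page-load bursts),
    and the gaps are regular (coefficient of variation <= `max_cv`).
    """
    groups: Dict[Tuple[str, str], List[Tuple[datetime, int]]] = defaultdict(list)
    for ts, client, host, nbytes in parse_log(text):
        groups[(client, host)].append((ts, nbytes))

    hits: List[Beacon] = []
    for (client, host), events in groups.items():
        if len(events) < min_events:
            continue
        events.sort()
        intervals = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        avg = mean(intervals)
        if avg < min_interval_s:
            continue
        cv = pstdev(intervals) / avg
        if cv <= max_cv:
            hits.append(Beacon(client, host, len(events), avg, cv,
                               mean([n for _, n in events])))
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(f"{hit.client} -> {hit.host}: {hit.events} connections, "
              f"every ~{hit.mean_interval_s:.0f}s (cv={hit.interval_cv:.3f}), "
              f"~{hit.mean_bytes:.0f} bytes each")
```

In the constructed log, `updates.example-cdn.test` is contacted every five minutes with almost no jitter and a near-constant request size, so it is flagged, while the ordinary browsing hosts are not. Real beacons often add random jitter, so in practice the threshold on `max_cv` is a trade-off between catching jittered heartbeats and flagging legitimate pollers such as update checkers; pair this with the host's reputation and the process that opened the connection before treating a hit as malicious.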
Why is this significant?
- The malware imitates legitimate software, such as help agents or video games, and spreads through compromised or malicious websites to fool its victims.
- It abuses built-in capabilities of Mac devices. UpdateAgent bypasses Gatekeeper, the security mechanism that ensures only trusted apps are installed.
- It can take advantage of the current user's permissions to carry out malicious actions and then remove the evidence.
- Furthermore, the trojan uses public cloud infrastructure, such as CloudFront and Amazon S3, to host additional payloads.
Last But Not Least
Organizations must deploy defensive solutions that provide security across all platforms, as modern work environments rely on a variety of devices and operating systems. UpdateAgent's evolution emphasises this even more: its creators have turned a simple data stealer into a complex, persistent, and aggressive threat.