Mac malware UpdateAgent only gets better over time.


Mac malware known as UpdateAgent has been spreading for more than a year, and it is growing increasingly malevolent as its developers add new bells and whistles. The additions include the pushing of an aggressive second-stage adware payload that installs a persistent backdoor on infected Macs.

The UpdateAgent malware family began circulating no later than November or December 2020 as a relatively basic information-stealer. It collected product names, version numbers, and other basic system information. Its methods of persistence—that is, the ability to run each time a Mac boots—were also fairly rudimentary.

Person-in-The-Middle attack

Over time, Microsoft said on Wednesday, UpdateAgent has grown increasingly advanced. Besides the data sent to the attacker server, the app also sends “heartbeats” that let attackers know if the malware is still running. It also installs adware known as Adload.

Microsoft researchers wrote:

Once adware is installed, it uses ad injection software and techniques to intercept a device’s online communications and redirect users’ traffic through the adware operators’ servers, injecting advertisements and promotions into webpages and search results. More specifically, Adload leverages a Person-in-The-Middle (PiTM) attack by installing a web proxy to hijack search engine results and inject advertisements into webpages, thereby siphoning ad revenue from official website holders to the adware operators.

Adload is also an unusually persistent strain of adware. It is capable of opening a backdoor to download and install other adware and payloads in addition to harvesting system information that is sent to the attackers’ C2 servers. Considering both UpdateAgent and Adload have the ability to install additional payloads, attackers can leverage either or both of these vectors to potentially deliver more dangerous threats to target systems in future campaigns.
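The proxy hijack Microsoft describes above leaves a footprint in the host's network settings, which a defender can audit. The following is an added example, not Microsoft's or Ars Technica's code: it parses the `Key: Value` lines that `networksetup -getwebproxy`, `-getsecurewebproxy` and `-getautoproxyurl` print on macOS and flags any enabled proxy or PAC URL whose host is not in a baseline set. The baseline set `BASELINE_PROXY_HOSTS` and the sample outputs are constructed for illustration.

```python
"""Flag an enabled macOS web proxy or PAC URL that is not in the host's baseline,
the kind of setting an Adload-style ad injector relies on.

Added example, not code from Microsoft or Ars Technica. The baseline set and
the sample outputs below are constructed."""
import subprocess
import sys

# Proxy hosts the organisation actually deploys (constructed placeholder).
BASELINE_PROXY_HOSTS = {"proxy.corp.example"}


def parse_networksetup(text):
    """Turn networksetup's `Key: Value` report into a dict; lines without a colon are ignored."""
    settings = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")  # split on the first colon only, so URLs survive
        if sep:
            settings[key.strip()] = value.strip()
    return settings


def proxy_finding(settings, kind, baseline=BASELINE_PROXY_HOSTS):
    """Return a finding string if the proxy is enabled and points outside the baseline, else None."""
    if settings.get("Enabled") != "Yes":
        return None
    if kind == "autoproxyurl":
        target = settings.get("URL", "")
        # host part of http://host:port/path
        host = target.split("//", 1)[-1].split("/", 1)[0].split(":", 1)[0]
    else:
        host = settings.get("Server", "")
        target = f"{host}:{settings.get('Port', '')}"
    if host in baseline:
        return None
    return f"{kind} enabled, target {target} not in baseline"


def list_network_services():
    """macOS only: service names from `networksetup -listallnetworkservices`.
    The first output line is a notice; disabled services carry a leading '*'."""
    out = subprocess.run(["networksetup", "-listallnetworkservices"],
                         capture_output=True, text=True, check=True).stdout
    return [s.lstrip("*") for s in out.splitlines()[1:] if s.strip()]


def audit_host():
    """macOS only: query every service for the three proxy kinds and collect findings."""
    findings = []
    for service in list_network_services():
        for kind in ("webproxy", "securewebproxy", "autoproxyurl"):
            out = subprocess.run(["networksetup", f"-get{kind}", service],
                                 capture_output=True, text=True, check=True).stdout
            finding = proxy_finding(parse_networksetup(out), kind)
            if finding:
                findings.append(f"{service}: {finding}")
    return findings


# Constructed sample outputs in networksetup's format: a proxy pointed at a
# local listener, a clean service, and a PAC file served from localhost.
SAMPLE_HIJACKED = "Enabled: Yes\nServer: 127.0.0.1\nPort: 8080\nAuthenticated Proxy Enabled: 0\n"
SAMPLE_CLEAN = "Enabled: No\nServer: \nPort: 0\nAuthenticated Proxy Enabled: 0\n"
SAMPLE_PAC = "URL: http://127.0.0.1:9090/proxy.pac\nEnabled: Yes\n"


def assess_samples():
    """Run the constructed samples through proxy_finding (offline demo and test hook)."""
    return (proxy_finding(parse_networksetup(SAMPLE_HIJACKED), "webproxy"),
            proxy_finding(parse_networksetup(SAMPLE_CLEAN), "webproxy"),
            proxy_finding(parse_networksetup(SAMPLE_PAC), "autoproxyurl"))


if __name__ == "__main__":
    results = audit_host() if sys.platform == "darwin" else [r for r in assess_samples() if r]
    print("\n".join(results) or "no unexpected proxy settings")
```

On a macOS host the script walks every network service; elsewhere it runs the constructed samples so the parsing and baseline logic can be exercised. A finding is a prompt to inspect the listener behind the proxy, not proof of Adload on its own.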

Before installing the adware, UpdateAgent now removes a flag that a macOS security mechanism called Gatekeeper adds to downloaded files. (Gatekeeper ensures users receive a warning that new software comes from the Internet, and it also ensures the software doesn’t match known malware strains.) While this malicious capability isn’t novel—Mac malware from 2017 did the same thing—its incorporation into UpdateAgent indicates the malware is under regular development.

UpdateAgent’s reconnaissance has been expanded to collect system profile and SPHardwaretype data, which, among other things, reveals a Mac’s serial number. The malware also started modifying the LaunchDaemon folder instead of the LaunchAgent folder as before. While the change requires UpdateAgent to run as administrator, it allows the trojan to inject persistent code that runs as root.
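The two changes just described, stripping the quarantine flag that Gatekeeper consults and moving persistence from LaunchAgents to LaunchDaemons, both show up in artefacts a defender can enumerate. The following audit is an added example, not Microsoft's or Ars Technica's code: it parses launchd plists with the standard library's `plistlib`, records whether the job location implies root or user privileges, flags jobs that launch an interpreter or reference user-writable paths, and, on macOS, checks the `com.apple.quarantine` attribute on the target binary with `xattr -p`. The path heuristics in `USER_WRITABLE_PREFIXES`, the interpreter list and the two sample plists are constructed for illustration and are not UpdateAgent indicators.

```python
"""Audit launchd persistence entries (LaunchAgents vs LaunchDaemons) and the
quarantine attribute of what they run.

Added example, not Microsoft's or Ars Technica's code. The heuristics and the
sample plists below are constructed; they are not UpdateAgent indicators."""
import os
import plistlib
import subprocess
import sys

# Where launchd picks up jobs, and the privilege each location implies.
# Writing to /Library/LaunchDaemons needs admin rights; the trade-off the
# article notes is that the job then runs as root.
LAUNCHD_DIRS = {
    "/Library/LaunchDaemons": "root",
    "/Library/LaunchAgents": "logged-in user",
    os.path.expanduser("~/Library/LaunchAgents"): "current user",
}

# Constructed heuristic: user-writable locations a persistent job should rarely run from.
USER_WRITABLE_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/")

# Interpreters that let a plist carry its payload as an inline one-liner.
INTERPRETERS = {"sh", "bash", "zsh", "osascript"}


def program_path(job):
    """Return the executable a launchd job runs: Program, else ProgramArguments[0]."""
    if job.get("Program"):
        return job["Program"]
    args = job.get("ProgramArguments") or []
    return args[0] if args else None


def assess_job(job, directory, quarantined=None):
    """Return (severity, findings) for one parsed launchd plist.

    `quarantined` is True/False when the caller checked the binary's
    com.apple.quarantine xattr (what Gatekeeper consults), None if unknown."""
    path = program_path(job)
    if path is None:
        return "low", ["no_program"]
    findings = []
    runs_as = LAUNCHD_DIRS.get(directory, "unknown")
    if runs_as == "root":
        findings.append("runs_as_root")
    if os.path.basename(path) in INTERPRETERS:
        findings.append("launches_interpreter")
    # Look at every argument, not just the first: `/bin/sh -c /tmp/x` hides the payload in argv[2].
    candidates = [path] + [a for a in (job.get("ProgramArguments") or []) if a != path]
    for arg in candidates:
        if arg.startswith(USER_WRITABLE_PREFIXES):
            findings.append(f"user_writable_path:{arg}")
    if quarantined is False:
        # Informational: pkg and App Store installs also lack the attribute,
        # so this matters mainly alongside the other findings.
        findings.append("quarantine_attr_absent")
    risky = any(f.startswith(("launches_interpreter", "user_writable_path")) for f in findings)
    if risky and runs_as == "root":
        return "high", findings
    return ("medium" if risky else "low"), findings


def has_quarantine_attr(path):
    """macOS only: True if `xattr -p com.apple.quarantine` finds the attribute."""
    rc = subprocess.run(["xattr", "-p", "com.apple.quarantine", path],
                        capture_output=True).returncode
    return rc == 0


def collect_from_disk():
    """Walk the launchd directories on a live macOS host and assess each plist."""
    results = []
    for directory in LAUNCHD_DIRS:
        if not os.path.isdir(directory):
            continue
        for name in sorted(os.listdir(directory)):
            if not name.endswith(".plist"):
                continue
            full = os.path.join(directory, name)
            try:
                with open(full, "rb") as fh:
                    job = plistlib.load(fh)  # handles XML and binary plists
            except Exception as exc:  # unreadable or malformed plist is itself worth a look
                results.append((full, "medium", [f"unparseable:{exc}"]))
                continue
            path = program_path(job)
            quarantined = has_quarantine_attr(path) if path and os.path.exists(path) else None
            severity, findings = assess_job(job, directory, quarantined)
            results.append((full, severity, findings))
    return results


# Constructed samples: a root job launching a shell one-liner from /tmp,
# and a plain per-user agent pointing at an app bundle.
SAMPLE_DAEMON = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array><string>/bin/sh</string><string>-c</string><string>/tmp/.hidden/agent</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""

SAMPLE_AGENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.helper</string>
  <key>Program</key><string>/Applications/Example.app/Contents/MacOS/helper</string>
  <key>RunAtLoad</key><true/>
</dict></plist>"""


def assess_samples():
    """Run the two constructed plists through assess_job (offline demo and test hook)."""
    daemon = assess_job(plistlib.loads(SAMPLE_DAEMON), "/Library/LaunchDaemons", quarantined=False)
    agent = assess_job(plistlib.loads(SAMPLE_AGENT),
                       os.path.expanduser("~/Library/LaunchAgents"), quarantined=True)
    return daemon, agent


if __name__ == "__main__":
    if sys.platform == "darwin":
        for full, severity, findings in collect_from_disk():
            if severity != "low":
                print(severity, full, findings)
    else:
        for severity, findings in assess_samples():
            print(severity, findings)
```

Severity is deliberately driven by the combination: a root-level job (LaunchDaemons) that runs an interpreter or anything under a user-writable path is rated high, the same job in a per-user LaunchAgents folder only medium, and a missing quarantine attribute is recorded as context rather than as a verdict, since legitimately installed software often lacks it too.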

The following timeline illustrates the evolution.

(Timeline image: Microsoft)

Once installed, the malware collects the system info, sends it to the attackers’ control server, and takes a host of other actions. The attack chain of the latest variant looks like this:

(Attack chain image: Microsoft)

Microsoft said UpdateAgent masquerades as legitimate software, such as video apps or support agents, that is spread through pop-ups or ads on hacked or malicious websites. Microsoft didn’t explicitly say so, but users apparently must be tricked into installing UpdateAgent, and during that process, Gatekeeper works as designed.

In many ways, the evolution of UpdateAgent is a microcosm for the macOS malware landscape as a whole: malware continues to become more advanced. Mac users should learn how to spot social engineering lures, such as unsolicited pop-ups appearing in browser windows that warn of infections or unpatched software.
