Security researchers at Microsoft Security Intelligence have discovered a new version of UpdateAgent (aka WizardUpdate) that targets Mac devices. The malware, first detected in November 2020, is also capable of dropping adware on macOS.
The company noted that the new variant has a number of new capabilities that make it harder to detect and remove, thanks to improved persistence and evasion tactics.
“We recently discovered the latest variant of a Mac malware tracked as UpdateAgent (aka WizardUpdate) with new persistence and evasion tactics, the latest in a series of upgrades over the past year. Given its history, this Trojan will likely continue to grow in sophistication,” Microsoft tweeted.
Another capability of the malware is the use of public cloud infrastructure for hosting additional payloads.
One of the additional payloads UpdateAgent installs is a new adware called Adload.
The malware collects system information and sends it to a C2 server. More importantly, it can also bypass Apple’s Gatekeeper security feature: to do so, it strips the quarantine attribute from the files it downloads.
Gatekeeper is a cornerstone of macOS security. It blocks malicious downloaded applications by enforcing code-signing requirements on them. Like the OSX/Dok malware, UpdateAgent can efficiently bypass Gatekeeper, which makes it a persistent threat.
The attackers use PlistBuddy to achieve persistence. The malware also tries to delete the folders, files, and other artifacts it created in order to cover its tracks.
“The malware also leverages existing user permissions to create folders on the affected device. It uses PlistBuddy to create and modify Plists in LaunchAgent/LaunchDaemon for persistence. It then covers its tracks by deleting created folders, files, and other artifacts,” researchers tweeted.
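Because the persistence described above lives in launchd property lists, a defender can audit those files directly. The script below is an added example for this article, not Microsoft's tooling and not UpdateAgent code: it parses LaunchAgent/LaunchDaemon plists with the standard-library plistlib and flags entries that point at temporary or shared directories, hidden path components, interpreter-launched scripts, or Apple-style labels whose program lives outside Apple system paths. The two sample plists, their labels and paths are constructed for illustration and are not indicators from the article; the directory list and the heuristics are assumptions a practitioner would tune for their own fleet.

```python
"""Audit macOS LaunchAgent / LaunchDaemon plists for persistence indicators.

Added example (not the article's or Microsoft's code). Sample plists and
their labels/paths below are constructed, hypothetical values.
"""
from __future__ import annotations

import plistlib
from pathlib import Path

# Where launchd reads job definitions: LaunchAgents run per user, LaunchDaemons as root.
LAUNCHD_DIRS = [
    Path.home() / "Library/LaunchAgents",
    Path("/Library/LaunchAgents"),
    Path("/Library/LaunchDaemons"),
]

# Locations a vendor's own agent rarely executes from (assumption, tune per fleet).
SUSPICIOUS_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/")
# Paths where Apple-shipped binaries legitimately live.
APPLE_PATHS = ("/System/", "/usr/", "/bin/", "/sbin/", "/Library/Apple/")
# Interpreters often used to run a dropped script instead of a signed binary.
INTERPRETERS = {"sh", "bash", "zsh", "osascript", "python", "python3", "perl", "curl"}


def audit_plist(data: bytes) -> list[str]:
    """Return findings for one launchd plist; an empty list means nothing odd."""
    findings: list[str] = []
    try:
        plist = plistlib.loads(data)
    except Exception:  # malformed XML/binary plist
        return ["unparseable plist"]
    if not isinstance(plist, dict):
        return ["top-level object is not a dict"]

    label = str(plist.get("Label", ""))
    args = [str(a) for a in plist.get("ProgramArguments") or []]
    program = str(plist.get("Program") or (args[0] if args else ""))
    if not program:
        return ["no Program or ProgramArguments"]

    # 1-2. Executable or script in a temp/shared location, or under a hidden directory.
    for a in [program] + args[1:]:
        if a.startswith(SUSPICIOUS_PREFIXES):
            findings.append(f"path in temp/shared location: {a}")
        if any(part.startswith(".") for part in Path(a).parts if part not in (".", "..")):
            findings.append(f"hidden path component: {a}")

    # 3. Job is really "run this interpreter on a script" rather than a signed binary.
    if Path(program).name in INTERPRETERS:
        findings.append(f"launches interpreter {program} with {args[1:]}")

    # 4. Label masquerades as Apple but executes something outside Apple paths.
    abs_paths = [p for p in [program] + args[1:] if p.startswith("/")]
    if label.startswith("com.apple.") and not all(p.startswith(APPLE_PATHS) for p in abs_paths):
        findings.append(f"Apple-style label {label!r} runs non-Apple path(s): {abs_paths}")

    # 5. Auto-start plus auto-restart makes a flagged entry harder to remove.
    if plist.get("RunAtLoad") and plist.get("KeepAlive") and findings:
        findings.append("RunAtLoad + KeepAlive (auto-restart) on a flagged entry")
    return findings


def scan_directories(dirs=LAUNCHD_DIRS) -> dict[str, list[str]]:
    """Audit every *.plist in the given directories; map path -> findings."""
    report: dict[str, list[str]] = {}
    for d in dirs:
        if not d.is_dir():
            continue
        for p in sorted(d.glob("*.plist")):
            try:
                findings = audit_plist(p.read_bytes())
            except OSError as e:
                findings = [f"unreadable: {e}"]
            if findings:
                report[str(p)] = findings
    return report


# Constructed sample plists (hypothetical labels and paths, not real indicators).
SAMPLE_BENIGN = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key><array><string>/Applications/Example.app/Contents/MacOS/updater</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

SAMPLE_SUSPECT = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.softwareupdate.helper</string>
  <key>ProgramArguments</key><array>
    <string>/bin/sh</string><string>-c</string><string>/Users/Shared/.hidden/run.sh</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    for name, sample in (("benign", SAMPLE_BENIGN), ("suspect", SAMPLE_SUSPECT)):
        print(name, audit_plist(sample) or "no findings")
    for path, findings in scan_directories().items():
        print(path)
        for f in findings:
            print("  -", f)
```

On a Mac, running the script against the live directories lists only entries that trip a heuristic, which keeps a quick triage short; the same pass can be scheduled so that a newly created plist stands out against a known-good baseline. The quarantine-stripping step mentioned in the article can be checked separately with `xattr -p com.apple.quarantine <file>` on a downloaded item, where a missing attribute on a file the browser just fetched is itself worth a closer look.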
The new variant also impersonates legitimate software; however, Microsoft did not reveal which software is being impersonated. The malware is believed to be distributed through drive-by downloads.