A new form of the macOS malware known as UpdateAgent has been discovered in the wild, showing that its makers are still working on improving its capabilities.
“Perhaps one of the most identifiable features of the malware is that it relies on the AWS infrastructure to host its various payloads and perform its infection status updates to the server,” researchers from Jamf Threat Labs said.
UpdateAgent, initially discovered in late 2020, has since grown into a malware dropper, allowing the dissemination of second-stage payloads like adware while also circumventing macOS Gatekeeper defenses. The newly found Swift-based dropper is disguised as Mach-O binaries called “PDFCreator” and “ActiveDirectory,” which, when run, establish a connection to a remote server and receive a bash script to run.
According to the researchers, the main difference [between the two executables] is that each connects to a different URL from which it loads its bash script. The “activedirec.sh” or “bash_qolveevgclr.sh” bash scripts include a URL to Amazon S3 buckets from which a second-stage disk image (DMG) file may be downloaded to the compromised endpoint and executed.
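As an added defender-side illustration (not code from the Jamf report), the following Python sketch flags the execution chain described above over constructed process-event records: a dropper named PDFCreator or ActiveDirectory spawning bash with one of the named scripts, whose child fetches a DMG from an Amazon S3 URL. The event format and the S3 hostname pattern are assumptions, not details from the report.

```python
"""Detection sketch for the UpdateAgent dropper chain.

Constructed sample events (not real telemetry): a process-execution log with
pid/ppid, image name and command line.  The chain flagged is:
  disguised dropper (PDFCreator / ActiveDirectory)
    -> bash running a fetched script (activedirec.sh / bash_qolveevgclr.sh)
      -> child process downloading a .dmg from an Amazon S3 bucket
Dropper and script names come from the report; the S3 URL pattern and the
event schema are assumptions made for this example.
"""
import re
from typing import Dict, List

DROPPER_NAMES = {"PDFCreator", "ActiveDirectory"}
SCRIPT_NAMES = {"activedirec.sh", "bash_qolveevgclr.sh"}
# Assumed shape of an S3-hosted DMG URL (virtual-hosted or path style).
S3_DMG_RE = re.compile(r"https?://[\w.-]*s3[\w.-]*\.amazonaws\.com/\S+\.dmg", re.I)


def find_updateagent_chains(events: List[Dict]) -> List[Dict]:
    """Return one finding per dropper -> bash(script) -> S3 DMG download chain."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if e["image"] != "bash":
            continue
        parent = by_pid.get(e["ppid"])
        if parent is None or parent["image"] not in DROPPER_NAMES:
            continue
        script = next((s for s in SCRIPT_NAMES if s in e["cmd"]), None)
        if script is None:
            continue
        # Any child of this bash that pulls a .dmg from S3 completes the chain.
        for child in events:
            if child["ppid"] != e["pid"]:
                continue
            m = S3_DMG_RE.search(child["cmd"])
            if m:
                findings.append({"dropper": parent["image"], "script": script,
                                 "dmg_url": m.group(0)})
                break
    return findings


# Constructed events: one malicious chain, one benign developer workflow.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": "PDFCreator", "cmd": "/Users/u/Downloads/PDFCreator"},
    {"pid": 101, "ppid": 100, "image": "bash", "cmd": "bash /tmp/bash_qolveevgclr.sh"},
    {"pid": 102, "ppid": 101, "image": "curl",
     "cmd": "curl -o /tmp/a.dmg https://example-bucket.s3.amazonaws.com/p/a.dmg"},
    {"pid": 200, "ppid": 1, "image": "Terminal", "cmd": "/Applications/Utilities/Terminal.app"},
    {"pid": 201, "ppid": 200, "image": "bash", "cmd": "bash ./build.sh"},
    {"pid": 202, "ppid": 201, "image": "curl", "cmd": "curl -O https://example.com/release.dmg"},
]
```

Running `find_updateagent_chains(SAMPLE_EVENTS)` reports only the PDFCreator chain; the benign build script downloading a DMG from a non-S3 host is left alone.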
The developers of the UpdateAgent malware are constantly updating it. It is recognized for having a well-built backend that lets it be readily updated. Although the payloads it has delivered so far are known adware families, security experts fear that, with such a well-built infrastructure, it could be used for more harmful purposes in the future.
Thanks to frequently updated behavioral analytics, Jamf Protect customers are protected against the known, current families of this malware, with numerous distinct detections covering suspicious actions and potentially unwanted programs.